Thursday, April 25, 2024 - 11:14 hrs.
Damiani's office explains myths and truths

General data protection law: The theme that will guide sports betting in Brazil

Only 6 (six) months remain until the General Data Protection Law (LGPD) takes full effect in Brazil. Seeking to clarify the true impact of the legislation in the corporate context and, above all, in the sports betting segment, lawyers André Gustavo Sales Damiani and Marina de Almeida Santos Dias address seven key issues for companies in this exclusive interview with Games Magazine Brasil, so that they know how to target efforts and investment correctly.

GMB - What is LGPD?
André Gustavo Sales Damiani / Marina de Almeida Santos Dias - LGPD stands for General Data Protection Law. It was edited and approved by the National Congress in 2018, in response to the international market's demand for the preservation of freedom, intimacy and privacy of those individuals who entrust their data to third parties, especially in virtual environments.

In order to accredit Brazil as an honest and reliable business partner, our legislature was inspired by European law (General Data Protection Regulation - GDPR) to regulate transactions with data from individuals.

The “treatment of personal data”, as defined by the LGPD, therefore comprises all forms of collection, storage, sharing and disposal of data on natural persons. The law still requires the consent of the holder and a clear delimitation of the purpose of the data processing, establishing strict protection standards, with technical requirements that invariably pass through solutions in information technology, process management and corporate governance.

What is personal data for LGPD?
It is wrong to think that personal data is just the name or the number of the RG or CPF. In fact, “personal data” is any and all information that makes it possible to identify an individual, thus including betting history, financial data or consumption habits, for example.

Who is subject to the LGPD?
Natural or legal persons under public or private law (regardless of their nationality or the country in which they are based) who process personal data with the aim of offering or providing goods or services to individuals who are Brazilian and/or located in national territory are subject to the LGPD's discipline.

 



Is the LGPD in effect? What is the deadline for legal compliance?
The deadline is now. The LGPD is already in place. However, the National Data Protection Authority will only be able to impose the expected administrative sanctions as of August 2020.

If my business is not yet prepared, how big is the risk?
Protection of personal data is not new in Brazilian law. Since 1988, our Federal Constitution has safeguarded the privacy and intimacy of all citizens. Based on it, the current rules, such as the Consumer Protection Code, the Civil Code and the Internet Marco Civil, already ensure the repair of damages arising from data breach (indemnity). In extreme cases, the leakage of this information or the mismanagement of data can even have repercussions in the criminal sphere.

In addition, as of August 2020, the LGPD will allow the imposition of administrative sanctions on those who fail to observe the best data governance and privacy protection practices. Thus, those who do not comply with the legal standards of prevention will also be subject to various administrative penalties, depending on the complexity of the infraction, and may suffer a fine of up to 2% (two percent) of the company's revenue, limited to R$ 50 million (US$ 11.45m) per occurrence, without prejudice to the aforementioned duty of reparation already provided for by the Brazilian legal system.

What impact does the law have on the sports betting market?
The exposure of entrepreneurs in the sports betting market is especially delicate. One, because the activity - recently regulated by the National Congress - depends on periodic licensing by the competent authorities, a fact that makes the verification of compliance with the LGPD a recurring theme and sensitive to state inspection. Two, because the efficient exploitation of this segment presupposes the correct treatment of critical data from bettors, such as bank information, assets, history of commercial relationship, etc., whose particularities will be decisive in setting higher indemnities in court or out of court (ANPD). Finally, and not least, it should be noted that a potential leak will represent a serious reputational shock, especially in a segment where several bettors choose to remain anonymous in the eyes of third parties.

 


 

What is the most efficient solution? Tearing down myths ...
MYTH: My company is already in compliance with European law, so I don't have to worry about LGPD ...
Although the LGPD reproduces many of the standards contained in the European data protection law (called the General Data Protection Regulation or GDPR), compliance with international guidelines does not necessarily imply adherence to Brazilian legislation. This is because European corporate behavior and culture are nowhere close to ours. In Brazil, the economy is strongly impacted by the unpredictability of the manifestations of the judiciary and regulatory authorities, thus making it mandatory to document corporate good faith through efficient control mechanisms, aimed at making employees aware of LGPD best practices.

MYTH: this is something for IT to resolve ...
Addressing the LGPD problem from an exclusively technological perspective will not work. This is because the translation of legal requirements for the corporate environment (especially for the sports betting market) requires legal expertise, which should be integrated with IT tools and governance mechanisms, in order to compose the complete, effective and lasting solution.

MYTH: just implement software that the problem is solved ...
Technological tools are undoubtedly a great ally of the efficient data governance program, although they do not solve the problem in isolation. In order for the investment in this resource to be converted into benefits for the betting entrepreneur, the support of a multidisciplinary team capable of mapping the characteristics of this market segment and recommending products aligned with the strategy of facing the problem and the needs of the organization is essential. In addition, it is worth mentioning that the biggest threat to data controlled by the entrepreneur is not the possibility of invasion of corporate systems, but the mismanagement of internal flows and processes impacted by the law.

MYTH: the internal legal department has all the tools to solve the problem and continue to meet the general and routine demands ...
The homemade solution, while looking attractive, is not the best. As already mentioned above, facing the LGPD challenge presupposes the availability of time for planning and executing the project, multidisciplinarity and the expertise of the lawyers involved in the project.

Solution

Once some myths about LGPD have been deconstructed, the truth is that the challenge of compliance requires a customized and multidisciplinary approach, with the integration of legal and technological solutions to compose a solid action plan aligned with the characteristics of the betting market and the organization. Each company must implement a data protection policy appropriate to its exposure and the culture that governs its environment, encouraging the expected behaviors and strengthening internal controls.

In view of this, the first step is to identify the internal weaknesses in relation to the requirements of Brazilian law, in order to create mechanisms to correct and prevent irregularities in the treatment of personal data for all impacted areas of the operation (“Assessment”).

Having identified the problem in detail, at least 10 (ten) essential deliveries will certainly be necessary in the search for LGPD compliance:

1. risk mapping;

2. implementation of a data governance program;

3. integration of the legal strategy with the solutions practiced in IT;

4. review of internal processes impacted by the law;

5. recommendations for the implementation of a segregation of duties program and determination of the chain of responsibilities;

6. attribution of legal bases and management of consent logs;

7. joint election of the person in charge of managing the data governance program;

8. training, awareness and qualification of the employees involved;

9. documentation of business “good faith”;

10. possibility of support for continuous improvement and crisis management.

Conclusion

There is no miracle. It is necessary to direct efforts and investment in order to hire multidisciplinary and customized support from professionals with experience focused on the problem that permeates all sectors of the company and whose solution will transform the modus operandi of the sports betting market in Brazil.

Source: Games Magazine Brasil