Data Protection Day was established by the Council of Europe in 2006. It is celebrated on January 28th, the date on which the Council of Europe Convention No. 108/1981 on the protection of individuals with regard to automatic processing of personal data was opened for signature. Closing out the global initiative of Personal Data Protection Week, the date is celebrated to encourage and foster a culture of data protection around the world.

This is a great opportunity to discuss important points about the subject and to identify the main issues that companies will have to face in 2022. Starting with business, many companies are already in a new phase with regard to the topic. They have gone through the initial stage of implementing legislation, in particular the General Personal Data Protection Law (LGPD), and now need to maintain a privacy and data protection management system that is consistent with and capable of meeting the requirements of the law.

What Data Protection Day reminds us is that the task can be made simpler if a culture of privacy is actually implemented. The topic is alive. More than well-defined policies and goals, the adoption of daily activities in favor of privacy is a must.

In the current phase, privacy by design becomes even more relevant. In addition to reviewing and updating risk matrices and records of processing activities, or even seeking a greater level of detail in contracts, personal data protection is expected to be a hallmark of every initiative. Decisions about the purpose of the use of personal data, identification of what data is needed, ways to achieve maximum transparency with the data subject, and ways to establish high levels of security are good examples. To do this, privacy professionals need to be involved from the beginning of each action.

The role of Data Protection Officer (DPO) is becoming more and more established. Parameters on how to structure the exercise of the function become clearer every day.

The sanctions applied in Europe in the last few months may have important consequences in Brazil. In addition to cases in which no DPO was appointed,[1] sanctions have confirmed the importance of the DPO being sufficiently involved in the matter. They also indicate that the DPO should not accumulate other functions and should not be left without administrative structure and autonomy. Potential conflicts of interest should also be avoided.

For example, in December, the Belgian data protection authority (APD) recognized a conflict of interest and imposed a fine of 75,000 euros on a financial institution because the appointed DPO was also head of the department to which the DPO should report. In another case, the Luxembourg authority (CNPD) imposed a fine of 15,000 euros due to the DPO's lack of involvement in all matters related to personal data, his lack of autonomy in the exercise of the function, and the fact that the professional had not received adequate training to perform his activities.

The year also tends to bring an increasingly active National Data Protection Authority (ANPD). The ANPD is expected to issue new guidance documents setting out the nuances of its interpretation of the LGPD, along the lines of the Processing Agents and Data Protection Officer Guide and the publication Information Security for Smaller Processing Agents.

Moreover, in yet another commendable pedagogical stance, the Authority began its first monitoring cycle in January of 2022, with a review of companies' compliance and regulatory risks and adoption of practices to curb irregularities and foster a culture of data protection.

Of particular note is the fact that 2022 is also an election year. It becomes very relevant to understand the protection of personal data in this context, considering that the political and electoral process involves the circulation of a large volume of personal data and will be the first in the country after the LGPD came into effect, which must be fully complied with.

It is fundamental to understand the main points to be considered by all the key players in this process (candidates, political parties, etc.). To help in this task, the ANPD and the TSE have jointly launched the guide on the Application of the General Personal Data Protection Law (LGPD) by Data Processors in the Electoral Context. Among other points, the publication explores the scenario, the main legal bases that support operations, and accountability guidelines for channels to exercise data subject rights and for prevention and security.

Compliance with the LGPD in the election context involves defining the role of each processing agent (whether controller, operator, or co-controller). Political parties and the groups that run their campaigns are structured in many different ways, and the roles of the agents must be precisely defined in order to know what must and must not be fulfilled.

It is also important to be aware of the use in political campaigns of personal data that was previously collected for other purposes (for example, data present in collective petitions - indicated below - on a given issue). In such cases, care must be taken to avoid the risk of using the data for a purpose other than the one for which it was collected. Data may be used only where the new purpose is closely related to the reasons for the collection or where the data subject has consented to its use for campaign purposes.

Another sensitive issue is profiling by political parties or candidates. This is when voters are classified into different groups or sectors, through the use of algorithms that identify relationships between different behaviors and characteristics of personal data subjects. This allows one to target political advertising much better.

The practice is not forbidden, but the processing agent must adopt safeguarding and compliance measures. Among them, it is important to review one's policies so that the practice is made very clear to the data subjects, to pay attention to the accuracy of the data used, not to collect data beyond what is necessary, and not to keep it longer than necessary for that purpose.

The foreign experience also provides interesting guidelines on the topic. Noteworthy, for example, are the UK data protection authority (ICO) guidelines and the recent Opinion 2/2022 of the European Data Protection Supervisor (the European Union's independent data protection authority) on the subject.

Another increasingly relevant topic that is directly associated with the purpose of Data Protection Day is privacy incidents. In its best-known form this is the data leak, but the term covers any situation, of low or high significance, in which the confidentiality, integrity, or availability of personal data is compromised.

With the growth in the number of situations in the last year, it is highly relevant that companies adopt preventive measures, not only regarding information security, but also regarding governance, having an incident response and remediation plan that is able to mitigate the risks and contain the damage.

Well-defined roles in identification and response, simulation exercises, pre-hired service providers for crisis management, and a correct assessment of the severity of the incident based on reliable criteria are some of the measures increasingly adopted.

The topic affects all new technologies

Data Protection Day also reminds us of one of the most relevant features of the topic: its general applicability in relation to all new technologies and practices. This is the case, for example, with the increasing use of mechanisms that make use of artificial intelligence and that have personal data as raw material. If personal data is processed, the LGPD will need to be respected, especially by defining the precise purpose of the operation, the use of only the data necessary for the purpose, and the understanding of the legal justification supporting the use of the tool.

The preparation of specific Personal Data Protection Impact Reports, describing the risks and the safeguards adopted, can be very useful, demonstrating the company's concern and diligence on the topic. Furthermore, it is important that automated decision processes that make use of personal data have mechanisms for reviewing the decision, since this is a right of the data subject involved, pursuant to article 20 of the LGPD.

There is also the risk of abusive or illegal discriminatory practices arising from the automated processing of personal data, which is prohibited by article 6, IX, of the LGPD. This requires defining frameworks for such mechanisms, as well as supervising not only the data collected or fed into the tools, but the entire processing. The recent ISO/IEC 24027:2021 standard brings important parameters to mitigate the risk of biased results.

Let us celebrate the culture of personal data protection in the best way: by remembering its importance and understanding its moment for business.

[1] Available at: https://www.aepd.es/es/documento/ps-00231-2021.pdf. Accessed on: January 24, 2022.