Navigating Data Protection Compliance: A Project Manager's Journey Through LGPD*
- Priscila Z Vendramini Mezzena
- Aug 23, 2023
- 3 min read
Updated: Apr 10, 2024
*based on the General Data Protection Regulation - GDPR
Two years ago, I had the opportunity to lead a project to comply with the General Data Protection Law (LGPD). It was a very enriching experience that led me to seek new learning and improve my skills in order to contribute to essential organizational changes.
Knowledge of this law should not only be a concern for companies but also for all of us, the data subjects, who have our personal data, including sensitive data, spread across various platforms: not just the obvious digital ones, but also a whole chain of service providers and businesses that may access and process our data, such as doctors, pharmacies, and restaurants, among others.
The LGPD, or Law No. 13.709/2019, came into effect in September 2020. In 2021, sanctions became enforceable, but only in 2023 did the National Data Protection Authority (ANPD) establish the rules for calculating them and begin to apply them. The LGPD is based on the European regulation, the General Data Protection Regulation (GDPR).
An LGPD compliance project involves many fronts, a multidisciplinary team, and deliverables such as: training, contract adjustments, privacy notices, policies (such as a Data Security policy), data mapping/inventory, the Impact Report (RIPD), contingency and mitigation plans (for example, in case of data loss or leakage), adjustments to systems (frontend and backend), documents, and processes, as well as interfacing with consultancies and legal advisors specialized in the subject, as needed by the company.
A Project Leader involved in such an initiative must, among other characteristics:
- Understand the fundamentals of the Data Protection Law and be familiar with legal concepts, in order to interpret and effectively implement the related requirements;
- Be critical and detail-oriented;
- Exercise skills such as communication, leadership, problem-solving, and ethical thinking;
- Have cultural sensitivity, to understand the perspectives of the different stakeholders involved;
- Manage stakeholders;
- Manage risks;
- Have sufficient technical knowledge to support the team in redefining processes and to provide requirements for tool adjustments;
- Exercise documentation skills, to support the review of policies, contracts, and other related documents;
- Be flexible, as data-related regulations can change and adjustments may be necessary;
- Facilitate the delivery of training and programs that disseminate knowledge and organizational definitions regarding the law;
- Be open to continuous learning, as the data protection context is dynamic;
- Have strong communication skills, to interface between all parties involved.
For those unfamiliar with the LGPD, here are some important points:
- The LGPD regulates the processing of personal data with the intent of protecting individuals' rights, such as privacy;
- Personal data are data that can directly or indirectly identify a natural person, including by cross-referencing data; for example, name, CPF (the Brazilian equivalent of a Social Security Number), email, and address;
- Sensitive data are those that could cause some form of discrimination, such as religious preferences, health-related data, and sexual orientation;
- Data processing includes collection, alteration, sharing, international transfer, and deletion of data, among other actions;
- The data subject's rights include: confirmation of the existence of data processing, access, anonymization and deletion of data, revocation of consent, and information on data sharing, among others;
- For a data controller to process data, a legal basis is required, such as the consent of the data subject, a legal obligation, or the protection of life, among others;
- One of the LGPD principles is necessity: collect only data that has an explicit purpose and a genuine need for use;
- The ANPD is the regulatory and supervisory body in Brazil;
- The DPO (Data Protection Officer) has a fundamental role in this context, being responsible, among other things, for liaising between data subjects, the company, and the ANPD, and for receiving requests from data subjects.
For more information, the link to access the Law is http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm.
The ANPD's website can be accessed at https://www.gov.br/anpd/pt-br.
If you have been involved in a similar project, it would be a pleasure to hear about your experiences as well. Share!
Originally published in Portuguese on LinkedIn: https://www.linkedin.com/pulse/navegando-na-conformidade-da-prote%25C3%25A7%25C3%25A3o-de-dados-uma-priscila/?trackingId=9%2FRhacFxRiyewT7y%2FzH1Ug%3D%3D