Compliance with the Brazilian General Data Protection Law (LGPD) has proven to be an essential and complex challenge for organizations. The lack of a data-driven culture, legal uncertainties, low investment in data governance and a growing landscape of cyber insecurity all contribute to this complexity.
The lack of data protection culture
I often say that complying with the data protection law poses a double challenge when it comes to building the culture that privacy demands.
First, Brazilian organizations do not yet have a robust data-driven culture in place. This factor alone makes a compliance program a challenge in itself. The second factor is that creating a data protection culture is new for most companies. A data protection culture requires a significant change in the mindset of people at all levels and in all roles in society.
In Brazil, 70% of the population, 127 million users, is connected to the internet, according to a recent ICT Household survey. However, Brazilians are not in the habit of worrying about how their data is handled; most are unaware of their data rights and are accustomed to providing information without knowing how it will be used. One of the biggest challenges is educating users about their data rights, making them literate about the abuses that arise from improper use of data by companies, and empowering them to act on those rights.
The uncertain and confusing legal scenario
Another factor increasing the complexity of compliance is the uncertainty that comes from the law itself, including when it will enter into force and how the authorities will enforce it. Since the dawn of its conception, the LGPD has changed its form in many ways. One of the most noticeable changes concerned the data holder's (data subject's) right to review automated decisions: the review initially had to be performed by a natural person, but the law was later relaxed to allow it to be performed by an equally automated process dedicated to fulfilling this right.
Defining the role of the data protection officer is also complicated. So far, I have seen different approaches from several companies on where they place the DPO in the organizational structure, ranging from IT to data science. The law does not require or specify what the DPO structure should be, and some companies are considering placing the DPO outside the second line of the risk management structure.
The law's entry into force is another well-known point of divergence, and its definition has so far been linked to the creation of the national data protection agency, the ANPD.
Read more about the Brazilian General Data Protection Law:
"Brazilian Data Protection Law: A complex patchwork," by GCA Avogados Partner Ana Carolina Cagnoni, CIPP/E, CIPP/US
At this point, Brazilian companies are working with an August 2020 date for compliance, but a legislative bill promulgated at the end of last year intends to push the LGPD's entry into force to August 2022. The delay in establishing the ANPD and the unpreparedness of Brazilian companies are the arguments supporting the bill.
In my opinion, there is no correlation between delaying the law's entry into force and achieving a larger share of LGPD-compliant companies. Instead, I believe the compliance program loses strength in budget prioritization, and companies will postpone the start of their adaptation. Since privacy requires a program rather than a project, the law's entry-into-force date becomes a minor, non-determining factor in the success of enforcement.
The late investment in data governance
Despite the uncertainty, a growing number of companies are starting to realize the importance of robust data governance. Adoption is slow, but investing in data governance maturity is worth the effort. Over the last 20 years, we have seen significant technological evolution that has not been adequately accompanied by the data management discipline, resulting in professionals with low or insufficient qualifications in this area. This lack of professional qualifications explains the failure of many business intelligence projects due to poor data management. Given these failures, companies began to look for integrated solutions, often user-unfriendly ones, and to outsource data roles to specialized consultancies. The definition of roles and responsibilities was also inadequate, and it is not uncommon to see companies whose departments place full responsibility for data management on IT. Gradually, Brazilian companies have started to understand the shared responsibility between IT and business areas, redefining the role and due importance of data management. The lack of professionals qualified for the new hybrid "IT and business" roles is a reality, and companies must invest in data literacy for their staff. Serious data governance is a crucial movement through which companies learn more about the data they collect and achieve greater efficiency and quality in its use.
The threat of the cybersecurity scenario
In the information security scenario, corporate cyberattacks and data leaks have grown significantly, placing Brazil fourth among the countries most targeted by cybercriminal attacks, according to a Kaspersky report. Between March and June 2019, there were 15 billion attempted attacks in Brazil, according to cybersecurity firm Fortinet. Cyberattacks will continue to increase in both quantity and sophistication. Highly regulated sectors, such as the Brazilian banking sector, are better prepared for these events, but they are a minority.
The combination of all these factors makes the Brazilian data protection scenario challenging but positive. I believe companies should look at compliance with the data protection law as "tidying the house," an exercise that brings benefits in operational efficiency, quality and cost optimization, generating better products and solutions for customers.
From now on, Brazilian companies must deal with a medium-term period (three to five years, in my opinion) of adaptation amid many uncertainties. However, the fact is that privacy is now a fundamental right guaranteed by the Brazilian constitution, and the law will have a positive effect on the daily lives of all citizens.