By Leonardo Neri
As we have already highlighted, the job of the Data Protection Officer (DPO) is to ensure that the processing agent is compliant with the General Data Protection Law (LGPD). Therefore, it is necessary to know where to start and what to do to achieve this goal.
In order to comply with the rules and provisions of the LGPD, the controller must build a culture of personal data protection. To this end, the LGPD provides that controllers and operators may formulate rules of good practice and governance, also known as a good practices and governance program, covering the procedures adopted in the processing of personal data.
To put these practices into effect, an implementation project is needed. The one outlined below has six phases, which must be adapted to the type and size of each company.
PHASE 1 – Diagnosis
Initially, it will be necessary to analyze and map all areas and activities that involve the processing of personal data. At this point, it will be necessary to diagnose what has already been done to protect personal data and what still needs to be done.
It is extremely important, at this stage, to capture as much information as possible, and as precisely as possible, in order to understand how the processing agent operates; the more accurate the diagnosis, the more effective the implementation.
This is the time to understand the profile of the activities and employees, the purpose of the processing of personal data, the types of personal data processed, the workflows and security gaps and, most importantly, to identify the difficulties and problems faced in the processing of personal data. Only by knowing the processing agent in depth will it be possible to outline the best adaptation strategies, tailored to the organization and with greater effectiveness.
PHASE 2 – Creation of the Data Protection Governance Program
Creating a governance program is one of the main steps in implementation. It will provide guidance on how to continue adapting and maintaining data protection practices and will facilitate employee understanding.
Although the LGPD does not require the creation of a governance and good practices program, it recommends it to controllers and operators. The program may include organizational methods, operating regimes and procedures to guarantee data protection, such as channels for complaints and petitions by data subjects, security standards, technical standards, educational actions, internal inspection measures and even internal sanctions, all aimed at protecting the personal data processed.
With the program in place, the processing agent will be able to plan and focus on implementation in each of its sectors, knowing exactly what will need to be modified or adapted to comply with legal requirements.
PHASE 3 – Preparation and review of documents
After creating the governance and good practices program and outlining the strategies and measures to be taken, it will be necessary to prepare or review the documents relating to the processing of personal data, such as privacy policies and terms and conditions. They must be adapted to the new practices and, above all, to the legislation, thus avoiding future problems with data subjects and with the national authority.
The new documents must comply with all the principles of the LGPD and respect the rights of data subjects, without, of course, neglecting the rights of the processing agent.
PHASE 4 – Ensuring the exercise of the rights of data subjects
At this stage, the processing agent must focus on implementing all practical measures to secure personal data and guarantee the rights of data subjects, in accordance with the results of the diagnosis and the governance program.
In other words, this is the time to put the plan into action, with the implementation of all mechanisms to comply with the law.
PHASE 5 – In-company training
After implementing all the instruments necessary for adaptation, it is time to train all employees in order to establish a culture of personal data protection within the processing agent.
The people who handle personal data day to day are the most important element in ensuring full compliance with the law. There would be no point in implementing data security systems if those who operate them are not trained in good practices.
Therefore, training must ensure that all employees are aligned with the LGPD, understanding the real importance of data protection through a clear explanation of its principles and purpose.
Training must cover all areas, so that the processing agent as a whole is compliant with the LGPD.
PHASE 6 – Final LGPD Review
Once the project has been fully implemented and employees in all areas have been trained, the processing agent must review the measures implemented as they operate in daily practice, checking for any errors and correcting them, until full compliance is verified.
To give processing agents time to test and review the measures implemented, the LGPD provides that its administrative sanctions only come into effect in August 2021. However, court awards of moral damages, as well as investigations and audits by the Public Prosecutor's Office and other regulatory bodies, have been under way in earnest since September 18, 2020, when the law entered into force.