The growing complexity of legal and commercial relationships in contemporary society requires organizations to adopt structured internal control and regulatory compliance mechanisms. In this context, implementing compliance programs becomes an essential tool for ensuring compliance with laws, regulations, ethical standards, and internal policies.
With the enactment of Law No. 13,709/2018 (General Personal Data Protection Law – LGPD), the Brazilian legal system now has a new regime aimed at protecting privacy and personal data, imposing specific obligations on all data processing agents.
In this context, the intersection between compliance and the LGPD is inevitable. Compliance with the LGPD is not merely a technical requirement, but a true legal obligation. Failure to comply can result in administrative, civil, and, in certain situations, even criminal liability, in addition to causing serious damage to the institutional reputation of the company that fails to adhere to these standards.
Therefore, it is crucial that compliance programs are fully aligned with LGPD guidelines, aiming to mitigate risks related to the processing of personal data. Implementing internal controls, consolidating an ethical culture, and adopting good business practices are essential pillars for preventing illicit data leaks and ensuring legal compliance.
In this regard, for a company to be aligned with the guidelines of the General Data Protection Law (LGPD) and a Compliance program, it is necessary to adopt a series of fundamental measures. These include: mapping and documenting all personal data processed by the organization, including its collection, storage, and disposal; developing clear and accessible privacy policies and terms of use that accurately inform how data is collected, used, and protected; creating a customer service channel for data subjects, enabling them to exercise their rights, such as access, correction, deletion, portability, and revocation of consent; providing ongoing employee training on data protection and best security practices, fostering a culture of ethical data handling and incident prevention; establishing effective security incident response procedures, enabling swift and structured action in cases of data leaks or unauthorized access, with containment measures, risk assessment, and communication to authorities and data subjects; and, finally, carrying out periodic internal audits, with the aim of assessing ongoing compliance and ensuring that legal guidelines are being effectively met.
Data governance, in turn, involves defining the processes, policies, and structures responsible for the secure and effective management of data within the organization. However, when this governance is not aligned with compliance, it creates problems that can compromise both legal certainty and the company's reputation.
Therefore, the integration between data governance and compliance is not only recommended, but a necessity for organizations seeking to operate with integrity, responsibility, and in compliance with legal and ethical requirements.
Amanda Batista Fernandes Segala is a lawyer at the Rücker Curi Law and Legal Consulting firm.