LGPD: cake, brigadeiro and some things to celebrate

When it comes to data protection, Brazil is still taking its first steps. However, these are firm and very important steps. If we were to compare the legislation to a child, we'd be having a party with cake and brigadeiros in the coming days: September 18th marks the fourth anniversary of the General Data Protection Law, the LGPD (Law 13.709/2018).

Just four letters, but they've had such an impact – a positive one, I might add! In recent years, the topic of "data protection" has gained relevance in Brazil and has been discussed in the media, in the corporate environment, and among society in general. However, in many countries, information security has been a reality even before the internet became established as a work and entertainment tool.

That is to say, Brazilian thought, both individual and corporate, is still in its infancy, while European thought already enjoys the maturity of this culture. This is partly because, in 1981, Europe saw the birth of the International Treaty on Data Protection, a document that later became the basis for other regulations.

It's been four years since the LGPD came into effect in Brazil, and a portion of companies have sought the necessary tools to comply with the law and avoid liabilities and problems when it comes to data protection. Before that, however, the vast majority ignored the issue and lacked established policies that provided an acceptable level of security for personal information.

However, even after so much debate and so many negative episodes, a significant number of corporations still haven't implemented any technical and administrative measures, such as a security policy, to comply with the LGPD. They have chosen to take risks, neglecting their databases and their client portfolio. A survey by the Daryus Group showed that 80% of Brazilian companies are not yet fully compliant with the LGPD – 35% stated they are partially compliant and 24% are in the initial stages of adaptation.

The National Data Protection Authority (ANPD), the agency responsible for regulating, supervising, and enforcing the provisions of legislation related to the protection of personal data, is active and vigilant against abuses committed against data subjects. Contrary to what was thought until recently, the internet is not a lawless land.

In many cases, what drives organizations to establish a data protection structure is the fear of penalties and sanctions foreseen in the LGPD (Brazilian General Data Protection Law), as well as to meet contractual requirements. However, what should drive companies is a commitment to the security of their clients and employees, not just the legislation. Furthermore, information is extremely valuable to companies. It is through this information that they learn the habits and consumption patterns of their clients, allowing them to anticipate offers of services and products or even correct strategies.

As people begin to understand that the protection of their personal data is a legally protected right, criminals exploit vulnerabilities in companies and systems to steal this information, as data is worth a lot of money on the black market. Research by Cybersecurity Ventures indicated that cybercrime is projected to cause estimated losses of approximately US$10.5 trillion annually by 2025.