When it comes to data protection, Brazil is still taking its first steps. However, these are firm and very important steps. If we were to compare the legislation to a child, in the next few days, we would have a party, cake, and brigadeiro: September 18th marks four years since the General Data Protection Law, the LGPD (Law 13,709/2018), came into force.
Just four letters, but they brought so many impacts – positive, by the way! In recent years, the topic of ‘data protection’ has gained relevance in Brazil and has been discussed in the media, in the corporate environment, and among society in general. In many countries, however, information security was already a reality even before the internet solidified as a tool for work and entertainment.
Thus, Brazilian individual and corporate thinking is still in its infancy, while European thinking already enjoys the maturity of this culture. After all, in 1981, in Europe, the International Treaty on Data Protection was born, a document that later became the basis for other regulations.
It has been four years since the LGPD came into force in Brazil, and a portion of companies sought out the necessary tools to comply with the law and avoid liabilities and problems related to data protection. Before that, however, the vast majority ignored the subject and did not have established policies that provided an acceptable level of security for personal information.
However, even after so much debate and so many negative episodes, there is still a significant number of corporations that have not implemented any technical and administrative measures, such as a security policy to comply with LGPD. They have chosen to take risks, neglecting their database and customer base. A survey by Grupo Daryus showed that 80% of Brazilian companies are still not fully compliant with LGPD – 35% claimed to be partially compliant and 24% in the initial stage of compliance.
The National Data Protection Authority (ANPD), an independent agency responsible for regulating, supervising, and enforcing the provisions of legislation related to the protection of personal data, is active and vigilant against abuses committed against data subjects. Contrary to what was thought until recently, the internet is not a lawless land.
In many cases, what drives organizations to establish a data protection framework is the fear of the penalties and sanctions provided for in the LGPD, as well as the need to comply with contractual requirements. However, what should drive companies is the commitment to the security of their customers and employees, not just legislation. Moreover, information is extremely valuable to companies. It is through information that the habits and consumption patterns of their customers are known, enabling the anticipation of service and product offers or even the correction of strategies.
As people begin to understand that the protection of their personal data is a right established by law, criminals take advantage of vulnerabilities in companies and systems to steal this information, as data is worth a lot of money in the underground market. A study by Cybersecurity Venture indicated that cybercrimes are expected to cause losses of around US$ 10.5 trillion annually by 2025.