The General Data Protection Law (LGPD), in effect since 2020, brought profound changes to the processing of personal data by companies and organizations in Brazil. Despite its importance, there are still companies that ignore or fail to comply with the law’s requirements, exposing themselves to severe administrative, financial, and even criminal penalties.
The purpose of the LGPD is to ensure the privacy and security of information while respecting data subjects’ rights. Additionally, it establishes rules for the collection, storage, processing, and sharing of this data. “Those responsible for data processing who violate the LGPD may face administrative sanctions, such as fines of up to 2% of revenue, limited to R$50 million per violation, data blocking or deletion, and civil liability for damages caused to data subjects,” states Rafael Valentini, a specialist in Criminal Law and partner at FVF Advogados.
In an entirely digital era where information security and protection against data leaks, among other issues, have become a competitive advantage for companies, corporations have needed to adhere to the LGPD in various ways. Business ethics, social responsibility, client-supplier partnerships, responsible investing, and other topics now feature in board meetings and in CEO and management discussions. After all, companies that adopt good privacy and data protection practices gain a competitive edge and are better prepared to handle potential cyber incidents.
But what happens when a specific company disregards the law and, as a result, may have committed a crime? “Although the LGPD does not directly provide for criminal sanctions, violations involving crimes, such as fraud or misuse of data, may lead to criminal liability based on other laws, such as the Penal Code and the Cybercrime Law,” emphasizes the expert. One way to shield oneself under the LGPD is to adopt an effective data governance policy and implement information security technologies, among other measures.