The Integration between Compliance Programs and the General Data Protection Law

The increasing complexity of legal and commercial relations in contemporary society compels organizations to adopt structured mechanisms for internal control and normative compliance. In this scenario, the implementation of compliance programs becomes an essential instrument to ensure adherence to laws, regulations, ethical standards, and internal policies.

With the enactment of Law No. 13,709/2018 (General Data Protection Law – LGPD), the Brazilian legal system now has a new regime aimed at protecting privacy and personal data, imposing specific obligations on all processing agents.

In this context, the intersection between compliance and LGPD proves inevitable. Compliance with the LGPD is not merely a technical requirement, but a true legal duty. Non-compliance can lead to administrative, civil, and in certain situations, even criminal liability, in addition to causing serious damage to the institutional reputation of the company that fails to adhere to these parameters.

Thus, it is fundamental that compliance programs are fully aligned with LGPD guidelines, aiming to mitigate risks related to the processing of personal data. The implementation of internal controls, the consolidation of an ethical culture, and the adoption of good business practices are essential pillars for preventing the illicit leakage of data and ensuring legal compliance.

In this regard, for a company to be aligned with the guidelines of the General Data Protection Law (LGPD) and a Compliance program, it is necessary to adopt a series of fundamental measures. Among these, the following stand out: mapping and documenting all personal data processed by the organization, covering its collection, storage, and disposal; developing clear and accessible privacy policies and terms of use that precisely inform how data is collected, used, and protected; creating a service channel for data subjects, enabling the exercise of their rights, such as access, correction, deletion, portability, and revocation of consent; continuous training of employees on data protection and good security practices, promoting a culture of ethics in information handling and incident prevention; establishing effective procedures for responding to security incidents, allowing for rapid and structured action in cases of leaks or undue access, with containment actions, risk assessment, and communication to authorities and data subjects; and, finally, conducting periodic internal audits to assess continuous compliance and ensure that legal guidelines are being effectively met.

Data governance, in turn, involves defining the processes, policies, and structures responsible for the secure and effective management of data within the organization. When this governance is not articulated with compliance, however, a problem arises that can compromise both legal certainty and the company's reputation.

Therefore, the integration between data governance and compliance is not just recommended, but a necessity for organizations seeking to operate with integrity, responsibility, and in accordance with legal and ethical requirements.

Amanda Batista Fernandes Segala is an attorney at Rücker Curi Advocacia e Consultoria Jurídica.

E-Commerce Update