The Integration between Compliance Programs and the General Data Protection Law

The increasing complexity of legal and commercial relationships in contemporary society requires organizations to adopt structured mechanisms for internal control and regulatory compliance. In this scenario, the implementation of compliance programs becomes an essential instrument to ensure adherence to laws, regulations, ethical standards, and internal policies.

With the enactment of Law No. 13,709/2018 (General Data Protection Law – LGPD), the Brazilian legal system now has a new regime aimed at protecting privacy and personal data, imposing specific obligations on all processing agents.

 In this context, the intersection between compliance and the LGPD proves to be inevitable. Observing the LGPD is not merely a technical requirement; it constitutes a genuine legal duty. Failure to comply can lead to administrative, civil, and in certain situations, even criminal liability, in addition to causing serious damage to the institutional reputation of the company that fails to follow these parameters.

Thus, it is fundamental that compliance programs are fully aligned with the LGPD guidelines, aiming at the mitigation of risks related to the processing of personal data. The implementation of internal controls, the consolidation of an ethical culture, and the adoption of good business practices are essential pillars to prevent the illicit leakage of data and ensure legal compliance.

In this field, for a company to be aligned with the guidelines of the General Data Protection Law (LGPD) and a Compliance program, it is necessary to adopt a series of fundamental measures. Among them, the following stand out: mapping and documenting all personal data processed by the organization, covering its collection, storage, and disposal; developing clear and accessible privacy policies and terms of use, which precisely inform how data is collected, used, and protected; creating a service channel for data subjects, enabling them to exercise their rights, such as access, correction, deletion, portability, and revocation of consent; continuous training of employees on data protection and good security practices, promoting a culture of ethics in information handling and incident prevention; establishing effective incident response procedures, allowing for quick and structured action in cases of leaks or improper access, with containment actions, risk assessment, and communication to authorities and data subjects; and, finally, conducting periodic internal audits, with the aim of evaluating continuous compliance and ensuring that legal guidelines are being effectively met.       

 In other words, data governance, in turn, involves defining the processes, policies, and structures responsible for the secure and effective management of data within the organization. However, on the other hand, when this governance is not articulated with compliance, it creates a problem that can compromise both legal security and the company's reputation.

Therefore, the integration between data governance and compliance is not just recommended, but a necessity for organizations seeking to operate with integrity, responsibility, and in accordance with legal and ethical requirements.

Amanda Batista Fernandes Segala is a lawyer at Rücker Curi Advocacia e Consultoria Jurídica.