
The Integration between Compliance Programs and the General Data Protection Law

The increasing complexity of legal and commercial relations in contemporary society requires organizations to adopt structured mechanisms of internal control and regulatory compliance. In this scenario, the implementation of compliance programs becomes an essential instrument to ensure compliance with laws, regulations, ethical standards and internal policies.

With the enactment of Law no. 13,709/2018 (the General Data Protection Law, LGPD), the Brazilian legal system gained a new regime aimed at the protection of privacy and of personal data, imposing specific obligations on all processing agents.

In this context, the intersection between compliance and the LGPD proves to be inevitable. Compliance with the LGPD is not just a technical requirement, but constitutes a true legal duty. Failure to comply can generate administrative, civil and, in certain situations, even criminal liability, in addition to causing serious damage to the institutional reputation of the company that does not follow such parameters.

Thus, it is essential that compliance programs are fully aligned with the LGPD guidelines, aiming at mitigating risks related to the processing of personal data. The implementation of internal controls, the consolidation of an ethical culture and the adoption of good business practices are essential pillars to prevent illicit data leakage and ensure legal compliance.

In this area, for a company to be aligned with the guidelines of the General Data Protection Law (LGPD) and a compliance program, it is necessary to adopt a series of fundamental measures. Among them, we highlight: the mapping and documentation of all personal data processed by the organization, covering its collection, storage and disposal; the elaboration of clear and accessible privacy policies and terms of use, which accurately inform how data are collected, used and protected; the creation of a service channel for data holders, enabling the exercise of their rights, such as access, correction, exclusion, portability and revocation of consent; the continuous performance of incidental and protection of data to the protection and a culture of ethics.

Data governance, in turn, involves the definition of processes, policies and structures responsible for the safe and effective management of data within the organization. However, when this governance is not articulated with compliance, a problem arises that can compromise both legal certainty and the reputation of the company.

Therefore, the integration between data governance and compliance is not only recommended, but a necessity for organizations that seek to operate with integrity, responsibility and in compliance with legal and ethical requirements.

Amanda Batista Fernandes Segala is a lawyer at the Rucker Curi Law Firm and Legal Consultancy.

E-Commerce Update