FF Advogados lawyers featured in international article on the LGPD
Elisa Figueiredo, Thais Françoso e Aline Dantas
It is not new that Covid-19 directly impacted the daily lives of companies and changed the routine of employees, suppliers and customers. Companies were forced to adapt their businesses to the new reality created by the pandemic.
In the case of companies that already had active compliance programs, it was necessary to review the risks linked to the business and, consequently, to reassess the entire compliance program, its policies and procedures.
Only with updated programs, adapted to the new social reality (during and after the pandemic), will it be possible to mitigate the risks related to the health of customers and employees and minimize the new risks appearing in situations that arose with the arrival of Covid-19, such as new business models, new hires, lay-offs, donations and all adjustments resulting from the various legislative changes of that period.
Almost 6 months after the arrival of Covid-19 in Brazil, we realize today that companies, in general, have returned to their activities, some in the old model, others in hybrid models and even others in a totally innovative model. In any case, the effects of the pandemic are evident, especially with regard to the use of technology and the way in which companies communicate with employees, customers, prospects or suppliers.
Two simple examples of this new kind of communication are the use, by reason of the home office, of users’ remote access to data and information maintained within the companies, and the holding of virtual meetings, through the use of the numerous online platforms available on the market. These two examples show the sharing of data and information outside the corporate environment. Accordingly, more than ever, it is necessary to talk about the risks related to information security (loss and leakage of data and information, network intrusions, malware, etc.).
Obviously, it is important that internal communication, training and all company policies are adequate to this new “virtual” reality, but not exclusively: information security risks must also be assessed from the perspective of the Brazilian General Data Protection Law – GDPL.
As is known, the entry into force of the GDPL was extended and, especially regarding the penalties, will begin only in August 2021.
However, the current scenario requires information security risks to be urgently mapped and controlled, including the protection and adequate treatment of personal data used by companies.
Even though the penalties provided for in said legislation, which may amount to fines of up to R$ 50 million, as well as the partial or total ban from activities related to data processing, will not be applied until August 2021, the mentioned penalties are far from being the worst problems generated by the improper leakage of these data.
Indeed, the damage caused by a leak of personal data or sensitive information can be fatal to the business, because it impacts the credibility and image of a company, not to mention possible liability (civil or criminal) not only of legal entities, but also of their partners or managers.
As we have seen, the Covid-19 pandemic impacted the shape of business, exposing as well the fragility of data and information security in companies. Therefore, even if the GDPL has not come into force, the new or old risks related to leaks, invasions or mismanagement of sensitive data and information require immediate action, inserted in the review of compliance programs and focused on compliance with the guidelines established by the GDPL.