ANPD can now apply sanctions for violation of the LGPD



Startups should make sure their products are designed and configured to capture only the data essential to their businesses

* Julia Shinohara is a data protection lawyer at BZCP extension




On February 27, 2023, the National Data Protection Authority (ANPD) published the regulation (Resolution CD/ANPD nº 4/2023) that establishes the parameters and criteria for applying sanctions for violations of the General Data Protection Law – LGPD (Law nº 13.709/2008).

With that, the ANPD will now be able to apply sanctions to agents who do not comply with the obligations of the LGPD or the regulations published by the authority, which is expected to happen in the very near future.

In an interview given earlier this month, the director-president of the ANPD, Waldemar Gonçalves Júnior, revealed that there are already 8 administrative proceedings underway at the ANPD whose analyses had already been completed and which awaited only the dosimetry regulation for the application of sanctions.

Although the market expectation is that the first sanctions will be applied to large technology companies, such as Google, Meta and Twitter, the sanctions applied by the ANPD should also concern startups, since the LGPD applies to any company that carries out personal data processing activities, regardless of its size.

In this context, it becomes even more essential for startups to comply with the requirements of the LGPD by implementing an adequate compliance and data governance program. Much has already been said about the importance of implementing an LGPD compliance project for the value and competitive advantage it brings to the company. However, with this new regulation, the savings generated by an LGPD compliance project become much more attractive and measurable.

This is because, in addition to preventing data security incidents, the correct and documented implementation of a data governance program is expressly provided for by the regulation as a mitigating circumstance, which entitles the company to a 20% discount on the value of any fine that is applied.

Furthermore, the regulation provides for a 75% discount if the company interrupts the infringement before the ANPD initiates an administrative procedure. For a company to put an end to an infringement, it must first identify that the infringement exists, which is only possible if the company is fully aware of all the data processing activities it carries out, as well as the respective legal bases, so that it can identify and remedy any gaps.

Classification of infringements

Likewise, the regulation provides, as one of the hypotheses for qualifying the infringement as “serious”, infringements that significantly affect fundamental rights and interests, in which the processing is carried out without the support of a legal basis provided for by the LGPD, emphasizing, again, the importance of mapping data processing activities and identifying the respective legal bases.

Another hypothesis for qualifying the infringement as “serious” that startups should be aware of is the one deriving from the processing of personal data on a large scale, understood as processing that involves a large volume of data or a high number of controllers, as well as the significant duration, frequency and geographical extension of the processing carried out.

Therefore, it is important for startups to implement the principles of Privacy by Design and Privacy by Default, so that their products are designed and configured to capture only the data actually essential to the company’s activities, mitigating the risks for data controllers and, consequently, the risk of sanctions for the company. It is worth noting that the sooner a company adapts to the LGPD and embeds privacy into its culture, the easier and more painless this process is.

In addition to the qualification of the infringement (as light, medium or serious), another element that will be considered in defining the sanction and its basic value (in the case of serious infringements, or those in which the offender has not complied with the preventive or corrective measures imposed on it) will be the offender’s revenue in the last financial year, which, in the case of startups, must be up to R$ 16 million, as provided in the Legal Framework for Startups (Supplementary Law No. 182/2021).

The regulation also provides that the fine must be paid within a maximum term of 20 working days, with a double term granted to startups, as defined by CD/ANPD Resolution no. 2/2022, which regulates the application of the LGPD to small-scale processing agents.

That said, although the expectation is that the first sanctions will fall on large technology companies, it is essential that startups also mobilize to complete their LGPD compliance projects, aiming to avoid sanctions, or at least to reduce the value of any fines, which should begin to be applied in the coming weeks.

Source: Terra
