Adaptation to LGPD for the RNP System - Stay in the know!
The sanctions of the General Data Protection Law (LGPD) – or Law No. 13.709 – have been in force since August this year. This means that institutions, both public and private, must seek compliance with the law, in order to prioritize the secure flow of personal data and privacy of holders, and to provide transparency to such holders so that they know how their collected data is being treated and stored.
Compliance is no longer an option: promoting a culture of personal data protection needs to be an ongoing concern. Given this, organizations must work to implement compliance and governance programs for privacy and data protection. With the entry into force, the adaptation to the law proved to be urgent, considering that it provides for the application of fines and sanctions. Among the legal sanctions are warnings, corrective measures, suspension or prohibition of data processing activities. For companies, fines can be up to 2% of sales, with a limit of R$50 million.
In the areas of education, research and, above all, health, personal and sensitive data are handled all the time. What information is this? Name, CPF, address, e-mail, telephone, enrollment of a student or employee are examples of personal data. Some are considered sensitive, due to the possibility of discrimination, such as racial or ethnic origin, political opinion, religious conviction, sexual orientation, information about health and sexual life, among others.
Even in the face of this reality of large data flow and production, in a survey carried out with 56 institutions, within the scope of the 2020 Edition of the “Research on Security and Privacy in the RNP System”, we gathered numbers that demonstrate that there is still much to be done in terms of adequacy to the law in force.
• 57% of institutions admitted that they should manage user consent, but do not.
• 54% have not yet defined a process to respond to requests from holders of personal data.
• 64% indicated that promoting the culture of personal data protection remains one of their main challenges.
Although there are similarities in the parameters to be followed, the institutions of the RNP System have their specificities in relation to other types of organizations.
Institutions must be aware of the sharing of personal data with third parties. It can only be carried out with the express consent of the holder of the personal data. Without consent, especially for sensitive information, sharing is allowed only for studies by research bodies, using anonymization whenever possible.
For public health research, the same is true. Research bodies may have access to personal databases, but only in secure environments and also including anonymization. Disclosure or sharing of these data with third parties is not permitted.
How was the LGPD Program designed to support the institutions of the RNP System?
The LGPD Program works on three fronts, offering methodological, consultative and educational support. The initiative aims to assist institutions in the actions necessary to comply with the law already in force, taking into account the characteristics of the organizations in the RNP System and also the fact that there are institutions in different stages of adaptation.
As methodological support, the RNP Method of adaptation to the LGPD - also known as the RNP Method - was developed by a multidisciplinary team of experts, based on the experience of adaptation of RNP itself, the pilot project conducted by RNP at the Federal University of Bahia and consultancies conducted by partner companies in some institutions of the RNP community. The method helps organizations to structure actions necessary for the LGPD to be fulfilled and brings elements related to the culture of privacy, preparation, data and risk mapping, implementation and adequacy, data security and protection and governance in privacy.
“The adaptation process is not trivial - meeting the various requirements of the Law requires a structured effort from the organization, and this is not done overnight. Therefore, it is essential that educational institutions recognize as soon as possible the importance not only of compliance with the Law itself, but mainly the importance of promoting a culture of privacy, protecting personal data and establishing a permanent privacy program. And it is to help with this issue that we are thinking about the LGPD Program and the RNP Method”, says Emilio Nakamura, Deputy Director of Cybersecurity at RNP.
On the 13th, the RNP Method was officially launched at the Webinar “Developing the Culture of Privacy in the RNP System”, with the director of the National Data Protection Authority (ANPD), Miriam Wimmer. We talked about the benefits of the methodology for the RNP System and we had the testimony of the IT Superintendent of the Federal University of Bahia, Luiz Claudio Mendonça. He described his experience in implementing the RNP Method pilot project at UFBA.
In addition to the methodology, RNP also offers consulting services, exclusive to institutions of the RNP System, and training to qualify professionals who need to learn more about the subject, through the Escola Superior de Redes.
Next event - SIG-LGPD@RNP. We invite the entire RNP System to participate!
SIG-LGPD@RNP is an initiative that is part of the set of actions of the LGPD Program. The forum includes virtual meetings with invited experts to share experiences and good practices related to privacy, personal data protection and the LGPD itself.
Tomorrow (October 1), the webinar “Call for the 2nd Cycle of SIG-LGPD@RNP” will be held at 3 p.m. In this webinar, those interested will have the opportunity to learn about the selection criteria, deadlines and other details for applying to join the second cycle of this forum. Institutions that participated in the first cycle are also invited.