
LGPD: ensuring data protection compliance

Invitations to various types of ceremonies contain essential information for those attending: date, time, venue and a few other details. Some invitations also include an extra item: the outfit. Without the appropriate, agreed and requested attire, the guest will not be able to take part in the ceremony. This is fundamentally the nature of what we call “conformity”, or “compliance” as it is called in corporate language. You have to meet the conditions set by a rule, an order or even a law in order not to suffer a penalty. Many IT managers became familiar with “compliance” when the LGPD, our General Personal Data Protection Law, came into force in Brazil.

Lack of compliance can cost companies dearly. In this context, compliance means following the law’s guidelines for collecting, using and storing personal data, meaning any data that can be linked to an identified or identifiable individual. The law also introduced protection for sensitive data, which relates to the most intimate aspects of an individual’s personality: racial or ethnic origin, religious conviction, political opinion, genetic data and even biometric data, for example.

Data is the new wealth

In this digital age, personal data and metadata about human activities represent raw material and wealth not only for marketing companies but also for cybercriminals. Until this law came into force, collecting, using and storing personal data did not require compliance with any rules in Brazil. From the beginning of the 2010s, it was clear that this was an issue that required immediate attention and care. The most notable initiative came from the European Union, which in 2018 brought into force the General Data Protection Regulation, its data protection law. Because of this, Brazil and other countries ended up speeding up the preparation of their laws.

In previous years, Brazilian companies from any economic sector were able to collect, use and store personal data without any great care. But cybercrime threat actors have shown that this needs to change. Hundreds of server intrusions and data leaks on the dark web showed that there was a lack of security in all three activities. Many individuals have had their data used to open bank accounts, companies and other types of registration. Victims have been compromised with fake loans, purchases they never made and other types of fraud.

Even without official statistics on the subject, Brazil always appears in studies on cyber attacks and leaks, which indicates the degree of risk to which all companies are subject, not just those that handle personal data. Until the LGPD came into force, a cyber attack with data leaks could, of course, end up in court at the request of a victim. But no law obliged companies to protect themselves from these attacks or to protect their data, and there was no penalty for those who didn’t. The LGPD has changed all of that.

Law 13.709: General Personal Data Protection Law. Source: IBGP Forum. Law No. 13,709/2018.

Data hijacking

During 2019, Brazilian security researchers observed many data thefts that went unreported. In their opinion, this could indicate that criminals were storing this data in order to blackmail companies after the law came into force the following year, betting that companies would prefer to pay the crooks rather than the hefty fine from the regulator, the National Data Protection Agency. Although there were no facts to prove this hypothesis, it was quite feasible. For companies that violate the LGPD, fines can be simple (a one-off amount) or daily, in which case a fixed amount is applied for each day that the infraction persists. These fines can reach up to 2% of the turnover of the economic group to which the company belongs, up to a maximum of R$50 million.

The threat of these penalties and the risk of reputational loss from incidents and leaks has made it urgent for Brazilian companies to reach maturity in cyber security. Reaching maturity doesn’t mean acquiring a service or installing a process. It is a journey with a goal that must first be achieved and then maintained, and along the way companies need to adopt various strategies, ranging from training employees to creating and establishing robust privacy policies.

Maturity in large and medium-sized companies

To accomplish this, large and medium-sized companies invest time, money and other resources. One of the reasons for this is that their legal departments have alerted management, boards and information technology teams to the risks of not adopting the measures needed to achieve compliance with the law. Although many people don’t know it, achieving compliance with the LGPD doesn’t mean creating bulletproof data security, not least because there is no such thing as 100% security for anything. However, by achieving compliance, the company will finally be able to demonstrate that it has done all it can to protect the personal and sensitive data it holds.

