General Data Protection Law (LGPD): challenges and adequacy
By Leda Cavalcanti
Under Provisional Presidential Decree (Medida Provisória) 959, Brazil's General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) was to become effective on May 3, 2021. But on August 26, 2020, the Senate approved the law's immediate entry into force, and President Jair Bolsonaro sanctioned it on September 18, 2020. The law is therefore already in effect, although administrative sanctions will only be applied as of August 1, 2021; even before then, those who fail to comply with its obligations may be sued by users or pursued by consumer-defense bodies such as Procon. "It is highly recommended that companies prepare as soon as possible, in order to avoid losses", warns attorney Leonard Batista, a postgraduate of Universidade Presbiteriana Mackenzie and the Pontifical Catholic University of São Paulo, and partner at the firm Reigada Batista e Devisate Sociedade de Advogados, in this interview for Eletrolar News magazine.
How will this law affect retailers of all sizes, from the most traditional to those who run online stores?
Leonard Batista – The whole market has already concluded that knowing its customers is an important tool for improving service and for offering products in a more targeted way. In the connected world we live in, information is worth a lot. The LGPD did not come to change that; its objective is to prevent the misuse of this information. Retail is not prohibited from using consumer data. But all such information will be regulated as to its use, the company's responsibility when passing it on to its employees or to other companies, and the consumer's ability to know what information the organizations hold about him or her. The consumer can also ask to update, modify and even delete this information. We see, however, that many companies have not even started to prepare themselves to comply with the law, which is worrying. They should start adjusting as soon as possible, as the penalties can include heavy fines.
How should this be done? Will the cost impact activities?
LB – The suggestion is to seek specialized professionals who provide consultancy. To answer these questions properly, it is necessary to analyze the information the company uses, its volume, which employees handle or have access to it, what the company's current procedures are, what its level of security is, among other points. This diagnosis will allow the company to understand what needs to be changed and, consequently, what the investment will be. There is no single, standardized solution for everyone. Each case must be analyzed, as each company has different procedures and handles information differently. Some may already have such a high level of security that they only need to change procedures. Others may need to raise the security level of their servers and computers. It is advisable that everyone carry out at least one diagnosis to assess their situation and get a more adequate overview of their vulnerabilities. Then they can plan adjustments in a more productive, safe and economical way.
“Retail is not prohibited from using consumer data. But all the information will have regulations regarding its use, the company’s responsibility for passing it on to its employees or other companies, and the possibility for the consumer to know what information about him/her the organizations have.”
Surveys show that less than 20% of retailers are prepared for the changes. Will medium and small retailers be able to comply?
LB – In practice, every company, from the smallest to the largest, handles data from consumers, contractors and employees, and therefore must conform to the LGPD. But reality shows that medium and small retailers are trying to survive consecutive economic crises and now the Covid-19 pandemic, all of which hold back the growth of the market. Is the dilemma justified: paying the rent or implementing a firewall, paying taxes or contracting a website to provide a service channel? Not to mention that companies need to have a DPO (Data Protection Officer), a professional who will respond to customer requests, provide guidance on data handling, and serve as the point of contact with the ANPD (National Data Protection Authority). And yet such a company may receive a fine of up to 2% of its gross revenue for each breach of the LGPD. At first glance, it may seem that the cost of implementing the LGPD would be unfeasible for small and medium-sized retailers. However, there are economical solutions to suit them, mainly because they handle less information than a large company and, in general, the procedures are easier to implement.
The consumer must consent to the use of his or her data. How will this be carried out in retail?
LB – Yes, the consumer must consent for his or her data to be used. Thus, at each stage of consumer data collection, a document must be created that clearly informs the consumer how this information will be processed and used, and whether it will be made available to third parties. The consumer must also be given a means of contact, so that he or she may exercise the right to know what information the company keeps about him or her, in addition to the possibility of updating that information and even deleting it.
What benefits will the LGPD bring to retail?
LB – Today, we live in a globalized and connected world. Retailers have found that they can sell their products to anyone anywhere in the world via digital platforms. And Europe has great sales potential. The LGPD was implemented here because many countries can sever business relationships with places that do not have data protection regulations. Brazil was in that position, and that was the main motivation for implementing this legislation. So we gain a commercial advantage by keeping the doors open to international business and partnerships. This law also provides greater certainty about what the obligations of companies are. It is important to note that long before the LGPD, Brazil already had other laws dealing with the misuse of personal data. However, few know the content of those laws, and there was no specific regulation on data handling. The LGPD brings greater legal certainty, not to mention that leaked information can cause financial losses. A hacker can use consumer information to make purchases on the consumer's behalf, and the consumer who has been harmed almost always sues the retailer in court. In that case the business owner incurs the costs of the lawsuit and may be ordered to reimburse the amounts, thus bearing the loss. Information security is therefore of great interest to retail in general.
How will the law be enforced? Does the market have professionals for this purpose?
LB – The LGPD provides for the ANPD (National Data Protection Authority), which was recently structured by means of Decree 10.474/2020. The ANPD will be an administrative body with the function of overseeing, implementing and monitoring compliance with the LGPD. Thus, the ANPD will inspect and apply the sanctions provided for in the LGPD. This body will certainly allow consumers to bring complaints, and consumer protection bodies like Procon will also be able to send it official letters.
Will there be fines for companies that do not comply with the rules? How will they be applied?
LB – Much is said about the BRL 50 million fine. However, not just any infraction will reach that value. There are even penalties that do not involve payment in cash. The sanctions provided for are diverse, such as a warning, public communication of the infraction, blocking of the data and suspension of the data processing activity. To apply a sanction, an administrative procedure will be opened, during which the company will be able to defend itself and demonstrate that it complies with the law. The ANPD will investigate the reported fact, and the decision will always take into account the seriousness of the infraction; whether the company acted in good faith; the company's financial size; whether the case is a repeat infraction; whether the company cooperated with the investigation; whether the company applied corrective measures; and whether the company meets the requirements of the LGPD. These and other occasional criteria will be taken into consideration to determine whether the company should be penalized or not, which sanction will be applied, and, in the case of a fine, what its baseline amount will be. So it is clear that the better prepared the company is, the lower the penalties applied to it. On the other hand, if a company is reported and it has not implemented consent management, management of requests from data subjects, management of the data life cycle or anonymization techniques, and does not even have a DPO, then it will certainly receive heavier penalties.
“Companies, when adapting to the LGPD, will create a bond of trust with customers and employees. People are increasingly looking to buy products from responsible companies, and this adds value to the brand. The LGPD will divide the market into companies that are responsible for their customers' personal data and the rest.”
How can companies use information to their advantage, integrating service channels and offers?
LB – Companies already use personal information to offer products, and this practice has been carried out with increasing success and precision. Without a doubt, it is much easier to sell when you know your customers well. But, with the reality of the LGPD, the company must take care that personal information is not accessible to just anyone. Think about this: companies take great care of their customers' bank details. Well, it is as if personal information had been raised to the same degree of criticality. Not to mention that there is also sensitive data, meaning information related to ethnicity, race, religion, political positioning, health, sexual life, and genetic and biometric data. In such cases, there will be even more specific and rigorous treatment.
Thus, the integration or flow of personal information between departments must follow the standards established in the law, ranging from the consent of the data subject to anonymization, and it may be that certain information (sensitive data) should not even be used. Companies should certainly analyze this flow of information to make sure that the way the data is currently being used does not violate the law.
Do you consider the LGPD an evolution? Why?
LB – I understand that it is. We are all owners of our personal data; this is part of our privacy. We all have the right to know who is handling our information and whether it is safe. Companies, when adapting to the LGPD, will create a bond of trust with customers and employees. It will be an even more transparent relationship. Today, people are increasingly looking to buy products from responsible companies, and this adds value to the brand. The LGPD will divide the market into companies that are responsible for the personal data of their customers and the rest.
Source: Eletrolar News Magazine 138