Impact of GDPR on Shopping Malls

* Rodrigo Santiago

The General Data Protection Law, 13.709/18 aims to establish clear, unique and harmonious rules for the processing of personal data. The objective is to guarantee the user's right to privacy, because with the law this will be able to have a better control over the destination of their information.

In view of the rules and the scope of the law, several companies of the most varied types of service began to develop strategies to be in compliance and not suffer future sanctions. However, there are sectors and companies that face greater difficulties than others. The purpose of this article is to address how malls are impacted by the law and what strategies they can adopt to comply with its requirements.

Scope of LGPD

The law will cover any organization or company that carries out activities involving the processing of personal data in national territory or extraterritorially in cases of:

  • The data processing operation being carried out in national territory;
  • The purpose of using personal data to offer or provide consumer goods or services to customers located in the national territory;
  • Personal data have been collected in the national territory.

Definition of Personal Data

First, it is important to clearly understand how the LGPD defines personal data. In its article 5, the law categorizes the term into three types:

  1. Personal Data: Information related to an identified or identifiable natural person;
  2. Sensitive Personal Data: Personal data about racial or ethnic origin, religious belief, political opinion, affiliation to a union, organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data, when linked to a person Natural;
  3. Anonymized Data: Data related to the holder that cannot be identified, considering the use of reasonable and available technical means at the time of its treatment.

The state of shopping malls

Although the LGPD concerns all companies, each company will face a set of difficulties related to its area of operation.

One of the main difficulties we find when evaluating this type of business is the amount of personal data stored and used by Shopping Centers that are collected from multiple sources (for example, data from contractual partners, customer data from the website, but also from databases merchant data), as well as shared with a variety of partners such as merchants and service providers.

The key elements of the LGPD are the broad scope of data protection and the granting of more rights and control over individual data. Emphasis is placed on accountability, transparency and the documentation that must be maintained to demonstrate proper handling.

Probably the elements of greatest concern when evaluating the LGPD are sanctions such as a simple fine of up to 2% (two percent) of the revenue of a legal entity governed by private law, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited , in total, R$ 50,000,000.00 (fifty million reais) per infraction. Supervisory authorities (such as the National Authority for the Protection of Personal Data, the ANPD) have broad powers of investigation and correction, can carry out on-site audits and issue reprimands and orders to carry out specific remediation activities in the event of an incident of privacy. This alone makes compliance with the new privacy law an obligation for companies.

Customers are increasingly aware of the rights they have over their data and it will also be considerably easier for individuals to file claims for damages. Greater consumer awareness also means that demonstrating transparency and respect in the use of personal data will become essential to earning consumers' trust and retaining them as customers.

Therefore, privacy impact assessments should be carried out as a matter of routine within projects and initiatives that may expose individuals to increased privacy risks, thus ensuring the security of customer information.

Practices for fitness

In addition to paying attention to customer transparency as mentioned in the previous topic, shopping centers must make it clear to customers where data will be stored and ensure their protection. To mitigate the possibility of any data threat and ensure a secure storage environment, we recommend the following practices:

  • Ensure employee awareness of LGPD rules;
  • Ensure consent and data security of both customers and employees;
  • Review the privacy policy and other rules and procedures related to the processing of personal data, adapting them to the new rules;
  • Ensure within the organization the existence of a responsible group to ensure compliance with the LGPD;
  • Clearly and objectively define the roles and responsibilities of those who belong to the group;
  • Ensuring that all systems used within Shopping Malls comply with the LGPD.


Faced with this new scenario, it is up to shopping centers to study the best strategies to not only adapt to the law, but also remain in place. The relationship with the customer and transparency have never been more important for the continuity of their activities than they are now, there is no more room for generic justifications in privacy policies or notices, the customer will need to have confidence that their data will be well used and protected.

— Rodrigo Santiago is ISO 27001 Lead Auditor, GRC, Privacy and Information Security Consultant at [SAFEWAY]

How can we help?

THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services, the Cybersecurity Health Check whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, contemplating the pillars of Law SuitPeople and Technology.

through the Cybersecurity Health Check, risks associated with information security and privacy of internal processes and activities are identified, existing controls and new controls evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!