One year after the approval of the GDPR, and with several control analysis and implementation projects carried out during this period, I have found some curious points that deserve attention in Brazilian companies.
They are:
1. Not starting now, thinking there is still a long time before the law comes into force or that the deadline will be extended
That's the most common excuse from companies that haven't done anything about the law yet. The most alarming thing is that they simply don't know what they need to do or what the impact will be on their business and operations.
2. Thinking that the law will not apply to your business or “will not stick”
That is excuse number two. Remember the law on the mandatory use of seat belts?
In the same way, during the adaptation period many did not use them because they thought it was not important in the city and that the "law would not stick". I have heard this in companies: "I do not work with personal data", "my business is small", among others.
The law makes no distinction (yet), so you need to prepare yourself, remembering that the law will bring revenue to the government and so it should be tightly enforced.
3. Starting work alone, without a multidisciplinary team and without support from top management
This is a problem we see among those who have already started: starting an initiative like this without the support of all areas of the organization, or even of senior management, will make you a lone knight on an endless crusade.
Start by bringing together all interested parties: the IT / IS, Risk, Compliance, Governance and Legal areas. Set up a multidisciplinary committee to assess the internal adjustments needed; depending on the company, there may even be changes to the business model.
4. Not using LGPD compliance as a business differentiator
As there may be profound changes in business areas, nothing is better for those who are already ahead (or already compliant with the law) than to use this as a differentiator against their competitors.
After several leaks and concerns about privacy, I believe that some businesses will be able to capitalize strongly on this with the general public (as happened with ISO certifications in the past).
5. Thinking you don't need external support for the implementation
An important point here: qualified information security professionals are scarce in Brazil today, and for a multidisciplinary subject like GDPR, having all the necessary professionals in-house (with time for a long new project) can be rare.
Bringing in qualified professionals who know what needs to be done and have experience can be quite a help, since the changes can be profound and, for many, “the household saint works no miracles”.
Plan, evaluate and start now. This is a unique opportunity to do the right things in Information Security, Compliance and Risk.
* Umberto Rosti is CEO of Safeway.