Risks
For any company, in all sectors, non-compliance with the LGPD entails numerous
problems such as fines, labor lawsuits, compensation to customers,
as well as loss of business to other companies that demand LGPD compliance. We highlight
some segments:
General Companies and Startups
Companies operating in both physical and digital environments, regardless of segment
and with varying levels of innovation and scale, all need an LGPD Implementation
Project.
Fines, lawsuits for damages, and loss of customers (especially B2B) are already a
reality for companies that are not in compliance with LGPD implementation.
Besides being a mandatory legal requirement, larger companies have started to demand
LGPD implementation from their suppliers and service providers.
Stay ahead of your competitors, generate a better reputation for your company, enable
investments, boost new business, and retain your current clients.
Education
By their very nature, companies in the education sector (elementary, high school, or higher
education) process the personal data of students. These can be children, teenagers, their
legal guardians, or even adult students. All precautions must be taken to protect personal
data, sensitive or not, especially since information leaks can cause direct damage and
compromise the educational institution's reputation.
The education sector deserves extra attention, especially in protecting information,
whether names, addresses, and student grades or biometric data (fingerprint, facial, or other),
in addition to observations made by teachers in the physical and/or virtual environment,
because the leakage and improper processing of this data can violate citizens' fundamental
rights and consequently bring great losses to the company.
Healthcare
Companies and professionals in the healthcare field (clinics, offices, laboratories,
hospitals, health and dental plans, suppliers in this area, etc.) process a great deal of
sensitive data, such as information about diseases and syndromes, as well as the respective
medical records and exams. This requires special protection under the LGPD.
Any incident with this information may pose serious risks to patients,
in addition to administrative and judicial sanctions for the companies involved.
Among the risks, one can highlight the compromise and unavailability of the company's
database caused by some vulnerability, virus, and/or cyberattack, which can make
patient care, medical procedures, and even emergency surgeries unfeasible, putting the
lives and health of patients at risk.
Financials and Fintechs
The adaptation of the financial sector for personal data protection involves not only the
LGPD but also all the Rules of the Central Bank of Brazil and the National Monetary
Council.
It involves everything from physical processes and procedures, customer service, display of
documents, and delivery of receipts, to the technological environment of confidentiality
and information security, which includes the innovations brought to this segment, such as
PIX instant payment and the implementation of open banking.
Non-compliance in any of these processes, as well as data breaches, security incidents, and
physical or cyber attacks, can result in fines of up to R$ 50,000,000.00 (fifty million reais)
by the ANPD, besides sanctions from other agencies such as PROCON and compensation in
lawsuits.
E-commerce
In addition to all the risks inherent to the internet and the consequent need to adapt to
the LGPD, the e-commerce sector has suffered especially with scams and fraud in payment
methods. Among the biggest problems for e-commerce players is the damage to their
reputation and trust among customers and internet users, and the consequent loss of
revenue.
Besides the financial damage to the business, an online store can face other sanctions
imposed by PROCONs and the ANPD, the possible blocking and loss of its database when it is
not secure, and fines, all of which harm the company's reputation in the market and cost it
partners and opportunities.
Others
Besides the risks inherent to any activity, some internal departments within companies
are more critical with regard to threats and vulnerabilities. Some of these
departments are:
Information Technology - IT
- Protecting the physical and virtual environment using firewalls, antivirus,
and updated software corresponds to only a part of information security
and preventive measures to comply with legislation.
- There must be monitoring of processes and procedures to prevent and
mitigate vulnerabilities and security incidents.
Human Resources - HR
- HR is a point of attention regarding the LGPD due to the large volume of
employee data. The department must adopt appropriate measures for processing
candidates' personal data, whether when receiving physical and electronic
resumes or even collecting information in the interviews it conducts.
- Controls and security measures must be adopted for the personal documents of
employees (CLT, interns, contractors, young apprentices, cooperative members),
both for the information and for the documents themselves (work card, RG, CPF, and the
information contained in registration forms and other documents).
Commercial / Sales
- One of the most critical areas of a company regarding data and the LGPD is the
commercial department, mainly because of how the personal data used in
negotiations is processed.
- Technical and administrative security measures are required for processing personal data
in buying and selling activities with customers and suppliers.
- The use of data via WhatsApp, telephone, e-mail, etc., without proper guidance and
training, can create risks of information leakage, leading to damages to data
subjects and client companies.
Marketing
- Is the collection of personal data in physical or digital media without the
authorization of the data subjects illegal? Perhaps not, but it needs to undergo
specialized analysis.
- And does processing data for marketing purposes, such as sending and targeting
unauthorized advertising, violate the LGPD? Such processing may also be permissible, provided
it is evaluated and validated by specialized consulting.
Customer Service
- The way the company maintains contact with its customers and/or leads, receiving
or making calls or sending messages (WhatsApp, e-mail, phone calls),
can be very critical regarding LGPD violations.
- To prevent penalties (fines, indemnities, complaints on social networks and
review sites, like Reclame Aqui), it is necessary to align processes and,
above all, train the customer service team.
Financial
- In the financial department, technical and administrative measures must be
adopted to ensure the security and confidentiality of payment methods for
customers and suppliers.
- Data can be exposed when verifying information from customers, suppliers,
and employees in order to make payments, since bank account numbers, branches,
and CPF are used, along with the storage of copies of these documents
and receipts when necessary.
Legal
- The legal department processes a lot of personal data, mostly because
internal opinions and/or the handling of Judicial and Administrative
Procedures involve access to a lot of information.
- The drafting and/or signing of documents (contracts, forms, terms,
policies) without a proper case-by-case assessment (copy and paste) of the
implications under the LGPD can bring severe consequences to the company.