THE LGPD, General Data Protection Law, came into force in September 2020, placing Brazil among the 120 countries with laws specifically aimed at protecting users' personal data.
Discussions about privacy and online security are global issues, so their implementation in the country is nothing new.
Furthermore, it is important to emphasize that the project is from 2018, comprising Law number 13.709/2018, which regulates the processing of personal data of users in the national territory.
It focuses on the operation of operations that involve the use of personal data, penalizing companies that do not follow its determinations.
In this way, from managers, marketing professionals, sales staff, to customers, of a company of biometric access control, for example, must be aware of the new law.
So, keep reading and understand all the details, as well as its direct impact on digital marketing and how to keep this strategy in full swing, respecting all current legal standards.
Get to know some of the important concepts
In order to understand legal aspects, it is essential to be aware of the terminologies used, what they are about and what is the scope. Well, thinking about it, we separated some key points for understanding the LGPD:
Principles
LGPD is based on ten principles that must be integrated into the reality of the business and complied with by the agents when processing the data of each of the customers who hire the company for the installation of, for example, a biometric turnstile.
We use this example to draw attention to the need for the demand to identify which data is processed, as well as its purpose, which must be legitimate, explicit, specific and informed to the data subject. The principles are:
- Goal;
- Need;
- Adequacy;
- Free access;
- Transparency;
- Quality;
- Safety;
- Prevention;
- Accountability;
- Non-Discrimination.
Thus, it is the responsibility of the company manager to ensure that the treatments are adequate for the purposes, never having discriminatory, abusive or illegal purposes.
Treatment
The processing of personal data, object of the Law, refers to all operations carried out with this information, involving an economic purpose, for example, the sale of stainless steel cabinet.
In other words, they are part of: reception, collection, production, access, use, classification, evaluation, processing, communication, reproduction, storage or archiving, modification, distribution, transmission or transfer, extraction or elimination.
Any of these actions related to information control is within the scope of the LGPD. Be aware that excessive and unnecessary treatments are not well regarded.
However, it does not apply when the processing of data is done for private and non-economic purposes, as well as exclusively for journalistic or artistic purposes, for public or state security, and for criminal investigations.
treatment agents
Another key point to be detailed for the implementation of actions that ensure legal compliance for a company specialized in industrial painting, for example, are the agents involved.
Everyone must be aware of their role, function and purpose in the processing of personal data. Furthermore, the LGPD designates four agents, with different roles related to data processing, they are:
1 - Holder
In this case, it is an individual or legal entity that owns the data.
2 - Controller
It is an individual or legal entity that collects data and decides on its treatment.
3 – Operator
It is an individual or legal entity that processes and processes data under the supervision of the controller.
Even controllers and operators must be aware of the transparency of their operations, in addition to following preventive practices for data protection, such as encrypted systems.
4 – Supervisor
It is an individual appointed by the controller, who acts as a communication channel between all the agents involved, as well as the national authorities (ANPD), and provides guidance on data processing practices.
This agent is responsible for implementing and monitoring compliance with the LGPD throughout the national territory.
Personal data
Any business, regardless of the sector, such as a factory capacitor bank, handles personal data daily. Since personal data is any category of information that makes it possible to identify a person, directly or indirectly.
As an example, we can mention the name, CPF, RG, telephone, home address, date and place of birth or the number of bank cards.
Sensitive data are also considered, those linked to a natural person, and that can subject or interfere with certain behavior, such as ethnic or racial origin, political, philosophical or religious opinion.
Health-related data, such as biometric or genetic information, medical records, and even preferences and consumption habits, also apply.
In addition, data such as IP address and geolocation, for example, which make a person identifiable through the use of technical means, are part of the list.
Finally, information from legal entities or anonymized data, which cannot be associated with a natural person, is outside the scope of the LGPD.
Consent and legitimate interest
The Law provides for nine situations that make data processing lawful, but there are two main points directly linked to digital marketing, so we will focus on them.
Both consent and legitimate interest can only be expressed by the data subject ー a person gives consent to the use of their data when they freely and explicitly accept the grant after being informed that they are providing such information.
That is, consumers actively choose to engage or not with a company that provides assembly of electrical panels, for example.
The legitimate interest, on the other hand, refers to the authorization for the company to use and treat your personal data in a manner and for purposes authorized by the LGPD and, in this case, only strictly necessary data can be processed.
It refers to activities of support, promotion, and/or provision of services that benefit it, according to the holder's expectations and the guarantee of his fundamental freedoms.
However, it is important to emphasize that both consent and legitimate interest can be revoked by express manifestation, at any time.
In addition, the holder may demand access, correction and updating of their data, as well as anonymity, blocking or deletion of unnecessary data.
The request for data portability to another provider and information about which entities, public or private, had access to the data, are also user rights.
Thus, the controller of your company distributing self-adhesive labels, for example, should be responsible for:
- Strengthen transparency measures;
- Create risk mitigation measures;
- Maintain data protection impact report;
- Create opt-out mechanisms.
Opt-out refers to the holder's option to exercise the right to object to continuing on a listing such as email marketing or a newsletter. It is the opposite of opt-in, when the owner gives consent to receive the emails.
LGPD and Digital Marketing
The LGPD has direct implications for the marketing and sales sectors, as mentioned above, and some measures are needed to adapt these strategies to the new scenario.
This action should focus on more specific ways to gain leads. With the implementation of the LGPD, the quantity of leads is likely to decrease, but their quality tends to increase, as consent means engagement.
This can be an ideal time for managers of a business, such as a company that specializes in manufacturing column fire hydrant urban, review their strategies in order to add value to customers.
In fact, in an optimistic view, this legislation can be interpreted as strengthening Inbound Marketing itself, the Attraction Marketing, reinforcing bonds of trust between brand and customer.
Within a strategy aimed at humanizing the brand and creating a close relationship with its audience, the legal pressure for transparency, minimizing the use of data and the need for explicit consent fits very well.
In this context, Content Marketing gains even more prominence, as a more assertive way to capture leads by offering the public an enriching and valuable experience.
How to apply the LGPD?
The first step is to know the reality of your business. We advise hiring a qualified professional for an internal mapping, especially for medium and large companies with large data flow.
Furthermore, a fundamental initiative is the adequacy of Landing Pages and other forms, to guarantee the active consent of the user. The same thing goes for email marketing, sponsored ads and other actions that require personal data.
Final considerations
The application of the LGPD in your company must comprise the entire process and personnel involved with the processing of data, from recording operations, reviewing or drafting contracts, creating privacy notices and internal policies.
The company needs to be prepared to meet the requests of data subjects, according to their rights, and this involves training employees and security implementations, for example.
The processing of personal data requires care and ethics, and each company has its own dynamics and flow, so that there is no general recipe that applies.
Compliance with the LGPD is an ongoing process and should involve good oversight by managers in order to avoid legal complications.