LGPD: Learn about the data protection law and how it works in digital marketing

The LGPD, General Data Protection Law, came into effect in September 2020, placing Brazil among the 120 countries with laws specifically aimed at protecting users' personal data.

Privacy and online security are discussed worldwide, so the adoption of such rules in the country is nothing new.

Furthermore, it is important to emphasize that the law dates from 2018: Law No. 13.709/2018 regulates the processing of personal data of users in the national territory.

It focuses on operations that involve the use of personal data, penalizing companies that do not follow its provisions.

Therefore everyone, from managers, marketing professionals and sales teams to the clients of a biometric access control company, for example, must be aware of the new law.

So, keep reading and understand all the details, as well as its direct impact on digital marketing and how to keep this strategy in full swing, respecting all current legal standards.

Get to know some of the important concepts

To understand the legal aspects, it is essential to know the terminology used, what each term means and what its scope is. With that in mind, we have selected some key points for understanding the LGPD:

Principles

The LGPD is based on ten principles that must be integrated into the business reality and complied with by the agents during the processing of data of each of the customers who hire the company for the installation of, for example, a biometric turnstile.

We use this example to draw attention to the need to identify which data is processed, as well as its purpose, which must be legitimate, explicit, specific and informed to the data subject. The principles are:

  1. Goal;
  2. Need;
  3. Adequacy;
  4. Free access;
  5. Transparency; 
  6. Quality;
  7. Safety;
  8. Prevention;
  9. Accountability;
  10. Non-Discrimination.

Thus, it is the responsibility of the company manager to ensure that the processing is adequate for its purposes and never has discriminatory, abusive or illegal purposes.

Treatment

The processing of personal data, subject to the Law, refers to all operations carried out with this information that involve an economic purpose, for example, the sale of a stainless steel cabinet.

In other words, it covers: reception, collection, production, access, use, classification, evaluation, processing, communication, reproduction, storage or archiving, modification, distribution, transmission or transfer, extraction or elimination.

Any of these actions related to information control is within the scope of the LGPD. Be aware that excessive and unnecessary processing is not well regarded.

However, it does not apply when the processing of data is done for private and non-economic purposes, as well as exclusively for journalistic or artistic purposes, for public or state security, and for criminal investigations.

Treatment agents

Another fundamental point to detail when implementing actions that ensure legal compliance, for a company specialized in industrial painting, for example, is the agents involved.

Everyone must be aware of their role, function and purpose in the processing of personal data. Furthermore, the LGPD designates four agents with different roles related to data processing. They are:

1 – Holder

In this case, it is an individual or legal entity that owns the data. 

2 – Controller

It is an individual or legal entity that collects data and decides on its treatment.

3 – Operator

It is an individual or legal entity that processes data under the supervision of the controller.

Controllers and operators alike must pay attention to the transparency of their operations, in addition to following preventive practices for data protection, such as encrypted systems.

4 – Supervisor

It is an individual appointed by the controller, who acts as a communication channel between all the agents involved, as well as the national authorities (ANPD), and provides guidance on data processing practices. 

This agent is responsible for implementing and monitoring compliance with the LGPD throughout the national territory.

Personal data

Any business, regardless of the sector, such as a capacitor bank factory, deals daily with personal data. Personal data is any category of information that makes it possible to identify a person, directly or indirectly.

As an example, we can mention the name, CPF, RG, telephone, home address, date and place of birth or the number of bank cards.

Sensitive data is also covered: data linked to a natural person that can subject them to or interfere with certain behavior, such as ethnic or racial origin, or political, philosophical or religious opinion.

Health-related data, such as biometric or genetic information, medical records, and even preferences and consumption habits, also apply.

In addition, data such as IP address and geolocation, for example, which make a person identifiable through the use of technical means, are part of the list.

Finally, information from legal entities or anonymized data, which cannot be associated with a natural person, is outside the scope of the LGPD.

Consent and legitimate interest

The Law provides for nine situations that make data processing lawful, but there are two main points directly linked to digital marketing, so we will focus on them.

Both consent and legitimate interest can only be expressed by the data subject: a person gives consent to the use of their data when they freely and explicitly accept the grant after being informed that they are providing such information.

That is, consumers actively choose whether or not to engage with a company that provides assembly of electrical panels, for example.

Legitimate interest, on the other hand, refers to the authorization for the company to use and process the holder's personal data in a manner and for purposes authorized by the LGPD and, in this case, only strictly necessary data can be processed.

It refers to activities of support, promotion, and/or provision of services that benefit the holder, according to the holder's expectations and the guarantee of their fundamental freedoms.

However, it is important to emphasize that both consent and legitimate interest can be revoked by express manifestation, at any time. 

In addition, the holder may demand access to, correction and updating of their data, as well as anonymization, blocking or deletion of unnecessary data.

Requesting data portability to another provider and obtaining information about which entities, public or private, had access to the data are also user rights.

Thus, the controller of your label distribution company, for example, must:

  • Strengthen transparency measures; 
  • Create risk mitigation measures; 
  • Maintain a data protection impact report; 
  • Create opt-out mechanisms.

Opt-out refers to the holder's option to exercise the right to object to remaining on a list such as email marketing or a newsletter. It is the opposite of opt-in, when the holder gives consent to receive the emails.

LGPD and Digital Marketing

The LGPD has direct implications for the marketing and sales sectors, as mentioned above, and some measures are needed to adapt these strategies to the new scenario.

This action should focus on more specific ways to gain leads. With the implementation of the LGPD, the quantity of leads is likely to decrease, but their quality tends to increase, as consent means engagement.

This could be the ideal moment for business managers, such as those in a company specialized in the manufacture of urban column hydrants, to reassess their strategies in order to add value for customers.

In fact, in an optimistic view, this legislation can be interpreted as strengthening Inbound Marketing itself, also called Attraction Marketing, reinforcing bonds of trust between brand and customer.

Within a strategy aimed at humanizing the brand and creating a close relationship with its audience, the legal pressure for transparency, minimizing the use of data and the need for explicit consent fits very well.

In this context, Content Marketing gains even more prominence, as a more assertive way to capture leads by offering the public an enriching and valuable experience.

How to apply the LGPD?

The first step is to know the reality of your business. We advise hiring a qualified professional for an internal mapping, especially for medium and large companies with a large data flow.

Furthermore, a fundamental initiative is adapting landing pages and other forms to guarantee the active consent of the user. The same goes for email marketing, sponsored ads and other actions that require personal data.

Final considerations

The application of the LGPD in your company must cover the entire process and all personnel involved in the processing of data, from recording operations and reviewing or drafting contracts to creating privacy notices and internal policies.

The company needs to be prepared to meet the requests of data subjects, according to their rights, and this involves training employees and security implementations, for example.

The processing of personal data requires care and ethics, and each company has its own dynamics and flow, so there is no general recipe that applies.

Compliance with the LGPD is an ongoing process and should involve good oversight by managers in order to avoid legal complications.