Digital Law and Data Protection
General Personal Data Protection Law
The General Law for the Protection of Personal Data (Law 13.709 of August 14, 2018), also known as LGPD, will come into force in August 2020. It submits personal data to the protection of the law, imposing on companies the need to adapt to a series of new principles and procedures for legally handling personal data and guaranteeing the rights of data subjects.
- Training for the qualification of supervisors and employees.
- Creation/review or audit of a comprehensive data protection compliance program.
- Mapping of Personal Data handled by the company.
Guidelines for adaptation to the LGPD
In an adaptation project to the LGPD, pay attention to the following points:
- Control of internal access to your company’s personal data. You should check who, internally, has access to your company’s personal data and what their respective privileges are (deletion, modification, insertion, etc.). Then compare the current situation with security best practices and make adjustments if necessary.
- Third-party management: subcontractors and business partners who have access to your company’s personal data. The list must be analyzed and the use of personal data verified, giving precise instructions on the subject where necessary, depending on the case.
- Your company’s information security must be strengthened. This means reviewing the existing infrastructure and making adjustments to minimize the risk of incidents that could cause damage to the holders of personal data and lead to compensation claims.
- The management of personal data transferred by other companies to yours. The activity of some companies consists wholly or partially of processing personal data transferred by other companies. It is necessary to take certain precautions and regulate the relationship so that your company is not held responsible in case of incidents.
- Compliance with the rights of the holders of personal data. Processes must be created to handle requests from holders exercising their rights. As of the entry into force of the LGPD, holders of personal data are entitled to know whether your company processes personal data about them, to access it, modify it, etc.
The General Law for the Protection of Personal Data and the Health Sector
The General Data Protection Law (LGPD) strongly impacts the healthcare sector. This is because, in addition to the impact common to all companies (data on employees, visitors, third-party shareholders, etc.), the core activity of companies in the health sector involves processing a high volume of data related to patients, consumers of medicines, clinical tests and diagnostics, etc. Such data are considered “sensitive” by the LGPD, which imposes a special legal regime for their processing.
- Training for the qualification of supervisors and employees.
- Advising on the harmonization of regulatory obligations in the health area with the LGPD.
- Mapping of Personal Data and qualification of Sensitive Personal Data processed by the company.
Challenges brought by the LGPD to the health sector
During a project to adapt a company in the health sector to the LGPD, the following points should be observed:
- Disposal of documents containing sensitive personal data. A disposal/retention policy must be implemented, observing the mandatory storage periods possibly imposed by specific laws.
- Sharing health-related data with third parties. The LGPD prohibits the sharing of sensitive personal data between controllers for the purpose of economic advantage. You must analyze the flows of personal data originating from your company and adjust them where necessary to avoid heavy sanctions.
- Control of internal access to your company’s personal data. You should check who, internally, has access to your company’s personal data and what their respective privileges are (deletion, modification, insertion, etc.), then compare the current situation with security best practices and make adjustments if necessary.
- Training the commercial and credit and collection teams is imperative. Since every customer of the company is potentially a patient, lack of staff awareness can lead to incidents with sensitive personal data that could be avoided through an adequate training process.
- Your company’s privacy policies must be prepared or revised in order to reconcile the interests and rights of the holders of personal data with the duty to protect sensitive personal data imposed on your company.
How we can help your business: