LGPD goes far beyond technology and processes: it’s about people

On any given Tuesday, still regretting the fact that I had woken up much earlier than usual, I found myself sitting in a waiting room anxiously awaiting the call to retrieve documents. Lost in thought, I hardly noticed that a man had approached and started a conversation with one of the attendants on duty. Chat comes, chat comes and you post the following comment:

Wow, but how crowded it is here!

I raised my head and saw that he was coming to me. By reflex, I responded empathically:

Is not it?! Hard…

Then came the speech of the attendant:

Ah, after the incident, it got crazy!

Under our watchful eyes she continued:

In fact, we still don’t have much idea what happened to our customer data, but it looks like the case was serious. We have a problem with our systems and this causes many operational difficulties. I don’t know if we’ll be able to restore everything, so we have to be patient.

I remained silent. You commented genuinely interested:

Oh yes? What happened? I didn’t know!

The panel beeped and a password flashed on the screen. You asked for permission, as it would be attended to.

(…)

On another occasion, I went to a clinic for a first appointment. The space was shared by two doctors of the same specialty. To facilitate the operation, each doctor had his own secretary and from the waiting room he watched as patients arrived and were attended to. Then I noticed that one of the secretaries was extending a term to the patients, demanding that they sign it. To patients who asked why, the secretary explained that it was a data security term and that, without the signature, “the doctor would not be able to protect the patient’s personal data”. In the 25 minutes that I remained in that room, I saw at least two patients refuse to sign or ask for further clarification, to the point where the secretary got up and had to knock on the doctor’s door.

(…)

I could tell you one more series of cases like these, as inspiration and experience abound, but I think I’ve already figured out where I’m going: it’s no use structuring a beautiful Privacy Program in your organization, implementing new policies and processes, if there isn’t one focus on the people who deal with the individuals (data holders) at the edge.

A word spoken out of context, misaligned with messages transmitted by other channels, or any demonstration of lack of preparation and lack of understanding of the aspects involved can jeopardize the organization’s meticulous efforts to comply with the law.

In general, the public knows organizations through the actions of the people who represent them. Therefore, care with personal data, which is essential after the General Data Protection Law (Law No. 13.709/2018, known by the acronym LGPD), will necessarily be measured by the quality of information provided by such representatives. Therefore, there is no longer any way to tolerate low internal levels of understanding and engagement in this regard.

The solution is just one: invest (always and continuously) in awareness.

The “how to do it” is something very particular to each organization, but the best practices point to relaxed and gamified dynamics, with simulations of real cases, in which the participants are protagonists and not mere spectators. If the intention is to truly impact, nothing better than transforming technical content into something simple and, why not, fun.

*****

Paulo Vidigal, columnist for TechWorld, is a partner at Prado Vidigal, specialized in Digital Law, Privacy and Data Protection, certified by the International Association of Privacy Professionals (CIPP/E), postgraduate in an MBA in Electronic Law from Escola Paulista de Direito, with an extension in Privacy and Data Protection from Mackenzie Presbyterian University and in Privacy by Design from Ryerson University.

Leave a Comment