Data Protection Officer (Encarregado) - Ed. 2020

How To Operationalize Privacy Compliance And Data Subject Requests?

Sabina Jausovec 1

1. Introduction

A robust privacy compliance function is strategically important for any organization where customer trust is a bedrock of its operations and its business success. Designing, implementing, maintaining, and maturing a privacy program in today’s global environment requires substantial effort, time, and resources by an organization. An organization’s privacy office typically must coordinate compliance across multiple business functions within its organization, while navigating complex technology landscapes and ever-changing regulatory environments. An organization’s privacy staff must have sufficient privacy expertise. Moreover, it must also be able to align privacy compliance activities to its organization’s business strategy, understand organizational culture and values, and be able to collaborate with many areas across the business to implement privacy controls.

Both the GDPR and the LGPD require a strategic approach to how an organization handles personal data and require organizations to be able to demonstrate their compliance (accountability principle). 2 Organizations subject to the LGPD can leverage the lessons learned by organizations that had to implement similar requirements under the GDPR. Organizations that must comply with these types of privacy laws should use their compliance function to their advantage. By strategically planning compliance and applying good privacy practices in line with the principle of organizational accountability, an organization will be able to leverage these practices in support of building stronger customer relationships based on trust.

This chapter will first provide a high-level overview of the applicable data subject rights under the GDPR and the LGPD. We will then discuss how setting up a privacy program based on the essential elements of organizational accountability can help an organization demonstrate its compliance with data subject rights. This chapter will also discuss practical considerations for implementing a privacy compliance workflow to fulfill data subject requests.

2. Data Subject Rights Under the GDPR and the LGPD

Both the GDPR and the LGPD require organizations to extend certain rights to data subjects over their personal data, including rights such as data access, rectification, deletion, and portability. The LGPD introduces new rights for Brazilian residents, with shorter deadlines for organizations to respond to and comply with data subject requests than the timeline available under the GDPR (15 days under the LGPD instead of the one month allowed under the GDPR). 3 These short timelines will be extremely challenging for organizations if processes are not well designed and implemented.

The GDPR establishes the following data subject rights:

1. The right to be informed 4

2. The right of access 5

3. The right to rectification 6

4. The right to erasure 7

5. The right to restriction of processing 8

6. The right to data portability 9

7. The right to object 10

8. Rights related to automated individual decision making 11

9. The right to withdraw consent 12

The LGPD establishes the following data subject rights:

1. The right to confirmation of the existence of the processing 13

2. The right of access 14

3. The right of correction (of incomplete, inaccurate, or outdated data) 15

4. The right of anonymization, blocking or elimination of unnecessary or excessive data, or of data processed in non-compliance with the provisions of the LGPD 16

5. The right to data portability 17

6. The right to delete personal data processed with the consent of the data subject 18

7. The right to information about the public and private entities with which the controller has shared data 19

8. The right to information about the possibility of denying consent and the consequences of such denial 20

9. The right to withdraw consent 21

10. The right not to be subject to discrimination for the exercise of rights 22

One critical area of operationalizing privacy compliance for an organization will be developing a sustainable process for efficiently fulfilling data subject requests. Because the LGPD introduces new rights for data subjects, it is imperative that organizations develop a sustainable process for responding to data subjects in a timely manner by the time the new law becomes applicable. An organization will not only need to meet the requirements of the new law; it will also need to be prepared to demonstrate compliance in the event of a consumer complaint or regulatory inquiry.

3. Designing and Maintaining a Privacy Compliance Program

There is no one-size-fits-all approach to developing an effective privacy program. However, there are certain general best-practice approaches that an organization can leverage when setting up its privacy program framework. Whether an organization already has a mature privacy program in place or is starting from the beginning, it must consider its business operations, organizational structure, culture, and values when designing the privacy compliance controls that will be implemented within its business operations. Operationalizing compliance and delivering the necessary governance, accountability, and control environment will enable an organization to protect and responsibly use the personal data of its customers and employees, while seizing the benefits of data-driven initiatives within the organization.

One challenge when implementing privacy controls is typically balancing privacy compliance requirements against the business needs and the burdens additional compliance steps can put on an organization’s business operations. However, an organization can minimize time to compliance if responsibilities for privacy are shared within the organization the right way. When considering how to most efficiently and effectively implement and operationalize privacy compliance, it is important to begin with the end in mind. Namely, understanding what …

15 August 2022
Available at: https://thomsonreuters.jusbrasil.com.br/doutrina/secao/1207548779/how-to-operationalize-privacy-compliance-and-data-subject-requests-data-protection-officer-encarregado-ed-2020