Often, when dealing with a Privacy Program, compliance with the General Data Protection Law (LGPD), or Information Security Governance (IS), "packages" of normative documents (such as Policies, Standards, Procedures, Instructions, and others) are offered, sold, or desired.
The fact is that standardization through these documents supports compliance with regulations, programs, and laws, from both a public and a private perspective. This support aids in initial and continued execution, not as an end in itself, but to achieve the same objectives proposed by such regulations, programs, and laws. However, I am struck by the frequency of the argument "to protect ourselves" that usually accompanies the indication of the need for these documents.
From the heyday of ISO 9001 to current integrity programs, appearing honest is important and reflects positively on image and credibility. But appearing honest is not enough when dealing with any type of compliance, whether voluntary or mandatory. And, again, I return to the people.

Guided by theory and strongly by practice in the area of "normative documents" and their use in organizations, I believe that people need to be included and sensitized, their processes thought out, adjusted, and mapped with a view to corporate information security and the protection of personal data. When professionals understand the purpose of their work in these contexts and the importance of record-keeping for the continuity of the activity and its constant improvement, we identify intellectual and practical honesty between what is done and what is said to be done, regardless of the existing documentary hierarchy.
A privacy and data protection policy will only be effective if it reflects the reality of the fair treatment of personal data and not a generic model. An information security management system will only be valid when it records the modus operandi. The focus should be on the program it refers to, not the program it aspires to be. Furthermore, regarding individuals, if their work activities are not directly linked to these guidelines, they need to be informed about the parameters that govern them and the regulated points that directly or indirectly affect their tasks.
The power of normative documents is directly linked to the reality of the practice they portray; in other words, the more accurate, the better. Identifying problems, implementing an action plan, and analyzing results highlight processes and proposals for improvement – and this cycle is very valuable! But, like the wife of Emperor Julius Caesar, in the corporate world it is necessary to be and appear honest, even if, initially, the truth hurts.