The relevance of governance and compliance has been the subject of debate in many forums around the world. These themes, which initially gained prominence with anti-corruption actions, have transformed, in recent years, into essential internal policies and instruments for enhancing the reputation of organizations.

Not by chance, the concept of "ESG" has come to translate, in financial language, the importance of investing in the environmental, social, and governance pillars. And compliance, which has a close relationship with governance, has come to encompass measures and campaigns aimed at ensuring the implementation of anti-corruption standards, the promotion of sustainability, compliance with data protection laws, and adherence to ethical and moral principles.

Privacy and data protection governance is a valuable initiative, backed by international standards, that demonstrates the effectiveness of efforts undertaken by the private sector in promoting awareness (education) and preventing security incidents. On the other hand, the sanctioning process – which is part of this same context – is a consequence of decisions made by data processing agents that result in non-compliance with legislation, possibly due to the absence (or insufficiency) of appropriate measures and actions. In fact, governance and sanctioning are elements that coexist and complement each other, with governance acting as an important factor in reducing the risk of penalties.

Governance and Legal Compliance

Governance and legal compliance regarding data protection, while still considered optional by some organizations, have already established themselves as market requirements. In the coming years, these practices are likely to become decisive in determining what will be economically and operationally viable. Thus, adopting governance and compliance policies not only meets current demands but will also be essential to ensure the sustainability and competitiveness of companies in the future.

In the context of data protection, in particular, governance develops in at least two distinct spheres: (i) in the legal-regulatory field, especially through the actions of the National Data Protection Authority (ANPD), which may adopt different approaches, such as regulations, guidelines, technical notes, and educational campaigns; and (ii) within the scope of the personal data processing agents themselves, either due to the influence of regulatory actions or pressure from the market and other stakeholders. These agents may implement governance measures voluntarily, as per Article 50 of the LGPD, as well as adhere to various international frameworks, such as ISO 37000 and ISO 37301 standards.

Governance as an asset

In fact, the ANPD, in conjunction with the LGPD, encourages good practices and privacy governance, since all published guides, as well as the inspection and sanction regulation (Resolution CD/ANPD No. 04/2023) – and others – make it clear that demonstrating good faith and implementing privacy governance and personal data protection measures will be considered as mitigating factors in cases of penalties. 

Recognizing the importance of market reputation and its associated financial impact, the ANPD (National Data Protection Authority) made it clear, both in the aforementioned regulation and in the sanctions it applied, that publicly exposing the offender as an unethical agent is a form of penalty. Governance and the implementation of best practices, along with the dissemination of concepts such as ESG (Environmental, Social, and Governance) and awareness of the importance and economic, competitive, and reputational advantages associated with data protection compliance, will play a fundamental role in the country's cultural adaptation and transformation process, moving towards a society that values ​​and preserves its privacy.

Adequate data protection is therefore a fundamental dimension of current compliance and stands out as a relevant corporate asset, contributing not only to regulatory compliance but also to strengthening companies' market position.