The LGPD (Brazilian General Data Protection Law) celebrated its anniversary last month. Seven years of changes, attempts at changes, or at least the appearance of change. For those who understood and prioritized themselves as holders of personal data (even if they assume the...). skin (Regarding legal entities at some point), the questioning, awareness, stance, and deliberations become visible. For others who perceive it merely as another legal obligation of their ventures, it has become an onerous burden with limited legal or technological solutions.
Companies that take responsibility for the personal data entrusted to them (whether as controller or processor) mature along with the evolving agenda, keeping pace with the ANPD (through its consultations, regulations, manuals, and recommendations) and communities of practice. But for those others, those that only appear to care or take responsibility, the news is good: there's still time to improve!
I currently see common situations in companies whose compliance with the LGPD (Brazilian General Data Protection Law) still leaves much to be desired, among which the well-known conflict of interest stands out (since it encompasses many instances). When analyzed from a privacy perspective, this conflict of interest manifests in different ways, such as functional subordination to a technical or operational area, biased leadership interests to the detriment of the issue, lack of team autonomy (DPO, analysts, and lawyers) due to the immediate management's lack of technical expertise, decisions not based on the company's best interests, distance and difficulty of access for the team to senior management, decision-making where prior analyses do not consider privacy and data protection, projects that don't become programs, DPOs who accumulate functions or want to do everything alone, and so on…
These companies continue to fail by not having a holistic vision, by not professionalizing their operations, and by not understanding the corporate ecosystem that supplies and is supplied by a privacy and data protection management system. And in this sense, nothing is more efficient and effective than self-assessment (or self-assessment), the comparison (or benchmarking...and necessity. Necessity is a unique motivation, just like creativity, as Henfil would say, a Doberman chasing after you. That's the... status quo Currently: the need for urgency.
And that's it, change with strategy, to make happen the healthy relationship of "contains" and "is contained" between the different areas of knowledge and organizational aspects considered, without subjugating or minimizing any of them. Incidentally, I am not including here cases where the relationship between "data volume, criticality of data elements, and potential risk to the data subject" is not satisfied.
