With less than a year remaining before Brazil's General Data Protection Law (referred to as the LGPD) takes effect, HR professionals should start preparing.
The LGPD—which regulates how companies, including employers, must process personal data such as employees' identification numbers—takes effect Aug. 15, 2020, except for the provisions giving authority to create the National Data Privacy Agency (ANPD), which took effect Dec. 28, 2018.
The ANPD, however, still isn't created. The government is optimistic that the directors will be chosen and vetted by the end of this year, but even if that occurs, it still won't leave much time for the agency to create the many regulations needed to implement the law. As a result, it's possible there will be delays in the law's implementation.
Nonetheless, HR should consider taking the following steps.
Create a Human Capital Team
Companies should build a team to help implement changes required by the law. The team should include HR professionals responsible for global and Brazilian workforce management, preferably with some experience in data privacy compliance. The law will apply to any organization—including foreign ones—collecting or transmitting personal data in Brazil.
Brazil's LGPD requires all companies to appoint an officer to be the "channel of communication" between the financial controller, the data subjects (e.g., employees) and the ANPD. One of the officer's main responsibilities is to guide employees and contractors on transmitting personal data. Therefore, the company should start assessing who should fill this role.
The ANPD may issue regulations about the definition and duties of such officers—including waiving the need to appoint one, depending on the nature and size of the company or on the volume of data handled. One of the proposed changes to the law was to waive this requirement for small companies, but the National Congress of Brazil left it for the ANPD to decide.
Train Key Stakeholders
It will take time and perseverance to educate and train workers not only on how to transmit and collect the data, but also on why the company is justified in collecting it.
Identify All Systems Used to Process Employees' Personal Data
Multinational companies often rely on cloud-based HR information systems to manage their workforces, including their Brazilian workforces. Often, such companies use a multinational vendor that in turn uses local subcontractors to provide payroll and HR services, without the company's headquarters knowing exactly what systems are in use or what information local vendors are collecting, processing and disclosing to third parties.
Because these systems maintain a large range and volume of data, HR professionals should focus their compliance efforts on mapping these systems.
Analyze the Type of Information Processed
The next step is to identify the type of data the company has collected and is processing, and to decide if that data is personal, sensitive or anonymous. Personal data relates to an identifiable person. Sensitive data reflects race or ethnicity; religious beliefs or membership; political opinions; union membership; philosophical or political organization membership; sexual lifestyle; or health, biometrics or genetic information.
Companies need to decide the legal basis for processing sensitive data. Legal bases identified by the LGPD include:
- Explicit and voluntary consent of the data subject.
- To comply with a law or regulation.
- To execute public policies or contracts.
- For research purposes, but anonymous data should be used whenever possible.
- To exercise a right in a judicial, administrative or arbitration process.
- To protect the life or health of the data subject or a third party.
- To protect financial credit.
Consent may seem the simplest legal basis for processing data, but, in fact, it should be used sparingly. Brazilian companies may want to seek consent for everything, but that practice can backfire. For example, in an employer-employee relationship, the employee may not be considered free to choose to consent because their refusal to consent may lead to retaliation. Thus, courts may deem an employee's consent invalid.
Dispose of Data No Longer Needed
The next logical step would be to get rid of unnecessary data. However, this could involve a lot of manual labor. It is also a difficult task, partly because there are no clear laws specifying retention periods. HR should consult legal counsel about disposing of data.
Pay Attention to ANPD Guidelines
Once the ANPD is created and it begins issuing guidelines, companies should focus on these next steps with legal counsel's help:
- Create policies ensuring that employees can exercise their data protection rights.
- Create data-processing notices for employees, contractors, interns and outsourced workers.
- Train and retrain employees on the security program.
- Establish disciplinary actions for employees who breach the security program.
Republished with permission of SHRM. © 2019 SHRM. All rights reserved.