LGPD: Insurtechs face challenges for technology sales and management
The General Data Protection Law (LGPD) came into force on September 18 this year, generating the need for adaptation by legal and physical persons using third party personal data. In addition to adapting computerized and electronic systems, one of the challenges is in the training and management of the teams that have access to the data.
First of all, it is necessary to understand that the new law determines that companies have to take responsibility for the security of the data and ensure that it will not be treated inappropriately, nor shared freely without the authorization of the owners of that information, depending on the case. The objective is to guarantee the privacy of citizens’ data, controlling from how they are collected to their distribution, archiving, classification, reproduction and modification.
For startups, companies that provide solutions for other companies, the challenge is even greater. In many cases, they deal with information that has been collected and is used by other companies, which are their customers. Although these data are not from their direct consumers, according to the LGPD, startups also have a responsibility to protect them, as do the corporations that are their customers. This requires strict alignment between the parties, which, of course, also involves the employees of the companies.
Even involving many processes, adapting to the LGPD is entirely possible. One company that is getting it right is Planetun, an insurtech that develops disruptive solutions for the insurance and automotive market. In addition to regulating its systems to the new rules, the startup is also conducting training and workshops for its employees and implementing responsibility under data protection as part of its culture.
According to lawyer Mariana Meirelles, from Start Comply, who is developing this adaptation process with the company, “training is essential because the greatest vulnerability in an LGPD implementation is the human being. Technological solutions respect the configuration ”. That is, once a programming change is made to the systems to safeguard the information, the standards will be respected. With people, the question is not so simple.
The importance of the law must be clearly communicated to company employees, as Planetun has been doing. Everyone must be made aware and trained in relation to the LGPD and one of the solutions is precisely the holding of workshops so that employees understand the new reality and the citizen’s right to the protection of their data.
Mariana explains that the company that does not comply with the new standards, in addition to suffering sanctions and financial losses, loses reputation and has its image damaged with suppliers, partners and customers. The employee who leaks some data, “is subject to administrative penalties, dismissal for cause and responsibility to the company. In addition to violating the internal code, it is also violating the LGPD ”, he explains.
Companies must still introduce the signature of confidentiality terms by employees in their routine, since, according to the LGPD, they are responsible for the behavior of employees in relation to data handling and can also be penalized in case of inappropriate sharing. “Employees need to be fully aware that they now have this obligation when dealing with data”, emphasizes the lawyer.
At Planetun the first step was to map who has access to the data, how and for what. Then came other issues, such as the implementation of individual logins and passwords with periodic changes; use of encrypted data; and recording of actions within the system, such as consultation and data exchange.
“In the case of startups, it is also important to inform customers about the entire process, which procedures are adopted, rules and deadlines,” says Mariana.
The body that will regulate compliance with the LGPD and enforce sanctions will be the National Data Protection Authority (ANPD), which is being structured, however, administrative penalties will only be applied as of August 2021. Despite this , the law is already in effect and those who do not comply with the provisions are already subject to legal proceedings and notices from the Public Ministry and Procons.