The General Law for the Protection of Data – LGPD (Law No. 13,709, of 8/14/2018), which came into force on September 18, 2020, deals with the systematization of the use of personal data at the national level, whether physically or electronically, and has brought significant impacts to the daily lives of companies and government agencies.
This topic, however, is not new, as it arises from the Federal Constitution itself, when it takes care to protect the fundamental rights to intimacy and privacy (art. 5, item X of the Federal Constitution), in addition to having already been addressed indirectly in various legislations, such as the Access to Information Law and the Consumer Protection Code, for example.
The advent of the LGPD places Brazil in the select group of nations that, in the face of the dizzying process of globalization, highlight the concern for personal data, providing, in a single regulation, general guidelines for the collection, processing and storage of personal data.
The LGPD's importance goes beyond the protection of personal data and privacy. It is also important for companies that, in some way, in the course of their activities and in exercising their constitutional right to free enterprise (art. 170 of the Federal Constitution of 1988), collect, process, or store personal data. In other words, the LGPD provides companies with legal certainty for carrying out their activities, based on the establishment of clear, specific guidelines and the definition of rights and obligations, in addition to the creation of a dedicated authority (National Data Protection Authority – ANPD).
Therefore, the first conclusion that can be reached is that the LGPD proposes to equalize rights and obligations between natural persons who hold personal data and the companies and/or governments that use them in some way in the exercise of their activities, balancing constitutional protections granted to both sides.
In this general context of changing business behavior to comply with the Law, it is safe to say that there are significant impacts for companies, especially for small and medium-sized companies. In addition to the costs involved, since, in most cases, it is necessary to hire specialized consultants on the subject, the adaptation itself, changes in internal processes, adoption of physical and cybersecurity measures, and the lack of awareness on the topic make the adaptation process even more difficult.
In fact, the entry into force of the LGPD brought concerns and doubts, since the topic centers on privacy and there was no culture of personal data protection in Brazil until then.
It's common to hear from business owners, especially small and medium-sized ones, and managers in general, questions about the overall aspects of the law. Questions like: What is the LGPD? What is personal data? Why protect it? How should I get started? What are the impacts if I don't adapt?
In my view, fortunately, this isn't the entire picture. Although there's a huge challenge ahead for society, businesses, and governments to promote the spread of a data protection culture and raise awareness of its value and importance, the Law was created to boost business, promote rationality and transparency in the handling of personal data, and indeed bring opportunities and competitive advantages for those companies that adapt.
Furthermore, personal data protection is likely to become a significant intangible business asset. In the information age, compliance with personal data protection regulations, maintaining transparent, informed, and free relationships (Article 6 of the LGPD), will be increasingly valued by society and, especially, by the market at all levels.
Given all this, it's natural for entrepreneurs to ask themselves: What now? What steps should I take to adapt my company? Where do I begin?
First, it's important not to waste time. Although the punitive sanctions provided for in the LGPD only come into effect on August 1, 2021, and these are hefty fines, potentially reaching fifty million reais, or 21% of the organization's annual revenue, the compliance process requires time and dedication. Even if there's no risk of administrative penalties for now, companies may be sued by customers, employees, suppliers, and regulatory agencies in general to compel compliance with the LGPD. Lawsuits over data subject requests that were not fulfilled, or were fulfilled inadequately, are also possible, as is liability for data leaks and misuse.
Following applicable best practices, it is possible to establish the following as the main steps in the process of adapting to the Law:
The starting point for a successful adaptation process is, without a doubt, the organization's “self-knowledge” through immersion in the company's operations to:
(a) Identify situations involving the processing of personal data, including mapping: the processes that involve the processing of personal data, which data and what types of data are processed, the lifecycle of this information, where and how the data is stored, for what purposes it is processed, the flows of this data, and who the people involved in the processing of personal data are;
(b) Prepare the Data Inventory, the company's Data Flow and the Record of Personal Data Processing Operations carried out by it;
(c) Identify the privacy obligations applicable to the company, as set out in the privacy regulations and legislation applicable to the business activity it carries out, and verify their level of adequacy based on the information obtained in the diagnosis;
(d) Identify the applicable legal bases, based on the mapping of personal data processing activities performed. The company must define the legal basis, among the ten provided for personal data (Art. 7 of the LGPD) and the eight for sensitive personal data (Art. 11), that authorizes each of the processing operations performed by the company;
(e) Assess Controls and Analyze Privacy and Security Risk. Companies must identify the privacy risks they face and the controls needed to mitigate them;
(f) Evaluate the company's main contractual instruments and identify possible needs for changes to comply with the LGPD.
Once the diagnostic phase is over and with a clear and sufficiently accurate view of the entire organization, it is necessary to identify which actions need to be taken to comply with the obligations set out in the LGPD, draw up a schedule for carrying out these actions, and define deadlines and those responsible for each of them:
(a) Start implementing the relevant actions;
(b) Designate a personal data protection officer (DPO), as applicable (this may be an internal or external person);
(c) Develop relevant policies and procedures such as:
Once the implementation of the necessary changes to the adaptation process is complete, the company must focus its efforts on monitoring the actions to ensure process improvement and promote continuous improvement.
Given all of the above, it is clear that compliance with the LGPD is more than a legal necessity; it is an opportunity and a competitive advantage in the market, one that can enhance the value of the business in the eyes of its audience and all of its commercial partners.
Furthermore, it's clear that compliance is a challenging process and requires the organization's undivided commitment, from the highest levels of management to all employees. Senior management's level of engagement in the compliance project is one of the key success factors, along with the promotion of knowledge to all employees through communication campaigns and training.
Therefore, this effort to change the culture around the importance of protecting privacy, personal data, and information security must be propagated from the highest management of the company, reaching all organizational levels.
For context, the Aço Cearense Group's LGPD compliance project, which began in October 2020, is currently completing the diagnostic phase and beginning the implementation phase. It is led by the Legal Department, with sponsorship from the Group's President and Vice Presidents, and involves a multidisciplinary team comprised of the Legal Department, the Information Technology and Human Resources departments, and technical support from the specialized consultancy Daryus.
By Maju Ferreira (Legal Director of the Aço Cearense Group). Graduated in Law from the University of Fortaleza (UNIFOR), with a postgraduate degree in Labor, Criminal, Civil and Tax Procedural Law from Christus College. She has 26 years of professional experience, practicing law and providing legal advice.