
Analysis: What to expect from new Brazilian data protection rules for SMEs?

RIO DE JANEIRO, BRAZIL – Entrepreneurs are eagerly awaiting the new rules of the National Data Protection Authority (ANPD) on the processing of personal data by small and medium-sized enterprises, which are expected to simplify several obligations that currently apply to all companies regardless of their size.

In a smaller company, where staff and capital are limited, the focus is on the core business, so managing personal data handling becomes highly onerous: it requires ongoing management and specialized personnel that such a company rarely has.

HOW IT WORKS IN OTHER COUNTRIES

In European Union countries, where the corresponding personal data protection law (General Data Protection Regulation – GDPR) has been in force for longer and the debate is more mature, the legislation itself contains a specific provision for micro and small businesses.


In these countries, companies with fewer than 250 employees are not required to keep records of their personal data processing operations (GDPR, Art. 30(5)) unless the processing is likely to result in a risk to the rights and freedoms of data subjects; or the processing is not merely occasional; or it involves “special categories” of personal data (what the LGPD calls sensitive personal data) – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation – or data concerning criminal convictions and offenses.

In addition, the requirement to appoint a Data Protection Officer (DPO) applies only to public authorities and bodies (except courts acting in their judicial capacity) and to companies whose core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of sensitive personal data or data relating to criminal convictions and offenses (GDPR, Art. 37).

WHAT IS THE CURRENT SITUATION IN BRAZIL

In Brazil, the General Law on Personal Data Protection (LGPD) left it to the National Data Protection Authority (ANPD) to issue simplified and differentiated rules, guidelines, and procedures, including deadlines, applicable to micro-enterprises, small businesses, and startups (Art. 55-J, XVIII).

Along the same lines adopted in the European Union, one of the measures expected in Brazil is ANPD regulation of the cases in which a company is exempt from appointing the person in charge of personal data processing (the LGPD’s equivalent of the DPO).

The LGPD itself provides for this possibility (Art. 41, 3rd paragraph) by authorizing the ANPD to issue rules on the definition and duties of the person in charge, including cases in which the appointment may be waived, taking into account the nature and size of the entity or the volume of its data processing operations.

Thus, at least two important criteria should be considered when defining who is exempt from appointing a DPO:

The size of the company – and here it will be necessary to define which criterion applies, for instance whether it will be the same as in Complementary Law 123/2006, i.e. based on gross revenue.

The volume of data processing operations carried out by the company.

It is important to have both criteria, because even a small company, depending on its activity, may handle large volumes of personal data, including sensitive personal data (as in the case of a clinic). In such cases, where the risk of security incidents and the potential for harm to data subjects is greater, it is reasonable to still require the appointment of a DPO, regardless of the company’s size.

A second expectation for SME-specific regulation concerns data protection impact reports, the documents that describe personal data processing operations that may pose risks to civil liberties and fundamental rights, together with the measures adopted to mitigate those risks.

There is room to modulate the obligation to prepare impact reports, since the LGPD gives the ANPD the power to order a controller to prepare one (Art. 38) and establishes that the ANPD may request the report when the processing of personal data is based on legitimate interest (Art. 10, 3rd paragraph); the law does not itself impose a blanket duty on every company to produce one.

Thus, the ANPD is expected to set out clear criteria for when preparing these documents is mandatory, as well as a simplified report methodology that is accessible to companies of all sizes.

Therefore, it is important that SMEs stay well informed on the subject, to which we will return in a future article. Beyond the two expectations discussed here, there are several others that the ANPD should analyze carefully in order to adapt the legislation to the reality of the most diverse companies, without losing sight of the protection of data subjects’ rights.
