There are some everyday situations with which most people can identify. For example, have you ever felt unsafe shopping on the internet and providing credit card details and addresses? Have you ever received calls from companies that know some of your personal data without you ever contacting them before? If so, were you concerned that they had access to your information?
These situations are common; yet they make us think about how our personal data is being used and how we can protect ourselves, especially considering that, until recently, it was very common in Brazil for companies to share their customers’ data improperly.
Fortunately, data security has become a priority not only on a personal level, but also on a global level. The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) was created to ensure the security of everyone’s data.
This law came into effect on September 18, 2020 and has as its main objective to allow people to become owners of their own data, able to understand the reasons why it is collected and, through this, decide whether or not they want companies to have access to their information.
As this law applies to any person or company that processes personal data, whether online or offline, fintechs could not be left out. The question, then, is: how are fintechs impacted by the LGPD and what do they have to do to adapt to this law?
Before answering that question, it is important to remember that, in the financial sector, there were already regulations in place that covered the protection of people’s financial data. We can cite the Bank Secrecy Law (Lei do Sigilo Bancário) and the Law on Crimes Against the Financial System (Lei de Crimes Contra o Sistema Financeiro), among others. That means that, at least when compared to other sectors, the financial sector was already somewhat prepared.
Even though finance is a sector with many regulations and laws that protect data, some adjustments will still be necessary to adapt it to the LGPD. In order for the financial sector to meet the legislation, it must adhere to its main requirement, the consent of the data subject for their information to be used, along with the principles cited in the LGPD:
- purpose: the collection of personal data solely for legitimate purposes, informed to the data subjects clearly and in advance;
- suitability: compatibility with the proposed purpose;
- necessity: only essential personal data should be kept and only until necessary. It should be deleted when it is no longer relevant;
- open access: subjects’ data must be readily available to them when it is requested;
- data quality: the data maintained must be clear, accurate, relevant and up-to-date;
- transparency: information given to data subjects must be clear and accurate;
- security: technical and administrative measures must be taken to ensure the security of data subjects’ information;
- prevention: safety measures should be adopted to prevent harm to the data subjects;
- non-discrimination: subjects’ data should under no circumstances be used for discriminatory, unlawful or abusive purposes;
- accountability: each fintech must ensure that it is fit to comply with the LGPD standard and must be able to account for any act that relates to the processing of its subjects’ data.
Based on these principles of the LGPD, we will detail three of them that are essential and that will ensure that a fintech processes its customers’ data in the best possible way.
One of the pillars of the LGPD is transparency, i.e. the guarantee to data subjects of clear, accurate and easily accessible information about data processing and the processing agents.
The new regulation also introduces the actors who will be part of this system. In Article V, we can read about the roles of controller and operator, who are, respectively, responsible for the decisions regarding the processing of personal data and for carrying out the processing of personal data on behalf of the controller.
Following the flow of transparency, we also see the figure of the Data Protection Officer (DPO), who is the person appointed by the controller and operator to analyze the entire data flow and act as a communication channel between the controller, the data subjects and the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD).
Generally, in fintechs, this team is very small and the DPO is one of the partners or the CEO themselves. Regardless of who it is, this appointment must be made as soon as possible to comply with the LGPD. In Article 41, § 1, we see that the DPO must have their identity and contact information publicly disclosed, clearly and objectively, preferably on the company’s website. This is very important, since this person will be directly involved with all those interested in data protection, especially the data subjects.
In practice, what is essential is that the institution acts so that data subjects can understand what data the organization holds, how it uses it, how it protects it and, in case of problems, to whom they can turn. For customers who are already part of the financial institution, this can be done by updating documents, such as reviewing the inventory of personal data and preparing a document that clarifies the purposes of personal data processing and the legal bases that justify them.
For new customers, the measures are similar: with each new registration and each new sale, the customer must already be informed about how the information is protected, whether and with whom it will be shared, whether there is international transfer, for what purposes it is processed and what rights data subjects have over their information.
Without a doubt, consent is one of the most important concepts of the LGPD. However, it is not necessary in all cases. We need to consider that some data processing is essential for compliance with the legal obligations of controllers, as is the case with fintechs, for example.
For them, there is a small exception to the rule, considering that personal and banking data are essential for the identification and security of their data subjects. Therefore, permission is considered implicit, since it is essential for the service. However, the company must assure its clients that their data will be used exclusively for providing the service, not in a careless or dangerous manner.
In addition, the other measures of the LGPD are still mandatory to fintechs, such as informing customers whenever there are updates regarding the use of their data, whether through a service they already use or a new service that the company is offering.
The important thing, according to the law, is that there is clarity in the message passed to the customer, and that it references previously determined purposes. The company is also forbidden to ask for consent for generic authorizations, which do not specify the reason for the processing of personal data.
Still following the letter of the law, in Article 9, paragraph 2, we see that “in the event that consent is required, if there are changes in the purpose for the processing of personal data not compatible with the original consent, the controller must inform the subject in advance about the changes in purpose, and the subject may revoke consent, if they disagree”.
This withdrawal of consent is part of the rights of the data subject, clearly expressed in the LGPD. Such rights receive a separate chapter in the law. Among them, there is also the option for data subjects to request the deletion of their personal data. This impacts the relationship that the company has with the data subject: does the right to one’s data supersede all the needs of the company?
Well, the law itself answers this question, in Article 16. It provides legal bases for companies to object to a subject’s request for deletion of their data, in order to, for example, “fulfill legal obligation”. Therefore, if the company needs the data for a specific purpose such as to defend itself in a judicial process or fulfill some obligation imposed by the Law, it may keep the data, even if the subject wants it to be deleted.
However, the company is not allowed to use this information for any purpose that is not supported by one of the legal bases provided for in the LGPD. In the end, although not all the wishes of data subjects can be satisfied, the crucial aspect of compliance with the LGPD is to always keep them informed of what is being done with their personal data.
Data processing agents must not only adopt the appropriate security measures for data protection, but be able to prove they are in place. In cases of incidents and other failures, this will be taken into account by the ANPD when defining the sanctions to be applied.
When it comes to the processing of personal data, security is a serious matter and the LGPD makes it clear that “processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of improper or unlawful treatment”.
In addition, the law determines a modus operandi in the event of any failure in this process. Article 48 indicates that the ANPD and the data subjects should be notified of the occurrence of a security incident that could entail a risk or material harm to the subjects. Such communication must be made within a reasonable time.
As the LGPD does not state this deadline, and the agency that will establish it (the ANPD) is still in the process of formation, a safer interpretation can be based on the European legislation on which the LGPD was modeled, the General Data Protection Regulation (GDPR). The GDPR defines a reasonable period as being, at most, 72 hours.
In order for the notification to the subject and the ANPD to be made in the clearest way possible, it must contain: a description of the nature of the personal data affected; the information about the subjects involved; the names of the appropriate technical and security measures used to protect the data; the risks related to the incident; the reasons for the delay, in cases where notification was not immediate; and the measures that have been or will be taken to reverse or mitigate the effects of the issue.
After assessing the severity of the incident in the data processing, the ANPD may impose the adoption of measures on the subject, in order to safeguard their rights, such as a wide disclosure of the fact in the media, for example, in large circulation newspapers; or sanctions to reverse and mitigate the effects of the incident.
In the judgment of the severity of the incident, there will be an evaluation of proof that adequate technical measures have been adopted to make the personal data affected unintelligible to third parties not authorized to access them, within the scope and technical limits of the company’s services.
The changes proposed by the LGPD are not so difficult to implement, especially if the company already values ethics in data processing. In short, it is the responsibility of the company to guarantee to the owner of the data that there will always be a request for explicit consent for the use of their data; explain to the customer that they have rights, including the right to choose to remove their information from the company’s database, except for situations in which there is a legal basis to retain such data; take responsibility for any data breach; notify the supervisory authority immediately; and, last but not least, have total control of the management of the flow of data.
Therefore, fintechs that already adopt data management, control and operation processes to ensure information traceability and data security should maintain such measures. Those that are just emerging must adapt as soon as possible, not only to the LGPD, but also to the many regulations already present in the market. In the end, those who win with the transparency and reliability of operations are not only the data holders, the subjects, but, above all, the companies that seek to succeed in the area by earning the trust of their customers.