How growing data management requirements are boosting tech investments

Two years after Brazil’s general law for the protection of personal data (LGPD) took effect, enterprises – especially the biggest – are including the issue in their day-to-day operations.

“Over the past two years, we have witnessed the growing concern of enterprises with sanctions and reputation issues related to incidents involving personal data. Data privacy has become a topic at the top management level of companies, especially those where the processing of personal data is part of their business,” Leandro Bissoli, executive director of law firm Peck Advogados, told BNamericas.

Peck is one of the largest law firms in Brazil. It is also among the biggest specialized in data compliance and digital law.

Growing data management requirements stemming from increased automation, widespread cloud adoption and 5G are expected to take that to new heights, while opening up more business opportunities for software, law and consultancy companies.

According to a study by Bravo, a technology and consulting company specialized in ESG solutions, the global market for data protection solutions is set to exceed US$4bn by 2025.

Bravo, whose study included Brazilian companies, said this is due to the high cost of non-compliance that companies are facing.

The data protection-oriented mindset seen in big firms, however, has not yet spread to smaller companies. And while new data services are arriving at full speed, there is still much to be done in terms of legal compliance.

According to the Bravo study, around 40% of surveyed organizations reported a lack of data protection awareness and leadership internally. Another issue is the lack of budget mentioned by 38.1% of them, followed by the lack of clear definition of legislation aspects, cited by 36.1%. 

“Unfortunately, whether due to lack of resources or knowledge, many companies have yet to implement their privacy governance programs. They are possibly awaiting greater publicity of the fines and penalties by the National Authority for the Protection of Personal Data [ANPD],” said Bissoli.

ALSO READ: Why Brazil’s crypto framework matters 

ANPD

Subordinated to the presidency, ANPD is the control body overseeing protection of personal data and privacy and compliance with the LGPD. 

Following a period of inspection and adaptation to the law, the ANPD started last year to fine and penalize companies that do not comply with the legislation, albeit still tentatively.

At the end of November, Brazil’s senate voted to approve the reappointment of Miriam Wimmer as ANPD chief for a four-year term.

During her hearing in the senate, Wimmer listed four main challenges still to be faced by the ANPD.

The first refers to improvements in the interpretation and regulation of the legislation, which she deemed “crucial for the legal security of the country.”

Wimmer also said ANPD must be better coordinated with other public sector bodies, such as consumer protection agencies, as well as regulatory entities and public attorney offices.

She also highlighted the need for the agency to “act more effectively” in the application of administrative sanctions and fines.

Finally, Wimmer noted that there are still regulations pending for international transfers of personal data. This, according to the official, is essential for the insertion of Brazilian companies in transnational data flows.

“I understand that strengthening the ANPD is a crucial project for the future of the country,” she told lawmakers.

Echoing Wimmer, Peck’s Bissoli said the chief challenge related to the LGPD does not refer to any adjustments or improvements in the legislation, but rather to “complementary themes that require regulation by the authority.”

Many companies have also been collecting and storing more personal data than they should for their business activities, keeping it indefinitely in their systems.

“This business practice, in addition to increasing storage costs, can increase impacts in the event of data leakage," said André Cilurzo, head of data privacy at software firm Protiviti, in a statement.  

“It is like a nuclear power plant storing more uranium than necessary for energy generation. In the event of an accident, the impacts are much greater,” he added.

In addition to the potential impacts of a leak, many companies are storing personal data without a specific purpose and justification, increasing the likelihood of its use for unspecified cases and its exposure to regulatory bodies, said Cilurzo.

The specific purpose of data collection is one of the requirements of the LGPD.

Last month, the ANPD published its regulatory agenda for the next two years, with 20 items that should be addressed in the period. 

Among the topics are dosimetry regulation (the size and reach of fines) and their application; international data transfers; data sharing by the public sector; and aspects related to biometrics, facial recognition and artificial intelligence.

The agenda can be seen here.

SENSE OF URGENCY

The fact is that the need to adapt and comply to the LGPD, together with the development of the digital ecosystem around 5G, with the rise of different cloud, automation and edge computing projects, has given enterprises a whole new sense of urgency about the topic.

“We see growing demand from our customers for technical, legal and risk analysis when implementing these new technologies in their processes,” Bissoli told BNamericas.

“We have ongoing projects related to 5G, artificial intelligence, facial biometrics, metaverse, tokenization of assets and digitization of corporate processes.”

From a solutions provider’s perspective, in addition to knowing the legislation that applies to each project, the digital law professional will have to be much more up-to-date about these new technologies, as well as which and how security controls can be implemented to mitigate risks in client projects, added the lawyer.

“Finally, we cannot lose sight of the exponential growth of fraud in the digital ecosystem. And this must be taken into account in any project assessment,” Bissoli said.