The subject is popular: the General Personal Data Protection Law (LGPD) came into force in September this year. The new law aims to protect personal data, as well as the rights of freedom and privacy of the users who deposit their information daily in different digital and physical environments.
If LGPD is considered the most important change in relation to the privacy of the holders and the protection of the personal data, the impact is high for private and public companies, which need to comply. Education institutions are included as well! In this post, you can see what changes with the law, what the challenges and some essential steps to adapt are, as well as the sanctions for those who do not comply with the set of norms. And more: RNP has adopted the RNP Method internally and shares it with the partner institutions for the community to move towards compliance.
First, what kind of data is that?
Information, such as name, address, e-mail, telephone, sector where you work, registration of a student or an employee are some of the data considered personal.
In addition, there are some personal data considered sensitive: when, upon their exposure, there is a possibility of ethnic or racial discrimination due to religious or philosophical beliefs, political opinion, or genetic, biometric information or information related to the user´s health or sexual life.
What changes for the education and research institutions with LGPD?
Increase the security and solidity of data the collection and storage, and increase the transparency to the user are the goals of the new law. Thus, education and research institutions shall also pay attention to the adaptation actions which directly affect students, teachers, employees, suppliers and service providers in the way the different personal data flow.
In addition to making the purpose of the personal data collection clear according to the legal base, the institutions shall protect the data handled by them, because there is legal liability in case of a security incident, which results in loss of the students´ or the teachers ‘privacy. And as this personal data can be handled together with service providers, adjustments are necessary with them as well. Thus, the institutions shall preserve the students' privacy, from the selection process until the end of the course, through the enrollment.
In addition, the institutions shall pay attention to the sharing of personal data with other organizations, which can only be done upon the express consent by the students or the personal data holder. Without consent, according to art. 7, IV and art. 11, II, c), about handling of personal data, with remark for sensitive personal data, the education and research institutions are responsible sharing to be allowed only for studies of research bodies, whenever possible, using anonymization.
For performance of public health studies, based on art. 13, II, “the research bodies may have access to personal databases” in an exclusively secure and controlled environment, using a set of security controls which shall also include anonymization or pseudonymization of the data, without permission to disclose or share this data with third parties.
What are the steps to adapt?
Thinking of facilitating the partner institutions´ journey to adaptation, RNP shares the RNP Method, the result of a joint work between the organization itself and LGPD specialists within the legal and the information security areas. According to the method, some steps are fundamental for the adaptation, starting with diagnosis and following to an adaptation strategy.
It all starts with the mapping of the personal data handled by the institution and its flows. It is necessary to analyze the risks that can affect the privacy of this information, work with technologies and processes to protect it, and structure plans to respond to incidents. The documents of the organization, the already exist one and those to be created, shall follow the guidelines in the law.
The privacy culture has to be internalized within the organization. Therefore, qualify your teams on LGPD. In addition, be ready to provide clarifications and respond to the holders´ requests. They have the right to transparency and to forgetting their personal data. The information that proves compliance shall be described in a document called Data Protection Impact Report (RIPD).
What happens in case of non-compliance with LGDP?
For institutions and companies which are not in compliance with the law, as well as those that commit irregular practices, there are different forms of penalties. The organizations can receive warnings, fines with percentage up to 2% of the revenues, limited to R$ 50 million per infringement, and in more serious cases, prohibition to perform the activities.
Find out how RNP can contribute to the education institutions
Count on RNP at the time to adapt your institution and have efficient solutions to optimize this process. Download our exclusive e-Book to read more about LGPD and all steps of the RNP Method. Do you need specialized help? We offer methodological support, advisory services and qualification.