The Data Protection Agency of the National Consumer Defense Council, in partnership with the National Data Protection Authority (ANPD) and the National Consumer Secretariat (Senacon), published the “How to Protect Your Personal Data” guide, an excellent initiative to raise public awareness of the need to take care of one's personal data.
There is no way to start this article other than to remind those who took part in preparing this guide, and others that will probably be released involving ANPD, not to forget to add a date to the documents. This is essential: a guide reflects the legal scenario in force at the time it is written, and if the document is not updated frequently it can quickly become out of date. Without a date, the reader cannot tell when the guide was written or whether its content is still current; a publication or update date tells the reader exactly that.
Now onto the relevant aspects of the guide. It starts by introducing the General Data Protection Act (LGPD) and ANPD, and lists the risks a consumer faces when their personal data is processed unlawfully:
1. Monitoring of their behavior and restriction of fundamental rights of freedom;
3. Economic losses;
4. Restriction of access to goods and services;
5. Violation of intimacy;
6. Fraud affecting their identity.
The guide goes on to aptly define personal data as any “information related to an identified or identifiable natural person” and clarifies that this personal data belongs to a data subject, defined as any natural person to whom the processed data refers. Therefore, anyone can be a data subject, in any context.
Then, the guide explains who the processing agents are – those who collect, use, share or perform any other activity involving personal data, that is, the controller and the processor. It then clarifies who the Officer in charge (the Data Protection Officer) is and their role in facilitating communication between the processing agents, the data subjects and the ANPD.
Afterwards, the guide defines data processing as any operation performed on personal data, for example: production, retrieval, classification, use, access, reproduction, transmission, distribution, handling, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction. In addition, the processing of personal data requires compliance with one of the ten legal bases listed below:
1. when there is the consent of the personal data subject;
2. when the controller needs to process said data to fulfill a legal or regulatory obligation;
3. when the Federal Government carries out public policies or in the exercise of its institutional functions;
4. to carry out studies by a research body;
5. for the execution of a contract to which the data subject is a party, at the request of the data subject;
6. for the exercise of rights in a judicial, administrative or arbitration proceeding;
7. for the protection of life and physical safety of the data subject;
8. for the protection of health in procedures carried out by health professionals, health services or health authorities;
9. when necessary, to meet the legitimate interests of the controller or third party, except where fundamental rights and freedoms of the data subject that require the protection of personal data prevail; and
10. for credit protection.
Then, the guide explains that the processing of personal data must respect the principles of the LGPD:
1. purpose: the processing of personal data must have a specific, clear objective that is communicated to the data subject. Processing cannot be carried out for generic purposes;
2. necessity: only personal data strictly necessary to achieve the initially defined objective is to be processed;
3. adequacy: the processing of personal data must be consistent with the goal that motivated it;
4. transparency: the data subject must be clearly and adequately informed about the relevant aspects and characteristics of processing for their data;
5. free access: the data subject must have guaranteed access to their personal data, at any time, free of charge and through accessible means;
6. data quality: the personal data processed must be correct, accurate and up to date;
7. security: personal data must be protected by the physical and logical measures necessary to prevent unauthorized access;
8. prevention: whoever processes personal data must adopt measures to avoid processing that violates the LGPD;
9. non-discrimination: no processing may be carried out for discriminatory, unlawful or abusive purposes;
10. liability and accountability: the processing agent must guarantee and demonstrate, in a documented manner, that they have taken all necessary, effective and sufficient measures to carry out processing in line with the legislation.
After a very interesting question-and-answer section, the guide goes on to discuss the rights of data subjects, commenting on confirmation, free access, correction, anonymization, blocking, deletion, portability, elimination, withdrawal of consent, requesting information, review and requesting explanations.
It is after the section above that the guide offers very interesting suggestions for public and private organizations that process personal data:
1. Ensuring that all processing of personal data has a legal basis;
2. Keeping records of data processing operations;
3. Preparing an impact report on the protection of personal data when the processing could generate risks to the civil liberties and fundamental rights of the data subjects;
4. Designing secure systems that protect data from inception;
5. Informing the data subject and the ANPD of personal data security breaches that may cause relevant risk or damage, with appropriate containment or mitigation measures;
6. Informing the data subject if there is any change in the purpose for data collection;
7. Repairing damage caused by the processing of personal data, in violation of legislation;
8. Confirming the existence or providing access to personal data, upon request by the data subject;
9. Disclosing the types of data collected;
10. Describing the methodology used for data collection and sharing;
11. Describing the methodology used to ensure information security;
12. Permanently evaluating the adopted safeguards and risk mitigation mechanisms;
13. Indicating the Data Protection Officer and publicly disclosing their contact information;
14. Accepting complaints and communications, and providing clarifications to data subjects.
However, it is the next section that unravels the mystery in the title of the guide, showing what data subjects themselves can do to protect their personal data:
1. Creating backups of stored data, mainly using cloud storage;
2. Enabling encryption on disks and external media such as USB sticks;
3. Creating strong passwords, which contain a combination of special characters, uppercase and lowercase letters and numbers, avoiding using personal data or common words;
4. Enabling 2-step password verification when available, particularly in cloud storage systems and messaging apps;
5. Installing apps from official sources and stores only;
6. Always updating the operating system and applications;
7. Erasing stored data before disposing of equipment and media;
8. Distrusting links received by messaging apps;
9. Limiting the disclosure or provision of personal data on the internet, including to social networks or companies, to strictly necessary cases.
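Item 3 above is the one recommendation a reader can check mechanically. The following password checker is an added example written for this article, not code from the guide or from ANPD: it encodes the guide's criteria (uppercase and lowercase letters, digits, special characters, no common words, no personal data) and returns the list of criteria a candidate password fails. The minimum length of 12, the short list of common words and the sample personal data are assumptions constructed for the demonstration; the guide itself prescribes no length.

```python
"""Password checker based on the guide's item 3 (added example, not from the guide).

It reports every criterion a password fails, so the user learns what to change.
The minimum length and the common-word list are assumptions made for this example.
"""
import re
import string
from typing import Iterable, List

# Constructed sample of common words and passwords; a real deployment would use
# a much larger list (e.g. a breached-password corpus), which the guide does not specify.
COMMON_WORDS = {"password", "senha", "123456", "qwerty", "brasil", "admin", "welcome"}


def _tokens(text: str) -> List[str]:
    """Split a piece of personal data (name, birth date, ...) into lowercase
    tokens of at least three characters; short fragments like '12' would match
    almost anything and are ignored."""
    return re.findall(r"\w{3,}", text.lower())


def check_password(password: str,
                   personal_data: Iterable[str] = (),
                   min_length: int = 12) -> List[str]:
    """Return the list of guide criteria the password fails.

    An empty list means the password passes every check. `personal_data` is the
    user's own data (name, date of birth, ...) that must not appear in the password.
    """
    failures: List[str] = []

    # Length is an assumption of this example; the guide states no figure.
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")

    # Character-class mix required by the guide.
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")

    # Common words and personal data are checked as case-insensitive substrings,
    # so 'Password1!' and 'Maria1990!' are still rejected.
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            failures.append(f"contains common word '{word}'")
    for item in personal_data:
        for token in _tokens(item):
            if token in lowered:
                failures.append(f"contains personal data token '{token}'")

    return failures


if __name__ == "__main__":
    # Constructed sample personal data for a fictitious user.
    sample_personal_data = ["Maria Silva", "12/04/1990"]
    for candidate in ["Maria1990!xyz", "password1", "T7#vq!Lm9zRp"]:
        problems = check_password(candidate, sample_personal_data)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

The substring check against personal data is what distinguishes this from a plain character-class rule: a password can satisfy every character requirement and still be built from the user's name and birth year, which is exactly what the guide warns against.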
Finally, the guide explains that, in the event of a data leak or improper processing of the subject's personal data, the data subject should first contact the company, and contact ANPD if the company fails to resolve the matter. If the improper processing of personal data takes place in a consumer relationship, the data subject should use consumer.gov.br or go directly to one of the Procons (public consumer protection organizations) found throughout the country.