One of the biggest challenges in a company's project to comply with personal data protection legislation is matching the processing of certain personal data to one of the legal bases available in the law. Depending on the country and, consequently, on its local law, there is not even the possibility of choosing a legal basis for matching, as occurs, for example, in the USA. This difficulty, however, affects both Brazil and most European countries.
As the Brazilian Data Protection Act (LGPD) has been in force for only 1 year and its penalties came into effect just over 30 days ago, the greatest examples of this difficulty in matching turn out to come from the old world. The number of penalties imposed by national data protection authorities in the respective European countries is impressive. They fall on companies that, according to those authorities, inadequately match the processing of such personal data and are therefore penalized for violating the law.
For this reason, the national data protection authority in the United Kingdom (Information Commissioner's Office - ICO) created an interactive online tool to help those seeking guidance in matching the processing of personal data to one of the legal bases provided for in the GDPR, the European data protection act, to which the United Kingdom was a signatory before its separation from the European Union.
In order to use this service free of charge, the user must access the website https://ico.org.uk/for-organisations/gdpr-resources/lawful-basis-interactive-guidance-tool/.
Upon entering, the user finds a preset questionnaire with the following questions:
After the answers are submitted, the tool presents, according to those answers, a justification for the legal basis or bases to which the user should match the processing of personal data. If the user has answered that they do not know, or something to that effect, the authority instructs them to identify what would be needed to validate their choice of legal basis.
In this way, the ICO guides the user through the 6 legal bases provided for in the GDPR for matching the processing of personal data. It is a simple but very useful initiative: while there are large corporations with ample resources to seek adequate advice that can show the way, there are many companies that do not have adequate resources and have great difficulty in trying to understand and apply the law. The ICO really deserves congratulations for the initiative.
Something similar could be done in Brazil, allowing for the differences between the two laws, since here we have 10 legal bases for matching the processing of common personal data, 8 legal bases for matching the processing of sensitive personal data, and also a separate form of matching for the processing of personal data of children and adolescents. In this last case, there is still controversy over whether it applies only to children or also to adolescents, since the lawmaker's wording on this point was unfortunate.