Brazil proposes adaptation of data protection rules for SMEs

The goal is to tweak the rules to make them "feasible" for smaller businesses, according to National Data Protection Authority.

Brazil's National Data Protection Authority (ANPD) is proposing an adaptation of the current data protection rules or small and medium businesses.

According to one of the directors at ANPD, Arthur Pereira Sabbat, the authority has received "several ideas" on the matter and is structuring a first draft of the rules, which will be discussed in a consultation to be launched in the next three weeks.

"The idea is to put something on the shoulders of small and medium enterprises (SMEs) that is feasible to them", said Sabbat, during a presentation at the E-Cyber Security Forum on Thursday (10), on the proposed rules, which would be specific for SMEs, startups and individual entrepreneurs.

According to Sabbat, oftentimes smaller businesses are diverting staff from commercial and other core functions to data protection duties, and that is not the ANPD's goal. The intention is, he said, to adapt the rules just so small and medium enterprises can comply with the General Data Protection Regulations at a minimal level.

A survey by Brazilian martech RD Station carried out with more than 1,100 SMEs from different segments, only 35% of Brazilian companies said they were prepared to meet the data protection requirements, against 65% who acknowledged that their businesses did not comply with the new regulations. The survey was carried out October 2020.

Some 48% of the SMEs polled said their biggest problem is around finding complete and objective information on the subject, while 20% mentioned the lack of access to tools to adapt their business to the requirements. Lack of technical knowledge of the legal team appeared in 13% of responses, while the lack of resources to adapt to the LGPD was the main reason for non-compliance for 8% of those polled.

When it comes to the main responsible for ensuring that the company complies with the requirements of the new law, 35% of SMEs surveyed said it was the owner of the business. Just over 20% said they had a dedicated person to the matter in the legal department, while the same percentage of companies that said no one was currently looking into the matter. Among those who invested, 5% said they had hired a third-party provider to handle the requirements and another 4% hired a person to handle data protection.

On the other hand, the vast majority of Brazilian SMEs view the data protection rules positively, according to the RD Station survey. For almost half of respondents (48%), the requirements will have a positive impact on business, while 24% said the impact will be "very positive". For 16% of those polled, the regulations are irrelevant to the business and 10% assessed the impact as negative.