Brazilian boards struggle with data protection rules

Executives are familiar with the regulations but nearly half don't believe they are responsible for ensuring compliance, according to research.

Board members in Brazilian organizations are still struggling to get up to speed with the requirements set out in the data protection regulations as sanctions for non-compliance are enforced from this month by the National Data Protection Authority.

The findings emerged from a survey of 207 companies with executive or advisory boards, carried out in the first half of 2021 by Brazilian business school Fundação Dom Cabral (FDC) with the goal of analyzing board attitudes in relation to the General Data Protection Regulations (LGPD, in the Portuguese acronym).

According to the report, 40% of organizations polled said they would not be fully compliant with the rules by August 1, 2021. From that date, sanctions for non-compliance are applicable, and may range from warnings to daily fines of up to 50 million reais (US$ 9.6 million), in addition to a partial or total suspension of activities related to data processing.

Board members of 86% of companies surveyed claimed to be aware of the LGPD and its impact on business; however, only 46% see themselves as the main responsible party when it comes to implementation of the data protection measures.

"[Board members] must always be aware of their responsibility to establish policies and ensure that the organizations they manage comply with the new laws that impact them, as is the case with the LGPD. This is a task that cannot be delegated", said FDC professor Dalton Sardenberg, one of the academics leading the study.

Even though a significant percentage of companies said they are not prepared for the penalties brought by the LGPD, 82% of those surveyed said that compliance with the data protection regulations is one of their main priorities for 2021.

Some 66% of the companies polled have a Data Protection Officer (DPO) in place, the study noted, of which only 14% are solely dedicated to that function. According to the survey, 52% of the DPOs in place carry out duties relating to data protection alongside other functions, such as the role of chief information officer.

The percentage of companies with DPOs in place is higher within companies with executive boards (69%) than those with advisory boards only (51%), according to the FDC study. Some 82% of those polled said they thought that DPOs should report to the company's top leadership even though this is not a requirement in the Brazilian data protection regulation.

According to the study, only 13% of the companies interviewed have suffered a cyber attack. The research noted that companies that have already faced cybersecurity risks or some negative data protection impact are more likely to hire a dedicated DPO.

Companies that already have a dedicated DPO tend to be more interested in hiring consulting and support software, the study added. The report also found that companies with a board of directors tend to have a better perception and involvement in the actions to implement the measures for data protection compliance than companies that only have an advisory board.

According to the research, 48% of companies surveyed have a budget allocated to the area responsible for adapting to the data protection rules, while 57% of the organizations surveyed rely on, or plan to hire, a specialized external consultancy to handle the requirements.

Moreover, 61% of the companies surveyed believe that the data protection rules add value to companies and do not consider the regulations to be another bureaucratic obstacle created by lawmakers.

According to FDC professor Fernando Santiago, who also coordinated the study, the findings dispel a widespread belief that the Brazilian business community does not see value in data protection and that it only came to complicate everyday business dealings. "The survey reveals a scenario that is totally opposite to this discourse", he noted.

"Brazilian companies have shown that they have a degree of understanding about the growing importance of personal data in recent decades and that [handling it properly] is important and generates effective value for companies", Santiago added.