Information • 04/07/2025

DATA PROTECTION IN INDUSTRIES – PROTECTING DATA AND STRENGTHENING MANAGEMENT

The Brazilian Data Protection General Law (LGPD for its initials in Portuguese) has introduced significant changes for companies across all sectors in Brazil, including factories.

Jemima Sartori is a lawyer with extensive experience in preventive legal advisory services for companies. She holds degrees in Marketing and Law, an MBA in Planning and Strategic Management, and specializations in LGPD (the Brazilian Data Protection General Law) and Medical Law.

She assists business owners in understanding and implementing LGPD regulations in their businesses.

Contact: jemima@carducciadvocacia.com.br and social media @carducciadvocacia.


LGPD was created to protect the personal data of individuals, covering even the personal data processed by manufacturing companies, such as information on employees, contractors, and partners.

Here, I will clearly explain what LGPD is, the possible sanctions, why it applies to factories, and how these can comply with the Data Protection General Law.


WHAT IS LGPD AND WHAT DOES IT PROTECT?


The LGPD is a Brazilian regulation that governs the processing of personal data. But what exactly is personal data? Personal data refers to any information that can identify an individual, such as:

• Full name.

• CPF, RG (Brazilian identification documents).

• Email.

• Address.

• Banking information.

• Health data, biometrics, and religion – these are classified as “sensitive data.”

LGPD not only provides guidelines but also mandates that any company collecting, storing, or sharing such data must handle it responsibly, ensuring protection against leaks and misuse.


SANCTIONS, FINES, AND THE ROLE OF ANPD


The Brazilian National Data Protection Authority (ANPD for its initials, in Portuguese) is the body responsible for ensuring compliance with LGPD and guaranteeing that companies across all sectors, including factories, handle personal data securely. If the regulations are not followed, the penalties can be severe.

Administrative penalties are applied as follows:

1. Warning: The company is notified and given a deadline to correct irregularities.

2. Fines: These can reach up to 2% of the company’s annual gross revenue, limited to R$ 50 million per violation.

3. Publication of the infraction: The factory's infraction may be made public, potentially damaging its reputation.

4. Blocking of personal data: The company may be prohibited from using the data until the issue is resolved.

5. Deletion of personal data: In more severe cases, ANPD may require the deletion of collected data, disrupting internal business processes.

Beyond these sanctions, poor data management can lead to legal action from employees, contractors, or partners whose data has been improperly handled.


HOW DOES ANPD MONITOR AND ENFORCE COMPLIANCE?


ANPD conducts audits, investigations, and may request data protection impact reports from any company at any time. It also receives complaints from data subjects or other regulatory bodies, including judges. A company can even be penalized twice for the same violation – administratively and judicially.

When an infraction is identified, ANPD evaluates:

• The severity and extent of the damage caused.

• Whether the company was already in compliance with the law.

• Whether the company took measures to prevent or correct the issue.

• Recurrence of the violation.

For this reason, it is essential for factories to prepare to avoid any penalties. Maintaining best practices in data handling and documenting all processes can make a significant difference in case of an inspection.


WHY SHOULD FACTORIES BE CONCERNED ABOUT LGPD?


As mentioned earlier, factories handle a large amount of personal data daily, especially related to:

• Employees (registration forms, time records, medical exams, payroll).

• Contractors (contracts, access to internal areas, identification documents).

• Other companies (supplier contracts, shared data for service provision).

If these pieces of information are poorly managed, they can pose risks to both individuals and the company itself, leading to fines, reputational damage, and legal actions.

What was not an infraction before has become one today. A common example of poor data management in a factory is the improper storage of employee information. Imagine this scenario: the HR team keeps employee records – including name, ID, address, phone number, and medical exam results – in an unlocked cabinet accessible to anyone working in or passing through the administrative area. While this may seem normal in many companies, such practices can lead to serious consequences, such as:

• Unauthorized access: Employees without permission, visitors, or contractors may access confidential information.

• Data leaks: Personal data can be photographed or copied without the company’s knowledge, exposing employees to fraud or scams.

• Misuse of information: Personal data may be used inappropriately, both inside and outside the company environment.

These issues can result in labor complaints, reputational damage, and fines from the National Data Protection Authority (ANPD), as LGPD mandates that personal data must be handled securely and responsibly.


THE IMPACT OF LGPD ON THE CULTURE OF INTERNAL PROCESSES


Complying with LGPD requires changes in how companies handle information, from the moment it is collected to its storage and disposal. This includes:

• Creation of employee awareness.

• Adoption of clear processes.

• Review and modification of existing contracts.

• Use of secure technologies.


PRACTICAL SCHEME FOR COMPLIANCE WITH LGPD


Here’s an overview of how compliance is achieved:

1. Data mapping.

2. Risk classification.

3. Creation of internal policies.

4. Review of contracts.

5. Information security.

6. Incident response plan.

However, I must confess that in some practical cases, when I start the compliance process within a company, we begin with a meeting to appoint a data protection officer. It is during this meeting that I often reverse the order of compliance and start with the Review of Contracts, for example. The reason this often happens is that the company is already vulnerable, and compliance is being carried out in a critical scenario.


HOW TO START COMPLIANCE?


Complying with LGPD is a complex task, but the process becomes much simpler when it is well planned. The first step is to understand that compliance with the law, in addition to being a legal obligation, is also an opportunity to strengthen the organization, protect employees, and build stronger relationships with suppliers and partners.

To achieve this, consider the following steps:

1. Create an internal privacy committee: compliance with LGPD requires the involvement of different sectors of the company.

2. Conduct complete data mapping: for example, find out where employee data collected for payroll is being stored.

3. Identify and prioritize risks: after mapping, assess which areas present the highest risk of non-compliance with LGPD.

4. Define clear internal policies and rules: create or update internal documents, such as privacy policies and conduct manuals.

5. Review contracts and partnerships: ensure that all contracts include clauses requiring data protection and compliance with LGPD from those partners.

6. Implement secure technologies: it is not necessary to invest in expensive solutions right away, but some basic precautions can make a significant difference.

7. Provide regular training: creating policies is of no use if employees do not know how to apply them. Invest in periodic training so that everyone understands the importance of data protection and knows how to act daily to prevent leaks or misuse.

8. Have an incident response plan: even with all security measures in place, incidents can still happen. Be prepared to act quickly in case of a data breach.

Companies that proactively comply with LGPD not only avoid fines and sanctions but also gain the trust of their employees, partners, and the market. Demonstrating care for personal data creates a safer, more organized, and efficient work environment. Additionally, compliant companies tend to be more valued by major partners and suppliers who also need to ensure the security of their operations.

Remember: LGPD goes beyond legislation – it is an opportunity to modernize and strengthen business management. Starting today means avoiding problems tomorrow and building a solid foundation for responsible growth.