If you missed Part I, I suggest that you head back and read that first so this
doesn't sound like gibberish to you.
We know that we have the duty to be fully transparent with our site visitors regarding the data we collect on them when they visit our site and how we keep it secure, and to handle their requests relating to their data in a timely manner. Every privacy law has these requirements - but what exactly are the rights of our site visitors when it comes to LGPD? What requests can they make?
Under Lei Geral de Proteção de Dados (General Data Protection Law, or LGPD) our site visitors have the following "rights":
Right to access
Right to erasure
Right to correction
Right to confirmed processing
Right to data portability
Right to withdraw consent
And....what the hell does that actually mean?
Right to access and view all of the information you have collected on them
Right to erasure: Demand you erase all of the information you have collected on them (unless otherwise required by law)
Right to correction of the information you have collected on them
Right to confirmed processing: Be provided proof that you have used their data in the way that you state you do and nothing more, and have you anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
Right to data portability: The right to receive the data you have collected on them and reuse the data for their own purpose(s) across different platforms. This allows them to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure way without affecting its usability.
Right to withdraw consent from you using any of the data you have collected on them
LGPD doesn't state a timeframe in which you have to comply with one of these requests, but other laws like this, such as GDPR, state the request has to be completed within 30 (thirty) days (in some situations it can be extended up to 60 days). I VERY much suggest that you handle the request promptly and not exceed 30 (thirty) days.
The process for you may take a while to complete depending on the request and your capacity to address it - which obviously means waiting too long will only put you at more risk. Things like this, data security, are not things that can be put at the bottom of your to-do list, or even the middle of it for that matter.
LGPD does outline a timeframe in which you have to notify your site visitors of a data breach, which we will address in the coming parts.
I am going to give you some homework to do before the next Part is posted - we may not know, or may have simply forgotten, what third-party apps we have installed on our site to make it run the way we want it to, and therefore don't know exactly what information we are even collecting on our site visitors. I've had a lot of clients tell me they do not collect anything and after an audit of the third-party apps they've installed, they are actually collecting a llllllottt of information. We are responsible regardless of whether it's a "third-party" app.
Ignorance is not bliss with data protection laws. Well, and basically everything else in life...
Now - homework - take 10 minutes and look at all the third-party apps you have installed on your site. Screenshot the list, write them down, whatever you prefer. But you MUST know what you've installed. EVERY single teeny tiny app - even ones that simply collect emails to subscribe to your newsletter, or a contact form, etc. Everything. I will explain why even apps as insignificant as those are important in the next Part and what you need to do with the list.
See you then!
For more updates on LGPD, subscribe to Urban Consulting's compliance newsletter that comes out weekly just on LGPD. The newsletter only runs a few weeks when a new law is enacted to help you get ready and ensure you are compliant.
This is not legal or financial advice and does not constitute a client-consultant relationship between you and Montanna Washburn or Urban Consulting, LLC d/b/a Complianceology. The information in this post is true and accurate at the time published and is subject to change at any time. You are encouraged to conduct your own due diligence, schedule a consulting call with Montanna, or speak with your legal counsel.