Data Protection Law and the culture change in the laboral routines of companies: the use of the data protection theme as a strategic tool


Despite being clear that Brazil’s Data Protection Law (”LGPD”) applies to employment relationships, it is not usual to discuss the practical conduct that should already have been adopted by Brazilian companies in order to be compliant with the legislation from a labor standpoint. The lack of attention to such internal compliance can be harmful, not only from a data protection point of view, but also from a strategic business development point of view.

In the last few years, and as a result of the LGPD, Brazilian companies of different types, profiles and sizes have mobilized to implement their “LGPD Adequacy Plan”. With common characteristcs, the basic structrue of this plan, in Brazil, have included, essentialy, measures to publicize the company's data protection rules and policies and to inform customers how the company intends to deal with the new legislation. In this sense, documents such as the Privacy Policy, Whistleblower Channel disclosure and Procedures for exclusion, rectification and/or anonymization of the personal data were adopted in a large scale.

However, such measures are intended to cover only part of the issues embedded in the LGPD, more focused on Consumer Law than any other branch of law. Therefore, this “external look” prevents the company from identifying the needs of its internal work environment.

Looking at the work environment is what allows the so-called internal adaptation of companies to the LGPD. This adaption, which is entirely related to Brazil’s Laboral Law, occurs when the focus of the project is based on the company's laboral routines that involve the collection, processing and use of employees’ personal data. This occurs since the job interview until the moment of a contractual rupture. For example: the collection of CVs; the collection of documents for the employee’s admission; the formalization of the employment contract; the collection of sensitive health data, among others. For each one of these moments (the routines) there will be steps and procedures that must be complied from a data protection legislation standpoint.

Therefore, compliance with LGDP can and should be used by executives (employers) to promote an effective and strategic culture change in the company. That means that the LGPD Adequacy Plan can serve as a tool for the implementation of modern projects that can transform the company's work environment into an environment not only in compliance with the law, but also innovative and welcoming for the employees.

The approach and dissemination of new policies and procedures to employees, even with the initial focus on the data protection theme, makes employees feel included in the context of the company and allows to also adress themes such as sustainability, diversity and inclusion and others that, in addition to fulfilling a finalistic role related to the legal issue of data protection, will also fulfill a strategic role in the company: help improve the work environment and, as a result, improve business development.

Below are examples of themes that can be added to the internal LGPD implementation project:

  • Moral harassment and sexual harassment Policies and Training.
  • Leadership Policies and Training.
  • Institution of Debate Channels or Whistleblower Channel.
  • Institution of Committees to deal with issues regarding diversity, gender and equality.

Including these issues can play a great role in combining the implementation of a necessary project to a strategic cultural transformation within the company.


Article provided by INPLP member: Fábio Lacaz (Andrade, Lacaz & Vasconcelos Advogados (ALV), Brazil)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)



What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.