SCHEDULE

  • WORKSHOP
  • MAIN EVENT
  • 8:00 am - 9:00 am
  • Registration
  • 9:00 am - 10:30 am
  • BLUE ROOM
  • Privacy and security by design: how to implement

The General Data Protection Law, as well as the General Data Protection Regulation and other laws on data protection and security, have introduced specific rules enshrining a number of very specific rights and obligations. These rules permit a reinterpretation of the principles of privacy and self-determination and require adjustment of processes, systems, programs and personnel training, the creation of a data protection culture, data mapping, impact assessment, and the other mechanisms needed on the path to compliance. The starting point is an in-depth analysis and inventory of all data already being handled, which may be a Herculean but necessary task. Beyond that, there is no reason to start new processing without compliance and only then seek adjustment: security and privacy are needed by default in all processes, followed by compliance monitoring. Actions thus become proactive rather than reactive, with end-to-end security, transparency, and compliance with applicable standards. To reach that level, we need to talk about privacy and security by design.

  • 9:00 am - 10:30 am
  • PURPLE ROOM
  • Data Protection Impact Assessments: a comprehensive overview

The Data Protection Impact Assessment (DPIA) is required whenever processing poses a potential risk to civil liberties and fundamental rights and involves recommending measures, safeguards, and mechanisms to mitigate such risk, as defined by the Brazilian General Data Protection Law. The National Authority can require the preparation of such assessment, which will be mandatory depending on factors to be analyzed on a case-by-case basis, such as the category of data and the type of processing. What are these categories and types? Who is responsible for preparing this report? What is its minimum content? How will the report demonstrate that the company has successfully transformed the legal provisions into technical and procedural action plans?

  • 9:00 am - 10:30 am
  • WHITE ROOM
  • Unraveling anonymization and pseudonymization

The General Data Protection Law aims to protect the personal data of identified or identifiable natural persons. Thus, the LGPD will not apply to personal data that does not directly or indirectly allow identification of its subject. For this reason, there is a rush to implement anonymization processes, so that data can be collected and processed without the limitations imposed by the LGPD, based on the legitimate interests of subjects. It should also be noted that requesting data anonymization is one of the rights that data subjects can exercise. Pseudonymization, in turn, is the process whereby data can no longer be directly or indirectly associated with an individual except by using additional information kept separately by the controller in a controlled and secure environment. In this context, the validity and effectiveness of the anonymization process will depend on whether or not it can be reversed, which is one of the most complex aspects of the matter; it should also be considered that, although the National Authority has the power to issue standards and techniques for the anonymization process, no such guidelines exist at present. After all, research indicates that the combination of two data points, even nonsensitive ones, can allow identification of an individual. Furthermore, depending on the data, a single value can represent a unique pattern, which is obviously sufficient to identify an individual. So, what needs to be considered about the effectiveness and validity of these procedures? What mechanisms have been used? How do these processes keep pace with advances in technology? What are the consequences if the subject can be re-identified by reversing the process or by cross-checking data?

  • 10:30 am - 11:00 am
  • Coffee Break
  • 11:00 am - 12:30 pm
  • BLUE ROOM
  • The 10 legal bases for processing: how to identify them

Consent is perhaps the best known legal basis for legitimate data processing. It turns out that consent, though easily detectable and proven with the required objectivity, must be considered one of the last ways of legitimizing processing because of its volatility. Therefore, analyzing this and the other 9 legal bases for data processing, and understanding whether and how each of them applies to your business, can be crucial to placing your data processing on a more stable and, in some cases, unquestionable footing.

  • 11:00 am - 12:30 pm
  • PURPLE ROOM
  • Data Mapping: legal and technical aspects

Data protection laws have introduced a number of principles, obligations, and rights that must be observed. Thus, Privacy and Security by design, adjustment and implementation of the LGPD are on the agenda of major market players. It turns out that talking about adjustment and these other processes makes sense only if data mapping is addressed as well. After all, what process needs to be adjusted? What is the data cycle? Where is the data that must be secured? How do data discovery and data mapping complement each other? In this workshop, we will deepen these discussions and understand the techniques and challenges of this critical phase of a compliance program.

  • 11:00 am - 12:30 pm
  • WHITE ROOM
  • Corporate Governance: structuring internal policies

Data protection is not just about proper documentation of information or compliance with contractual provisions on responsibilities. It involves a complex process that should consider the company’s three lines of defense: People, Compliance, and External Audit; such that if one line fails, there is still another to protect data. To conduct this process, therefore, each of the affected areas must be involved, with clear rules regarding the security structure, including each role’s access levels and responsibilities for performance and compliance, as well as proper awareness programs and, if applicable, specialized training and education. These and other points are addressed by Corporate Governance, which is responsible for structuring and enforcing internal policies.

  • 12:30 pm - 2:00 pm
  • Coffee Break
  • 2:00 pm - 3:30 pm
  • BLUE ROOM
  • Controller/Processor: the importance of having a formal definition of the agents’ roles

The processor must act within the limits set by the controller. However, as shown in the case involving Cambridge Analytica and Facebook, these roles are not always clear when an incident happens. While, on the one hand, each party’s responsibility is a legal matter, on the other hand it is the agreement between them that must specify the limits of the controller’s request and of the processor’s performance. Each side should analyze its role in data processing and the contractual provisions, especially considering that some clauses allow for strict or broad interpretations of what was really intended. In addition, the relationship between the parties may, in certain cases, change the contractual matrix and give rise to originally unforeseen responsibilities, where, once again, the diligence of those involved in formalizing the agreements is important.

  • 2:00 pm - 3:30 pm
  • PURPLE ROOM
  • Data breach: far beyond data leak

A data breach causes data leakage and exposure of often thousands of data subjects, with potential breach of an individual’s privacy, intimacy, data allowing predictive analysis of particular actions and thoughts, among other situations that put the individual in a clear position of vulnerability. Indeed, data breach can reveal and devastate the privacy of data subjects, leading to dismissal, extortion, and even suicide – as in the well-known Ashley Madison case. However, not only the subject is exposed. At a different level, the controller itself is exposed, revealing much about it, especially negative aspects, which can jeopardize the security and future of its business.

  • 2:00 pm - 3:30 pm
  • WHITE ROOM
  • Right of access, portability and deletion of personal data: how to enforce data subjects’ rights

Law and technology are essential to comply with Privacy and Data Protection rules. It is up to law practitioners to interpret the rule in the light of numerous principles, making it as effective as possible, in harmony with the Federal Constitution. However, there are situations in which this interpretation challenges technology measures not yet implemented – whether because of their cost or because of the state of the art, that is, there is not yet a mechanism for achieving exactly what is intended. This is the case, for example, of interception of conversations made via instant messaging applications to investigate heinous crimes. Interpretation of the law holds the possibility of the measure. However, technology companies say compliance with the measure would be impossible. At the same time and again illustrating the topic, there is fierce discussion about the technical mechanisms necessary for deleting subjects’ data. After all, there is already technology that allows recovery of deleted data. So, how to make the determination of the law compatible with the technical and actual feasibility to implement it?

  • 3:30 pm - 4:00 pm
  • Coffee Break
  • 4:00 pm - 6:00 pm
  • BLUE ROOM
  • Public and private entities: data sharing and interaction

  • 4:00 pm - 6:00 pm
  • PURPLE ROOM
  • Banking industry / means of payment: how to align the LGPD with industry standards

Resolution 4658/2018 and Circular 3909/2018 of BACEN (the Brazilian Central Bank) establish guidelines on the Cyber Security Policy and requirements for contracting cloud data storage and processing services, directed at institutions authorized to operate by BACEN, such as banks and payment institutions. In April 2019, a Law was enacted changing the rules on positive credit reporting, raising an important discussion about credit modeling, the growing knowledge and use of data, and whether such use protects (or not) credit and the economy. The market is eagerly awaiting the Central Bank’s regulation of Open Banking and is studying the impact of this opening and the possibility of developing new related business. These are just some of the industry standards related to banking and data processing. The topic is of special interest in this industry, including the discussion about the possible processing of sensitive data derived from industry-specific transactions, such as purchases at drugstores, payments made, or geolocation data collected by the institutions’ apps. Thus, because data is the new currency, the discussion on banking industry standards and the LGPD is pressing and urgent.

  • 4:00 pm - 6:00 pm
  • WHITE ROOM
  • Sensitive data: restrictions and handling

Not only for legal, but above all for ethical reasons, sensitive personal data deserve special safeguards. The General Data Protection Law provides that the processing of sensitive personal data should be given special attention and is subject to specific processing conditions. Sensitive personal data reveals racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, data concerning health, genetic or biometric data, and data concerning sex life or sexual orientation. Note that this treatment applies to any and all forms of personal data: text, biometric, image, sound, etc. Thus, it is important to emphasize that treating such data with the care it deserves not only ensures privacy but also prevents the data from being used against its own subjects, often restricting them from exercising their rights. In this panel, discussion will focus on the distinction between nonsensitive and sensitive personal data, the best criterion for such distinction, possible interpretations in different contexts, and the possibility of turning nonsensitive into sensitive personal data through, for example, artificial intelligence.

  • 9:00 am - 9:15 am
  • BLUE ROOM
  • Opening
  • 9:15 am - 10:10 am
  • BLUE ROOM
  • International Keynote: Future (and History) of Privacy

Data are on the agenda of companies, government and society; in studies on innovation, and in news about security, incidents and attacks. The world is alert and debating the many possibilities and the many risks that data bring. What limits are necessary to safeguard users’ privacy without stifling innovation and new business models? Which values need to be weighed so that privacy by design and by default are not limited to a mere ideology but instead mark the beginning of a society that harmonizes self-determination with disruption, innovation and technology?

  • 10:15 am - 10:40 am
  • Coffee Break
  • 10:45 am - 11:45 am
  • BLUE ROOM
  • CEOs’ Perspectives on the LGPD

How do these executives face the challenges and impacts of the General Data Protection Law on their business, and how do they ensure that data subjects can exercise their rights? What criteria have they adopted to prioritize opportunities for improving their internal processes and practices, using the Law itself as a competitive edge?

  • 11:50 am - 12:20 pm
  • BLUE ROOM
  • There is less than one year left before the effective date of the LGPD. Are we ready?

After years of discussion involving the business sector, academia, and civil society, the Brazilian General Data Protection Law (LGPD), Law No. 13709/2018, was enacted in August 2018, which has placed Brazil among the countries that have a general law specifically on Data Protection and Privacy. Defining concepts, obligations, and severe sanctions, the law has introduced rules on data security and processing based on important principles, such as purpose, adequacy, necessity, open access, prevention, and non-discrimination. On the other hand, it has expressly granted users broad rights, including the right to data access, correction, portability, and deletion. Among the sanctions, it has introduced the possibility of warning, publicity of the violation, blocking, or erasure of data, in addition to a fine that can reach R$ 50,000,000.00 (fifty million reais) or 2% of the latest annual turnover of the private-sector entity, group, or conglomerate in Brazil. In December 2018, MP [Executive Order] 869/2018 created the National Data Protection Authority (ANPD) and, among other provisions, assigned it the duties of ensuring protection of personal data, issuing rules and procedures, requesting information on the validity of processing, inspecting and imposing sanctions for noncompliance with the LGPD. The Law will come into full force in August 2020. And given that there are only a few months left, the question is: How do our mapping, impact reports, governance and compliance programs address the LGPD? Are we ready to respond to requests from the ANPD and provide security to our customers, partners, and employees or do we still need to move forward in this direction?

  • 12:25 pm - 1:55 pm
  • Lunch
  • 2:00 pm - 2:55 pm
  • BLUE ROOM
  • Inspections and sanctions: how data protection laws are being applied worldwide

The Cambridge Analytica scandal was reported worldwide, where the British advisory firm that worked for Donald Trump’s presidential election campaign exposed data of 87 million Facebook users and, after intensive investigations, in January 2019 pleaded guilty for having exceeded the limits imposed by the Facebook data controller, resulting in a fine of £15,000 (US$ 19,100 or 16,700 euros). In March 2019, in Brazil, SENACON filed two lawsuits against Facebook for breach of personal data, including in transactions with the British firm Cambridge Analytica.
Uber is also being investigated in Brazil as a result of a leak that was finally disclosed to the authorities, after a year hidden under an unspoken agreement, revealing the data vulnerability of 57 million users and drivers, which has already resulted in: a settlement with the U.S. Government, under which Uber assumed a fine of US$ 148 million, a conviction by the United Kingdom and the Netherlands Data Protection Authorities in an amount equivalent to R$ 4.5 million, and ongoing investigations, including in Brazil.
In turn, Google was ordered by the French Data Protection Authority to pay 50 million euros for breach of personal data because, according to the Authority, Google failed to act transparently.
What factors were considered in imposing the sanctions? What have the Authorities been strongly and exemplarily condemning, and what has been effective in demonstrating companies’ diligence and compliance with Data Protection and Privacy standards? Is the demonstration of such diligence and of the mechanisms adopted during and after the incident considered in the penalty determination?

  • 2:00 pm - 2:55 pm
  • PURPLE ROOM
  • Diagnosis and gap analysis: mapping out legal, procedural and technological risks

Data cycle mapping is one of the most important steps in implementing the LGPD. In this process, beyond portraying the current scenario, it is necessary to identify vulnerabilities and nonconformities and recommend the necessary improvements, whether procedural or technological. Based on the current and the desired situation, a detailed Action Plan should be prepared covering training, processes, systems, compliance monitoring, contingency measures, and other mechanisms to ensure diligent exercise of obligations and responsibilities under the LGPD, including in the event of incidents.

  • 3:00 pm - 3:50 pm
  • BLUE ROOM
  • Legitimate interests: unveiling the most controversial legal basis

The General Data Protection Law provides 10 legal bases for processing. Some situations are quite objective and clear, such as consent: either you have it or you do not. Other situations call for a special analysis of the relationship between the parties involved, such as the contractual basis. And one of the bases is the trivial, but often controversial, legitimate interest, which, according to the law, can support processing of personal data only for… “legitimate purposes”! In a non-exhaustive list, the LGPD indicates that such processing is permitted to support and promote the controller’s activities and to protect the regular exercise of rights or provision of services, under the law. Of course, such vague concepts generate discussion about this legal basis. However, the LGPD has two very specific points about legitimate interests: the obligation to make processing transparent to the data subject, and the possibility for the National Authority to require an Impact Report. This legal basis must therefore be unraveled so that the answers to these questions, which to some extent will be part of the Impact Report, are clear, accurate, logical, and easy to understand.

  • 3:00 pm - 3:50 pm
  • PURPLE ROOM
  • Compliance and Personal Data Protection: legal rules and internal procedures

The Compliance area is responsible for establishing and enforcing Internal Policies and Processes in an integrated way with other areas of the company, considering the operational risks, the best techniques to mitigate them, and the legal responsibility of the company and of each agent. Of course, it should not act as a deterrent for ideas, innovation, and advancements, but rather play a guiding role, on different fronts, so that the care for legality, prevention, and data security becomes a cultural standard.

  • 3:50 pm - 4:15 pm
  • Coffee Break
  • 4:20 pm - 5:15 pm
  • BLUE ROOM
  • Artificial Intelligence and Personal Data Protection

At a public hearing in Brasilia in April, Ms. Juliana Abrusio, commenting on automated decision-making to the Joint Committee reviewing MP 869/2018 (which amends the General Data Protection Law), was categorical in stating that when we focus on automated decision-making we are talking about artificial intelligence, and when we talk about automated decision-making we cannot limit the scope of the discussion to human review. Such a review is no doubt of utmost and legitimate importance. However, it calls for a practical and not merely ideological approach. Technological advancement should be exploited to its full potential, but cannot serve to minimize the reach of the law, including, but not limited to, non-discrimination and access to information. This calls for an interpretation that encompasses the right to a clear explanation, so that users whose data is subject to automated processing retain the right to control and possession of the data, even when the processing is done by machine learning. How can the different valid interests and rights of users be harmonized with the state of the art and technological advancement? What conversations need to be held on the topic?

  • 4:20 pm - 5:15 pm
  • PURPLE ROOM
  • DPO: who to appoint, how to prepare and what are their duties?

As Renato Opice Blum states, “… the best guidelines on this matter continue to be caution and common sense – watchwords for any Internet user, public figure, or regular citizen.” In order to arrive at these common guidelines, the DPO within each company has the role of planning, monitoring, and supervising the program for compliance with applicable Data Protection and Privacy Laws, establishing an appropriate action plan for incidents, and taking all necessary steps to ensure that the plan is followed when an incident occurs. Faced with such a complex and important role, the professional who takes it on needs skills such as knowledge of processes, laws and technology, and the ability to communicate easily with the different areas that deal with data. How do we find this multidisciplinary professional, what roles do they need to play, and how do we identify their numerous abilities or train them?

  • 5:20 pm - 6:15 pm
  • BLUE ROOM
  • ANPD (Brazilian Data Protection Authority) and CNPD (Brazilian Data Protection Board). Formation, supervision and sanctions: what will happen in Brazil?

The National Data Protection Authority (ANPD) and the National Data Protection and Privacy Council (CNPD) were created in December 2018 by MP 869/2018, which specified that the ANPD’s duties include the following: to request information at any time from personal data controllers and operators that conduct personal data processing operations; and to inspect and impose sanctions in case of data processing in violation of the law. The duties of the National Data Protection and Privacy Council (CNPD) include proposing strategic guidelines and providing input for the preparation of the National Personal Data Protection and Privacy Policy and for the ANPD’s performance; recommending actions to be taken by the ANPD; and preparing studies and holding public debates and hearings on privacy and personal data protection. It should be noted that both bodies will have to work closely to regulate and guide companies on minimum requirements for compliance with the LGPD, paving the way to the exercise of the Principle of Confidence. Precisely for this reason, it has been discussed which agents should participate in such bodies and what effects possible appointments will have, especially in light of the principles, concepts, and technical standards regarding Privacy and Data Protection and the significant sanctions for noncompliance under the general law.

  • 5:20 pm - 6:15 pm
  • PURPLE ROOM
  • DPO: structuring of the position, the area and responsibilities of the agents and of the officer

The LGPD determines that it will be up to the controller to appoint a DPO (Data Protection Officer) and disclose the identity and contact details of this professional in a clear and objective manner. It briefly describes some activities that are the responsibility of the DPO and states that the National Authority may establish rules on definitions and attributions of the person in charge. Though concise, the Brazilian law leaves some important matters open, such as the structure of the position, its autonomy, and the limits of its responsibility. Is the DPO responsible for supervising all areas of the company dealing with personal data, including top management? If an incident is found to involve the company’s president and board, who should the DPO report to? Does the DPO act alone or can they be integrated in one area and take on additional duties? Are there any guarantees for the performance of their duties? Under what circumstances should they report to the National Authority and what is the responsibility of the agents involved? Can international practices and the European General Data Protection Regulation fill any gaps?