A consultation has been launched to debate a proposal for simplified rules and exemptions relating to data protection for small and medium enterprises (SMEs) and startups in Brazil.
In the proposed framework put forward on Monday (30), the National Data Protection Authority (ANPD) plans to exempt smaller companies from maintaining a data protection officer. Instead, having a communication channel for data holders would be sufficient. Moreover, according to the proposed rules, SMEs and new tech-based firms could also be represented by business entities, legal entities or individuals, meaning companies could outsource part of the tasks relating to data protection.
“This regulatory alternative aims to guarantee the rights of [data] holders, while bringing balance between the rules contained in the General Data Protection Regulations and the size of the data processing agent”, said Arthur Sabbat, a director at ANPD and rapporteur of the proposal.
The measures outlined in the proposal, aimed at providing greater flexibility, also include different compliance deadlines for smaller firms, as well as an exemption from the obligation to keep records of personal data processing operations. The ANPD will hold a public hearing on September 14 and 15 to debate the proposal and receive comments from society on the draft resolution.
The discussion around the adaptation of the current data protection rules for small and medium businesses started to gather pace in June. At the time, ANPD’s Sabbat said the idea was to introduce “feasible” rules for SMEs, that these companies are often diverting staff from commercial and other core functions to data protection duties, and that this is not the authority’s goal. Rather, the intention is to adapt the rules so that firms can ensure compliance at a minimal level.
A survey by Brazilian martech RD Station carried out with more than 1,100 SMEs from different segments has found that 48% see finding complete and objective information on the subject as the biggest hurdle to compliance, while 20% mentioned the lack of access to tools to adapt their business to the requirements. Lack of technical knowledge of the legal team appeared in 13% of responses, while the lack of resources to adapt to the data protection rules was the main reason for non-compliance for 8% of those polled.