Gabriel Araújo Souto, Fellow, Datasphere Initiative
In my previous fellowship blog post at the Datasphere Initiative, I discussed the relevance of establishing an Ethics and Data Governance Board (EDGB) in Brazil to comply with the Brazilian Data Protection Regulation (LGPD) and foster a culture of data protection. The EDGB would serve as a mechanism for legal compliance, transparency, and accountability in handling personal data. It would provide guidance and oversight, both for LGPD compliance and the development of a data governance culture within companies.
The post highlights examples such as the TikTok Security Council and the Ministry of Economy Central Data Governance Committee as potential models for designing an EDGB. These examples demonstrate the importance of multistakeholder oversight and the involvement of affected communities in decision-making processes. The post concludes by emphasizing the implications of the LGPD for Brazilian companies and the potential benefits of establishing an EDGB. It also mentions that a step-by-step guide for forming an EDGB in the context of the LGPD will be proposed in a future post to support the development of a culture of data protection, privacy, and trust.
In this blog, I will provide a detailed guide outlining the process of establishing an EDGB within the framework of the LGPD.
Data governance – at the firm level – means defining and monitoring compliance with strategies for managing a company’s data, including the definition of policies, guidelines, roles, responsibilities, and processes for data management.¹ It acts as an articulating framework, identifying problems, avoiding public relations damages, seeking opportunities, proposing initiatives, monitoring, and orchestrating the execution of actions aimed at improving maturity in the use of data and compliance with the strategic direction established for them.
In that sense, practical steps must be taken to ensure the proper functioning of an Ethics and Data Governance Board (EDGB).
1. Establish a data governance policy
A data governance policy will have better enforcement when responsibility for managing data is shared across business, operations, and technology. The adoption of a culture that encourages debate on problems and opportunities with data, as well as the direction and prioritization of improvement actions, becomes much more comprehensive and effective when it involves several units of a company. Thus, one of the best places to practice this kind of approach is in an EDGB.
Matters related to data governance should be discussed in an EDGB. That is, the creation of an EDGB dedicated to understanding, implementing, and monitoring a data governance program is a recommended practice for adapting the company to the LGPD. The policies and procedures should be reviewed and updated regularly to ensure that they remain in compliance with the LGPD.
2. Appointment of a Data Protection Officer (DPO)
The second step in implementing an EDGB is to appoint a DPO. The DPO will be responsible for ensuring compliance with the LGPD and for communicating with the EDGB. The DPO will also be responsible for developing and implementing data protection policies and procedures, as well as for conducting regular risk assessments to identify and mitigate any potential risks to personal data.
An appointment of a DPO is important for the EDGB because the DPO plays a crucial role in ensuring compliance with the LGPD. The DPO is responsible for developing and implementing data protection policies and procedures, such as the data governance policy, as well as for conducting regular risk assessments to identify and mitigate any potential risks to personal data. The DPO will also be responsible for communicating with the EDGB and for reporting any issues or breaches to the EDGB.
3. Select EDGB members
Although not mandated by the LGPD, the introduction of the EDGB serves as a valuable framework for both legal compliance and the promotion of a data protection culture. Implementing the EDGB helps prevent potential repercussions such as misuse of personal data, lawsuits, boycotts, and reputational damage. By proactively establishing the EDGB, companies can demonstrate their commitment to responsible data practices and mitigate the risks associated with mishandling personal information.
The EDGB should not only be composed of a diverse group of individuals with relevant expertise in data protection, law, and technology but also representatives of the potentially affected communities. A multistakeholder approach in this selection of external individuals to the organization should be taken into consideration. This is because having a diverse set of perspectives and skill sets can help to ensure that the EDGB is able to identify and address a wide range of potential risks and that the EDGB can make informed decisions about data governance.
Having representatives from the communities affected by data collection, access, and use can contribute to shaping the governance process, as well as access and benefit sharing. Having experts in data governance and related fields on the EDGB can also help to ensure that it is able to understand the implications of the LGPD for the company, as well as other regulations that may apply to the company’s operations. Additionally, having an EDGB that is independent of the company’s management can help to ensure that it makes unbiased and objective decisions about data governance. This diversity of representatives is already applied, for example, in ESG boards as a way to implement a company’s ESG governance.²
4. Create an efficient reporting strategy
Finally, reporting is an essential aspect of the EDGB’s role in ensuring compliance with the LGPD and protecting personal data. Reporting helps to keep all stakeholders informed and aware of any issues or concerns related to data protection, and can also help to identify and address any potential risks to personal data.
Effective reporting helps the EDGB stay informed about the data governance policy that is in place and identify any areas that may require improvement. By keeping all stakeholders informed and aware, reporting creates a culture of transparency and trust around data protection. Additionally, reporting can help to ensure that any issues or breaches are identified and addressed in a timely manner, which is essential for maintaining compliance with the LGPD.
In conclusion, the LGPD has significant implications for Brazilian companies and requires them to comply with specific requirements for the collection, storage, and usage of personal data. One way to ensure compliance with the LGPD is to establish an EDGB. By implementing it, Brazilian companies can ensure that they are in compliance with the LGPD and that they are protecting the personal data of their customers and users.
Therefore, the implementation of an EDGB is a necessary step for Brazilian companies to effectively manage and protect data while also ensuring compliance with the LGPD. The EDGB can be implemented through a four-step process: (i) establishing a data governance program, (ii) appointing a DPO, (iii) composing a diverse group of individuals, and (iv) creating an efficient reporting strategy. The EDGB can provide guidance and oversight to help companies comply with the LGPD and manage their data assets effectively.
The next step in my fellowship is to host an event in the form of a webinar about the EDGB proposal in Brazilian companies with key stakeholders. Speakers and detailed information will be shared this spring on the Datasphere Initiative’s social media.
1 See Davies, T. (2022). Data Governance and the Datasphere Literature Review. Datasphere Initiative. https://www.thedatasphere.org/datasphere-publish/data-governance-and-the-datasphere/
2 See Washington, P. (Feb. 9, 2023). ESG Is Changing Boards. Investors Should Look Closely. Barron’s. https://www.barrons.com/articles/esg-boards-investors-conference-board-51675886249