The recent publication of documents by the working groups of the National Data Protection Council (CNPD), containing input for developing Brazil's National Personal Data Protection and Privacy Policy, provides a comprehensive assessment of considerations and recommendations involving the financial market.

The financial market, a fundamental pillar for Brazil's economic and technological development, stands at the center of a crucial debate on personal data protection. Recognized for its high sensitivity to information security due to stringent regulations, the financial sector tends to be more advanced in implementing data protection practices (CNPD GTT5). Brazil's General Data Protection Law (LGPD) lists economic and technological development and innovation among its foundations, underscoring the need to protect fundamental rights to foster responsible innovation and sustainable competitiveness in the country (CNPD GTT5).

However, the Brazilian population demonstrates high concern about the misuse of their data, especially biometric data (32% very concerned and 28% concerned), and about possible resulting financial harm (CNPD GTT5). Concern is even more pronounced regarding financial institutions (37% very concerned and 46% concerned) when transmitting biometric data (CNPD GTT5). In response, Brazil's National Data Protection Authority (ANPD) has intensified its monitoring activities over the financial and telecommunications markets (CNPD GTT1-GTT5), including issuing technical notes on the active offering of credit services based on the processing of INSS beneficiary data (CNPD GTT1-GTT5). ANPD's actions extend to preventive measures, such as prohibiting Tools for Humanity from offering financial incentives for World Network (World App) membership, aiming to protect individuals' free will, especially in situations of social and economic vulnerability (CNPD GTT1-GTT5).

Despite regulatory advances, the compliance landscape presents challenges. Only 25% of Brazilian companies reported having a dedicated area or employees responsible for personal data protection in 2023, with this number being significantly lower for small companies (22%) compared to medium (43%) and large ones (56%) (CNPD GTT5). Smaller companies, including those in the financial sector, frequently delay adopting data protection measures, prioritizing more urgent investments for short-term economic survival (CNPD GTT5). Recurring issues include lack of technical clarity in fulfilling data subject rights requests (portability, data copies), uncertainty about international data transfers, and difficulty in calculating high risks in personal data processing (CNPD GTT2-GTT5).

In this context, Personal Data Governance emerges as a strategic necessity, essential for data quality, security, and availability, driving competitiveness and regulatory compliance (CNPD GTT3-GTT5). Implementing robust data governance practices is crucial for mitigating regulatory, financial, and reputational risks (CNPD GTT3). The financial sector, being highly regulated, is encouraged to adopt measures ensuring its resilience against cyber threats (CNPD GTT1). Proposed solutions for the sector include creating clear technical criteria for data delivery and secure authentication, as well as developing standardized protocols for interoperability and portability (CNPD GTT2-GTT5).

Personal data are, in fact, fundamental for credit protection, serving as the basis for assessing society's financial capacity and promoting economic efficiency (CNPD GTT5). Information such as financial history, payment habits, and income are crucial for financial institutions to assess default risk, promoting fair and personalized decisions (CNPD GTT5). Furthermore, data processing and protection are essential for combating digital scams and fraud, a growing challenge associated with the low digital literacy of victims (CNPD GTT5).

Transparency, however, is a notable challenge in the credit scoring system, which frequently lacks technical clarity and does not allow data subjects to challenge or access all data considered in their assessment (CNPD GTT5). The LGPD (Art. 20) guarantees the data subject's right to request a review of decisions made solely on the basis of automated processing of personal data that affect their interests, including credit profile decisions (CNPD GTT5). It is the controller's duty to provide clear information about the criteria and procedures used for automated decisions (CNPD GTT5). To ensure compliance, it is recommended that controllers and operators of credit scoring systems make access portals available so that data subjects can check the processed data and the weight of each piece of information in the assessment (CNPD GTT5).

Finally, data protection in Brazil's financial market is not merely a legal obligation, but a strategic factor for trust, security, and economic development. ANPD, together with other regulatory bodies and civil society, seeks to consolidate a national policy that ensures the balance between fostering innovation and safeguarding data subjects' rights, preparing citizens and organizations for the full exercise of digital citizenship in an increasingly dynamic and interconnected environment.

Access the full text of all CNPD working group documents here.

Note: The text includes source references in parentheses that support the points made (in the format CNPD GTTx, where x represents the number of the working group involved). To access the reference content, simply follow the link above and select the desired working group report.

This post was summarized from its original version using AI, with human review.