HR Internal Investigations 2026

BRAZIL Trends and Developments Contributed by: Patricia Barboza, Alinne Gordilho and Amanda Costa, CGM Advogados

Second Trend: LGPD and Technological Impacts on Internal Investigations

The digital revolution has reached internal investigations and brought with it complex regulatory risks. Interview recordings, automated transcripts, and AI tools promise speed and accuracy, but they also raise critical questions about privacy, security, and compliance with the LGPD.

How can investigative efficiency be balanced with personal data protection? This is the question that will guide corporate practices in the coming years. Companies that fail to adopt robust policies and ethical technology risk severe sanctions and reputational damage, while those that anticipate these issues will be at the forefront of digital governance.

The LGPD imposes a new paradigm for conducting internal investigations, requiring compliance with the principles of purpose, with data used strictly for fact-finding; necessity and minimisation, with the collection of only essential data; and transparency, through clear communication about data processing to employees and other data subjects.

As companies deal with critical information that may include personal data (including sensitive data), such as statements, interview records, and behavioural data, it is essential to define the legal basis for processing. Depending on the circumstances, this may include compliance with legal obligations, legitimate interest, contract performance or another specific legal basis.

With the digitisation of investigations, specific challenges arise, such as:

• the recording of interviews, which, depending on the case, may require the explicit consent of the person under investigation, and in any event demands strong security measures, such as secure storage and access control;
• the use of AI for transcription and analysis, which can generate risks of leakage and bias, compromising the impartiality of the investigation and the non-discrimination principle established by the LGPD; and
• the sharing of data with third parties (consultancies, law firms, etc), which requires robust contractual clauses and supplier auditing.

To mitigate regulatory and reputational risks, it is recommended to adopt clear internal policies on data collection, processing and disposal, including:

• anonymisation of data whenever possible;
• periodic auditing of technological tools;
• proper recording of the relevant activities in the companies’ records of data processing activities (RoPA);
• training of teams on LGPD and information security; and
• specific channels to enable data subjects to exercise their rights.

Companies that are part of a multinational group or that use global tools or platforms, such as transcription software, must ensure that data is processed on servers in countries with an adequate level of protection or transferred abroad based on a valid mechanism, such as the Brazilian Standard Contractual Clauses, in accordance with the LGPD and the guidelines of the National Data Protection Agency (ANPD).

The future points to increasing integration between technology and compliance, including:

• AI applied to evidence screening in a context of big data analysis to identify patterns;
• regulatory pressure for algorithmic transparency, with the requirement for explainability of automated decisions; and
• greater oversight by the ANPD over data and information collection and storage practices in internal investigations.

Companies that fail to adapt risk severe penalties and damage to their reputation. On the other hand, those that invest in data governance and ethical technology will be better prepared to conduct agile, secure and compliant investigations.
