The costs of not having a unified view of the holder in LGPD times

By Julio Costa - Service Director at MD2 Consultoria

It is not news to anyone that, since the consolidation of the GDPR (General Data Protection Regulation) and the bill that culminated in the LGPD (General Data Protection Law), the topic of Data Governance has been increasingly in vogue in our country. Where most companies once saw this topic as something nice to have, but not necessarily a priority or urgent, it has now become fundamental for them to be able to adapt to the requirements of the law. This sense of urgency is mainly caused by the fear associated with the penalties provided by law: companies that fail to comply with the LGPD may be fined up to 2% of their turnover or the limit of R$50 million, per infraction. This context helps to explain the rush we are observing toward initiatives for compliance with the law, involving projects to support the establishment of data governance processes and programs.

Data governance represents the application of good practices involving people, processes and technology for the treatment of data itself, which includes collecting, processing, storing, sharing, analyzing and publishing it. Along these lines, for a good data governance program in light of the LGPD, it is essential that the company knows the data of its holders very well. Having a unified view of the holder, that is, knowing what data is stored and where, for what business purposes and linked to what legal hypotheses, whether or not it is shared with third parties, and whether there is a record of consent for the purposes based on this hypothesis, is the best way for the company to be able to guarantee, with quality and assertiveness, the rights of holders provided for by law.

Medium and large companies that have dozens or hundreds of systems, with thousands or millions of holder records, and that do not have this unified view of the holder will certainly have difficulties in meeting the requirements set out in the LGPD, such as responding to a complete query from a holder, applying the right to be forgotten, or having control over which holders have in fact consented to the use of their data for certain purposes. Let's imagine the following scenario:

  • A company has 2 million holders, and their data is spread across 20 different systems/databases;

  • Per month, it will receive an average of 1,000 requests from data subjects, involving requests to forget, complete consultation, data portability or confirmation of the existence of treatment. NOTE: if we think of 1,000 requests from different holders, we are talking about only 0.05% of holders present in the company's bases;

  • If we imagine that, for each request, the company consumes 4 hours of work (thinking optimistically, as we will have, at a minimum, hours from the request attendant and from those responsible for the systems, who will have to support these queries to the databases) and that each hour of work has an average cost of R$90.00, we are talking about a monthly operating cost of around R$360,000.00. That is, in 1 year, a projection of R$4,320,000.00, with the understanding that this should last for years to come.

  • In this context, there is also the risk of human error in this process, which could generate a burden if information is delivered to the holder incorrectly or incompletely.

Despite the simplicity of the example above and the possibility of varying these numbers according to the size and estimates of each company, I see that the LGPD brought even greater rationality to justify the need to consolidate a unified base of holders. In addition to reducing recurring operating costs, it will also deliver quality and security so that the company can respond to the requirements provided for by law, in addition to, of course, using this information to better understand its assets, support business initiatives based on qualified information, and control what data can be used for each business purpose.

MD2, a company specialized in Data Governance and leader in the Brazilian market in MDM (Master Data Management) initiatives for People, delivers to its customers, through MD2 Quality Manager, a unified view of holders, providing full traceability of their data in the systems of origin, linking it to the business processes and data processing, and thus allowing the entire management of the legal framework of this data (also including the management of consent). That is, through the implementation of MD2 Quality Manager, the company will be able to obtain complete and reliable information about its holder immediately, without the need to spend operational effort from the people responsible for the systems to obtain this information.

MD2 Quality Manager - Holder's 360 View*

MD2 Quality Manager - Holder Traceability in Systems/Databases*

* Images represent data from a fictitious holder.