The Queen’s Gambit and Strategies for Decision-Making in Data Governance under the LGPD (Brazilian General Data Protection Law)
Adalberto Simão Filho and Janaina de Souza Cunha Rodrigues
What kind of contribution to systematic and regular legal studies of the LGPD could a television series, essentially dealing with chess games related to the interviewee’s life experience, generate? The unmissable series titled The Queen’s Gambit, with over 62 million views on streaming services worldwide, was based on the book written by Walter Tevis, published in 1983, and adapted, scripted, and directed by Scott Frank, starring Anya Taylor-Joy as the main character Elizabeth Harmon, who, as a chess player, achieved successive victories until becoming world champion. Throughout the chapters, the author seeks to demonstrate the close relationship between chess moves and the actions, events, and consequences related to the protagonist, whose personality is richly constructed. The author does not shy away from imbuing her with an existential philosophical vision within the context of her life of sacrifice and overcoming challenges, described from a young age, as well as the other characters around her who, recognizing certain characteristics of her personality, altruistically sacrifice themselves for her, contributing to her achieving positive results, including personal growth. In this scenario, strategic and thoughtful decision-making is essential and fundamental to success in competitions, and the main character achieves this through exercises in previewing numerous moves (by fixing her gaze on any point in space), relying on the contribution of those chess players she has defeated along her journey who have joined her in the same ideal of making her victorious, predictively practicing all plausible and possible moves for her opponents, in order to obtain the desired opportunity.
But the character’s present and real choices are linked to her past and family circumstances, which include her mother’s death in a car accident and her upbringing and education in an orphanage where, at a young age, she began her contact with the fascinating game of chess. Her first lessons were given by a dedicated caretaker who taught her the game’s moves in the orphanage’s basement during his free time, and to whom she paid a moving posthumous tribute, dedicating one of her overwhelming victories. These brief lines do not intend to spoil this acclaimed series, but rather to contribute to drawing an analogical and metaphorical parallel, aiming to demonstrate the importance of accurate and temporally efficient decision-making in managing LGPD (Brazilian General Data Protection Law) matters, based on the evaluation of past and present circumstances, with a view to a protective and inclusive future. Although the intended correlation adapts to the entire content of the LGPD, here we present an excerpt from Article 50 of this law, which mentions that controllers and operators, within the scope of their competencies, for the processing of personal data, individually or through associations, may formulate rules of good practices and governance that establish the conditions of organization, the operating regime, the procedures, including complaints and petitions from data subjects, security standards, technical standards, specific obligations for the various parties involved in the processing, educational actions, internal mechanisms for supervision and risk mitigation, and other aspects related to the processing of personal data. The primary question that arises lies in understanding the need to formulate these rules aimed at developing internal policies of good practices and data governance, as an option or as an imposed obligation or duty.
The decision-making process for all those who are in the process of adapting their business or institutional framework to the terms of the LGPD (Brazilian General Data Protection Law), from a purely financial point of view, will be clear, as these policies require solid planning, financial outlay, preparation, involvement of people, and maintenance so that they can be implemented efficiently. Thus, there is a clear correlation between the choices and consequences of the manager’s decision-making and the character’s decision-making, through the choice of the opening move known as the Queen’s Gambit. To better understand this relational symmetry, let’s return to the game of chess and a brief explanation of the context surrounding this move. Composed of 16 white and black pieces on each side of the board, the game of chess involves logical reasoning and constant strategy where, in a match aimed at checkmating the opponent, the element of luck is eliminated. According to history, chess originated in the 6th century in India, under the name Shaturanga, and was also practiced in China and Persia. In its current form, development occurred in Southwestern Europe in the mid-15th century, with chess being recognized as a sport by the International Olympic Committee in 2001. We will not discuss the workings and rules of this game here. However, for the intended analogy, it is appropriate to mention the conceptual view that, in the game of chess, a battle is waged between two kingdoms, starting with a group of soldiers (pawns) who must primarily protect the King. There is also the Queen and three levels of officers called Bishop, Knight, and Rook, each of whom has a specific trajectory and movement on the board, linked to their purposes and their protective functions and aspirations in the game. There are important characteristics that should be observed in these infantry pawn soldiers. 
They are trailblazers and enable the others to advance into the enemy field, even though they have restricted and inferior movements compared to the other characters in the battle. In this context of pitched battle, there can be no regrets in their trajectory, and no regression is allowed. When one of these soldiers manages to advance on the board to the last rank on the opponent’s side (the eighth rank), it immediately undergoes a transformation and is turned into an important queen, if the original queen had already been eliminated, or even into a bishop, rook, or knight, at the player’s discretion and depending on the previous losses of these similar pieces in the game. Therefore, a pawn, from an existential point of view, is essentially a resplendent Queen in bud. The expression “Gambit” (or “cambito,” which is synonymous with thin legs in Brazil) originates from the Italian *gambetta* (little leg), which is the diminutive of *gamba*. In turn, “Queen’s Gambit” is an expression used to represent an initial opening move in chess where an infantry soldier, a “pawn,” can be summarily sacrificed to gain an advantage and enable winning the game, in the way the chess player envisions, with the opponent having to accept or reject the “Queen’s Gambit.” If this move is accepted, the opening pawn will be sacrificed immediately, generating an initial advantage for the one who made the move. In our view, this metaphor can clearly be applied to decision-making regarding matters involving the LGPD (Brazilian General Data Protection Law) and, in particular, to the interpretation of Article 50. Based on a superficial economic analysis of law, without considering the complete context of the LGPD and its relationship with business and institutional needs and expectations, one could choose “not to sacrifice the pawn” at the very beginning of the law’s applicability.
In other words, this option can be constructed from the following narrative: If Article 50 of the law clearly uses the expression “may formulate rules of good practices and governance,” this means that it is merely an option and, therefore, it will not be necessary at this time to allocate resources, assets, and work to the development of internal policies that can meet this provision. Thus, metaphorically speaking, we will not begin this phase with a “Queen’s Gambit” that would lead to the sacrifice of a pawn, as we will have time to build a suitable structural scenario throughout the game. The counterpoint to this reasoning would be the following: although it is recognized that, in theory, nothing prevents the preparation foreseen by law with the establishment of good data governance policies and best practices, given that Article 50 presents a mere option and not a duty or obligation, considering the impact of the LGPD (Brazilian General Data Protection Law) on the legal field of third parties, its preventive and protective character, and in observance of its set of principles and foundations, the ideal would be to execute the “Queen’s Gambit” move immediately, right at the opening, even with enormous risks of “sacrificing the pawn,” by imposing what is necessary for the immediate implementation of the proposed policies, reducing uncertainties, generating future security in the process and possible success.
Based on a systematic set of principle-based norms, the LGPD (Brazilian General Data Protection Law) also advocates for the adaptation and compliance by the agents subject to it, of a series of routines aimed at protecting personal data, through the pursuit of harmonization, the establishment of standards for the protection of privacy and personal data, the creation of a complete system of protection and standardization, in such a way that it will be up to market agents, within the scope of social responsiveness, to create procedures to generate the adequacy and protection of the protected rights, through appropriate models and the effective adoption of best practices in data governance. Thus, observing the rule contained in article 50 of the LGPD, from its paragraphs, the implementation of the suggested policies will comply with a set of rules that are linked to the finalistic purpose of the norm. The first paragraph mentions that when establishing rules of good practice, the controller and the operator must consider, when processing data, its nature, scope, and purpose, as well as the probability and severity of the risks, considering the benefits arising from the data processing. In turn, from the second paragraph of the same article, it can be inferred that, in applying the principles established in the LGPD (Brazilian General Data Protection Law), the controller, once the structure, scale, and volume of its operations have been observed, as well as the sensitivity of the data processed and the probability of generating harm to its holders, may implement a privacy governance program with minimum requirements provided for in the law and also demonstrate the effectiveness of its program, especially at the request of the national authority or another entity responsible for promoting compliance with good practices or codes of conduct, which, independently, promote compliance with the Law. 
Thus, paying attention to the foundations of the LGPD, based on respect for privacy; informational self-determination; freedom of expression, information, communication, and opinion; the inviolability of intimacy, honor, and image; economic and technological development and innovation; free enterprise, free competition, and consumer protection; and human rights, the free development of personality, dignity, and the exercise of citizenship by natural persons, makes the decision-making process more intuitive when considering the “Queen’s Gambit” tactic in initiating procedures for adapting to the LGPD (Brazilian General Data Protection Law). Article 50, containing the provision of an option, must be interpreted in harmony with the other legal provisions, demonstrating, in reality, that this option is a duty, insofar as it constitutes a programmatic rule aligned with the foundation and principles of the data protection system, conceived by the legislator for the State’s achievement of the social purposes foreseen. And this power-duty that justifies the decision-making by the company or institution to immediately implement the policies mentioned by the legislator finds full resonance and harmony with the principles that guide the Brazilian personal data protection system, embodied in purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, accountability, and reporting as a way for the data controller to demonstrate the adoption of effective measures capable of proving compliance with personal data protection regulations and, including, the effectiveness of these measures. From this point of view, data governance cannot be reduced to a simple adequacy check regarding compliance with legal dictates because there is a real need to adopt an efficient system to detect risks, weaknesses, and harmful data exposures, so that mitigation and/or annulment is possible.
Thus, there is a duty to build an efficient compliance and prevention program, corroborating a scenario that demonstrates best practices and good faith on the part of agents in the governance and processing of personal data, in addition to all efforts made to mitigate any data breach incident that may occur. The LGPD (Brazilian General Data Protection Law), when addressing issues related to integrity programs, encouraging data processing agents to formulate rules of good practice and governance that establish conditions, security standards, technical standards, and risk mitigation mechanisms, also demonstrates the need for and current pursuit of Accountability in order to establish a new vision regarding responsibility in the protection and processing of personal data, as an autonomous category within the list of fundamental rights, bringing to this normative content the necessary independence from other existing protection rights in the legal system. Given the principle-based nature of the rule, this power described in Article 50 should not be interpreted in isolation, just as none of the articles of the LGPD (Brazilian General Data Protection Law), in our view, should be analyzed in isolation, as it is necessary to evaluate the entire system in which the rule, or a specific article thereof, is embedded. Once the decision is made to immediately develop the relevant protective policies arising from Article 50, when issuing a Code of Best Practices, an organizational and ethical standard may be adopted containing a specific chapter dedicated to formulating rules of good practices and data governance. 
With regard to data processing and protection, certain conformities must be followed in establishing these regulations, paying attention to their nature, scope, purpose, and the probability of risks and benefits arising from the processing of the data subject’s data. Given the protective purpose of the standard, two principles can be observed in the development of the Best Practices Code. The first is focused on security, which requires the use of efficient and existing technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination of data. The second principle is reserved for prevention, which relates to measures that can be adopted to prevent and mitigate the occurrence of damages due to incidents in the processing and/or storage of personal data. An adequate governance program should aim to establish a relationship of trust with the data subject, through transparent action that ensures mechanisms for their active participation in the control and destination of their personal data. Furthermore, it should be integrated into the company’s overall corporate governance structure, as already mentioned, and should establish the rules for applying internal and external supervision mechanisms. Monitoring a data governance program should include incident response and remediation plans to minimize risks, and should be continuously improved and updated, with periodic evaluations. There is also the extremely positive aspect for the data owner/consumer when the company/institution, or whoever is legally obligated to do so, effectively proposes to make the necessary internal adjustments to structure a data governance program and protective policies. This involves transparency for the consumer and the possibility of prior adherence to specific policies when offering services, especially through applications.
In this context, the practice of some service providers simply denying access to a service because the consumer disagrees with the privacy policy or the content of some of its provisions would not be applicable. Denying services to someone who disagrees with how their data is used seems out of step with the spirit of the LGPD (Brazilian General Data Protection Law), and data governance rules can initially correct this delicate issue. We now return to the intended parallel regarding the consistent management decision-making process of establishing a move in the style of the “Queen’s Gambit,” which leads to the initial sacrifice of the pawn, resulting in the immediate implementation of legal dictates aimed at the complete security and protection of data, or implementing a data governance program, as established in Article 50, using only a final variable, focused on the costs and investments necessary for the adoption and implementation of this system, as a way to generate the necessary compliance, deferring the executive measures in time and space. The data governance system, combined with the concepts of good corporate governance, aims to adopt best practices that can lead to a harmonious relationship between all agents responsible for data processing: data subjects, companies, institutions, and markets. The need to adopt codes of conduct regarding the protection of personal data is also part of the European General Data Protection Regulation (GDPR), which inspired Brazilian legislation. Section 5 deals with Codes of Conduct and Certification, and in particular, Article 40 governs the promotion by Member States, supervisory authorities, the Data Protection Committee, and the Data Protection Commission of the development of codes of conduct intended to contribute to the correct application of the regulation, taking into account the characteristics of different processing sectors and the specific needs of companies.
From this European perspective, associations and other bodies representing categories of data controllers or processors can also develop codes of conduct to specify best practices in the areas suggested. This regulation aims to seek equitable and transparent treatment in matters of data protection, observing the legitimate interests of data controllers in specific contexts, implementing specific provisions on topics such as the pseudonymization of personal data; the need for information to be provided to the public and data subjects; the provision for the exercise of data subjects’ rights; specifications on information provided to children and their protection, and the manner in which the consent of the holder of parental responsibility for the child must be obtained; extrajudicial actions and other dispute resolution procedures between data controllers and data subjects and measures designed to ensure the security of processing; notification of personal data breaches to supervisory authorities and communication of these personal data breaches to data subjects. It should be noted that codes of conduct are important in the implementation of European public policies and must be submitted to the Supervisory Authority for compliance, prior review and approval. Afterwards, these codes will be registered, made available to the public according to the principle of publicity, and supervised by it or by an organization accredited by the Control Authority, generating absolute transparency. As the Brazilian National Data Protection Authority (ANPD) implements its policies, it seems that the issue of data governance will gain strength and structure, generating the expectation and need for its immediate and effective implementation, in a comprehensive manner, as is the case in Europe. 
By adding more variables to the construction of the initially presented parallel, it may be possible to achieve strict efficiency in immediate decision-making through a management move similar to the “Queen’s Gambit,” potentially sacrificing a pawn by immediately implementing a data governance program and related policies. This aims to protect personal data in accordance with legal regulations and public policies, consequently preventing and mitigating risks arising from leaks and incidents, and representing an act of social citizenship. Finally, in the real game of chess that is business and institutional life, given the set of circumstances surrounding the decision to adopt the LGPD (Brazilian General Data Protection Law), its form of adaptation, intensity, and timing, combined with the rationalization of its objectives, costs, and investments involved, and efforts to properly comply with the legal system for the protection of personal data, what will your move be? Let’s play… as Beth Harmon would say.
Originally published in: https://www.migalhas.com.br/coluna/migalhas-de-protecao-de-dados/340576/o-gambito-da-rainha-e-as-estrategias-para-a-tomada-de-decisao-na-lgpd