LGPD: What Is the Brazilian General Data Protection Law and How to Comply with It
Following the European General Data Protection Regulation (GDPR), which went into effect in May 2018, and the California Consumer Privacy Act (CCPA), which went into effect in January 2020, one more data protection law is about to become official, this time in Brazil.
Since there is as yet no national data protection authority to enforce the law's provisions, we should expect changes and updates to the current version of the LGPD. The establishment of the Brazilian Data Protection Authority (DPA) is still in progress, so it is premature to give a definitive recap of the LGPD's requirements. Note that any of the points below may still change.
In general, however, the main focus of the LGPD, like that of the GDPR that inspired it, is to set out data protection principles, define the legal bases for processing personal data, impose restrictions and limitations, require data security, and assign accountability in case of security incidents.
What Is the LGPD?
Lei Geral de Proteção de Dados (LGPD) is Brazil's new data protection law, expected to go into effect on August 15, 2020 (May 2021 according to some sources). It applies to organizations, regardless of their physical location, that
- carry out data processing operations in Brazil;
- process data in order to offer goods or services to, or otherwise process the data of, individuals located in Brazil;
- process personal data that was collected in Brazil (data belonging to a data subject who was in Brazil at the time of collection).
A processing operation under the LGPD is defined as any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.
What Data It Applies To
The LGPD applies to personal data, defined as any information related to an identified or identifiable natural person. It also applies to sensitive personal data, defined as personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, and genetic or biometric data, when related to a natural person.
There are no clear directives concerning anonymized or pseudonymized data. In general, anonymized data is not considered personal data; however, when it is used to build behavioral profiles of identified individuals, it can be treated as personal data.
What Organizations It Applies To
The LGPD applies to any organization (individual or company, public or private, small business or enterprise, Brazil-based or foreign) that collects or processes personal data in Brazil, for marketing or any other purpose, regardless of where the organization is located. Such an organization is defined and addressed in the law as a data controller or a data processor. If your company collects and processes the personal data of people located in Brazil yet is based in Los Angeles, you still need to be LGPD-compliant.
The LGPD does not cover data processed by an individual for purely personal purposes, data processed exclusively for academic or journalistic purposes, or data processed for national security purposes.
The LGPD obligates data controllers and processors to ensure data security and protect it from unauthorized access or unlawful processing.
Data Subject and Their Rights
The data subject is a key term in the new law. The LGPD defines a data subject as the natural person to whom the personal data undergoing processing refers.
Data subjects have the following rights in terms of their personal data:
- Awareness and confirmation of the existence of data processing;
- Access to personal data;
- Correction of incomplete, inaccurate or out-of-date data;
- Anonymization, blocking or deletion of data that is unnecessary or excessive, or that was collected or processed in non-compliance with the LGPD;
- Disclosure of any third parties with whom personal data is shared;
- Information about the privacy policy and about the terms and conditions for revoking consent;
- Revocation of consent.
All these rights can be exercised free of charge.
Under the LGPD, the international transfer of personal data is permitted to countries or international organizations that ensure an adequate level of protection of personal data, or when the controller ensures compliance with the LGPD’s norms.
If an organization violates the LGPD, the law sets the maximum fine per violation at 2% of the company's revenue in Brazil for the prior fiscal year, excluding taxes, capped at 50 million Brazilian reais (about €11 million or $13 million) per violation.
So far there are no guidelines on more specific fines per violation that would account for the volume of a data breach, the affected parties and the consequences. Nor are there procedures for payment, or a designated body to enforce these fines.
We would also expect to see penalties scaled to the company's revenue, because $13 million is not a large sum for companies with sales in the billions.
Key Terms of the LGPD
Personal data – information regarding an identified or identifiable natural person.
Sensitive personal data – personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person.
Data subject – the natural person to whom the personal data undergoing processing refers.
Controller – a natural person or legal entity, of public or private law, that has the competence to make the decisions regarding the processing of personal data.
Processor – a natural person or legal entity, of public or private law, that processes personal data in the name of the controller.
Data Protection Officer (DPO) – a natural person, appointed by the controller, who acts as the communication channel between the controller, the data subjects and the national authority.
Processing – any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation, or control of the information, modification, communication, transfer, dissemination or extraction.
GDPR vs. LGPD: Main Differences
Both policies have numerous similarities as the LGPD was inspired by the GDPR and based on many of its positions. However, there are key differences as well.
| | GDPR | LGPD |
|---|---|---|
| Legal bases for data processing | Six lawful bases. | Ten lawful bases. |
| Anonymized data | Not covered by the regulation. | Can be considered personal data, and protected as such, when used to build or enrich behavioral profiles of an identified individual. |
| Parental consent for children's data | Required only with regard to the offering of information society services. | Required for any processing of children's personal data. |
| Data Protection Officer (DPO) | Required under specific, established circumstances. | Mandatory for controllers. A controller must appoint a DPO or outsource the role to a third party according to the nature and size of the entity and the volume of data processing; the LGPD does not limit the appointment to specific circumstances. |
| Data Protection Impact Assessment (DPIA) | Required under specific, established circumstances. | Can be requested by the national authority; the triggering circumstances are not established. |
| Data breach/security incident | Must be reported to the local data protection authority within 72 hours of discovering the breach. | Must be reported to the national authority and to the data subject; no time frame is specified. |
| Response to a data processing objection | Must be answered within 1 month of receipt; extendable by 2 further months depending on the complexity and volume of requests. | The controller must respond immediately to the data subject's request. |
| Access to personal data | Must be provided within 1 month of receipt; extendable by 2 further months depending on the complexity and volume of requests. | Must be provided within 15 days of receipt of the request. |
How to Comply with the LGPD
The LGPD requires companies to implement all reasonable protective measures and to respond to any inquiry from a data subject. That means as a business you are required to
- provide notice, inform, correct, anonymize or block personal data upon request of the data subject;
- delete personal data upon request of the data subject, or once the agreed consent duration expires;
- ensure technical and administrative security measures that protect personal data from breaches, unauthorized access, processing without consent, and other security incidents.
And the first step before taking more specific measures should be a complete analysis of your current processing activities:
- Determine which personal data processing activities your company runs fall under the LGPD;
- Identify all technologies you use for data collection, tracking and processing;
- Identify whether you process any personal data that qualifies as sensitive;
- Identify what legal basis under the LGPD you apply to process personal data.
- Identify which of your current processing activities, if any, do not comply with the LGPD’s requirements;
- Revise and update, if needed, your agreements with third parties you share with or sell data to. Under the LGPD, the data subject has the right to disclosure of any third parties and the corresponding related data.
After a full analysis, you’ll know what aspects of your processing activities, customer policy and external agreements may need adjustments, and prioritize them correspondingly. However, there is a high chance you’ll have to implement much of the following.
Whatever technology (cookies, tags, pixels) is used to track your website visitor activity, you need to provide notice and obtain consent for each of these technologies. You also need to specify
- The purpose of the particular technology and corresponding data collection (and the received consent must be specific to such purposes).
- Duration of data storage;
- Options to revoke consent if needed.
A common practice today is a cookie settings/preferences panel where a user can choose which kinds of data processing they accept and consent to.
Make sure you only collect the data you really need and actually use to fulfill your marketing needs. There is little point in collecting every piece of information you never plan to use, and then spending resources to keep it secure and compliant.
The trend of the last three years suggests we will see more laws like the CCPA and the LGPD, and you will have to comply with each of them even if only one of your visitors falls into the corresponding category. So it is better to narrow the scope of personal information you process today.
Send a notification about policy updates.
You may consider including a checkbox in your email so the recipient can confirm that they have read and agree to the new policy. The more data you collect and store, the more careful you should be about the data subject's consent.
Appoint a data protection officer.
If you are defined as a controller under the LGPD, it looks like you now need one more specialist on your team, responsible for communication between you, the data subjects and the authorities. Their identity and contact details should be publicly disclosed, preferably on the controller's website.
Hopefully, this requirement will be reconsidered by the Brazilian authority (as soon as it is established) to take into account the company's type, size and volume of data processing operations.
Keep the record of the third parties you share the personal data to.
Under the LGPD, a person has the right to disclosure of any third parties with whom their personal data is shared. So you need to know who you transfer data to, what data, and under what conditions, and be ready to provide that information upon request.
Implement a procedure to respond to data subject requests.
Be prepared to send a data breach notification to both the data subject and the authorities in case of a breach or any other security incident. Your response to data subject requests should be equally quick: you must reply to a data processing objection immediately after receiving it, and you must reply to a request for access to personal data within 15 days of receipt.
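As an added example (this is not code from the original article), the following Python sketch shows one way to implement the obligations described above in a consent ledger: consent that is bound to a specific purpose and tracking technology, expires after the declared storage duration and can be revoked per purpose; a log of every third party the data was shared with; and an access-request export that bundles those records with the 15-day reply deadline. The subject IDs, purpose names, technology names and recipient names are constructed for illustration and are not from the page.

```python
# Added example: a purpose-bound consent ledger with retention-based expiry,
# per-purpose revocation, a third-party disclosure log and a subject-access export.
# All identifiers (purposes, trackers, recipients, subject IDs) are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed reference clock so the example runs offline and deterministically.
EPOCH = datetime(2020, 8, 15, tzinfo=timezone.utc)


def day(n: int) -> datetime:
    """n days after the constructed EPOCH."""
    return EPOCH + timedelta(days=n)


@dataclass
class Consent:
    purpose: str                 # what the data is processed for
    technology: str              # which tracker collects it (cookie, tag, pixel)
    granted_at: datetime
    retention: timedelta         # storage duration declared when consent was requested
    revoked_at: Optional[datetime] = None

    def is_valid(self, now: datetime) -> bool:
        """Valid only if not revoked and the declared duration has not elapsed."""
        if self.revoked_at is not None and self.revoked_at <= now:
            return False
        return now < self.granted_at + self.retention


@dataclass
class Disclosure:
    purpose: str
    recipient: str               # third party the data was shared with
    shared_at: datetime


class ConsentLedger:
    def __init__(self) -> None:
        self._consents: Dict[str, List[Consent]] = {}
        self._disclosures: Dict[str, List[Disclosure]] = {}

    def grant(self, subject_id: str, purpose: str, technology: str,
              retention_days: int, now: datetime) -> None:
        """Record consent for exactly one purpose and one technology."""
        self._consents.setdefault(subject_id, []).append(
            Consent(purpose, technology, now, timedelta(days=retention_days)))

    def revoke(self, subject_id: str, purpose: str, now: datetime) -> None:
        """Revocation is per purpose; consents for other purposes are untouched."""
        for c in self._consents.get(subject_id, []):
            if c.purpose == purpose and c.revoked_at is None:
                c.revoked_at = now

    def may_process(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Gate every processing step on a currently valid consent for this purpose."""
        return any(c.purpose == purpose and c.is_valid(now)
                   for c in self._consents.get(subject_id, []))

    def share(self, subject_id: str, purpose: str, recipient: str, now: datetime) -> bool:
        """Share with a third party only under valid consent, and log the recipient."""
        if not self.may_process(subject_id, purpose, now):
            return False
        self._disclosures.setdefault(subject_id, []).append(Disclosure(purpose, recipient, now))
        return True

    def purge_expired(self, now: datetime) -> int:
        """Delete consents whose retention period has elapsed; returns how many."""
        removed = 0
        for sid, consents in self._consents.items():
            keep = [c for c in consents if now < c.granted_at + c.retention]
            removed += len(consents) - len(keep)
            self._consents[sid] = keep
        return removed

    def access_report(self, subject_id: str, now: datetime) -> dict:
        """What the subject gets on an access request: every consent with its
        technology, expiry and validity, every third-party recipient, and the
        15-day reply deadline counted from receipt of the request."""
        return {
            "consents": [
                {"purpose": c.purpose, "technology": c.technology,
                 "granted_at": c.granted_at.isoformat(),
                 "expires_at": (c.granted_at + c.retention).isoformat(),
                 "revoked": c.revoked_at is not None,
                 "valid": c.is_valid(now)}
                for c in self._consents.get(subject_id, [])],
            "shared_with": sorted({d.recipient for d in self._disclosures.get(subject_id, [])}),
            "reply_by": (now + timedelta(days=15)).date().isoformat(),
        }


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("user-42", "analytics", "cookie:_ga", 30, day(0))
    ledger.grant("user-42", "ad-retargeting", "pixel:ads", 90, day(0))
    ledger.share("user-42", "ad-retargeting", "AdNetwork Inc.", day(1))
    ledger.revoke("user-42", "ad-retargeting", day(2))
    print(ledger.access_report("user-42", day(3)))
```

The point of keying consent on both purpose and technology is that a request to revoke consent for retargeting must not silently switch off analytics, and a share with a third party is refused, not merely logged, once consent is gone. A real deployment would persist the ledger and key the subject ID to the same identifier the trackers use.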
Be prepared to provide a Data Protection Impact Assessment.
The LGPD requires a company acting as a controller to be ready to provide a data protection impact report that assesses its data processing activities and whether they respect the rights of data subjects under specific circumstances.
These circumstances, however, are not specified. The Brazilian authority can request a DPIA whenever it considers it necessary, and the report must include at least:
- description of the types of data processed;
- methods used to collect the data;
- methods of information security used;
- description of mechanisms used to mitigate the risks related to the processing of the personal data involved.
In general, the purpose of the new data protection act is sound and worthwhile: to give people more control over the processing of their personal data, which has grown dramatically. However, the absence of a single authority responsible for drafting, regulating and enforcing the law's provisions makes this and similar initiatives a real headache for marketers and company legal departments.