Products
By Use Cases By Roles
Data Command Center
View
Learn more

AI Security & Governance

Discover, assess, and safeguard AI usage

Learn more

Asset and Data Discovery

Discover dark and native data assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Prevent sensitive data sprawl through real-time streaming platforms

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Secure sensitive data in hybrid multicloud and SaaS environments

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog datasets and enable users to find, understand, trust and access data

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle

Learn more

Compliance Management

Automate Compliance with Global AI and Data Frameworks using Common Controls and Tests
Data Controls Orchestrator
View
Data Command Center
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

AI Security & Governance

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

AI Security & Governance

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View

AI Security & Governance

View

Compliance Management

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Databricks

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

CPRA
California Privacy Rights Act

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA Compliance Solution

View

Brazil's LGPD

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

LGPD for Small Businesses and Startups

Published February 21, 2022

On January 28th 2022, Brazil’s national data protection authority, the ANPD, passed a major regulation which altered the application of the Lei Geral de Proteção de Dados Pessoais (LGPD) on ‘small businesses’. This resolution was passed as per the charge given to the ANPD by Article 55-J (XVIII) of the LGPD. These new regulations have reduced compliance requirements and eased adherence to data protection principles for small businesses, startups, and micro enterprises covered under the LGPD.

This approach is in stark contrast to the EU’s approach towards GDPR compliance, which applies the same extensive compliance requirements on small businesses as it does on large multinational corporations. This has been the subject of a fair bit of criticism, as small businesses, start-ups, and micro enterprises do not have the resources to comply with the entire breadth of the GPDR as compared to larger businesses and multinational corporations - thus making the GDPR a burden and an anti-competitive measure which reduces entrepreneurship and small business formation.

It is important to note that comprehensive privacy laws passed by US states such as the CCPA (which will be replaced by the CPRA in January 2023) apply only to businesses which cross a certain threshold (either in terms of revenue or the number of persons whose personal data they handle) - automatically, excluding smaller businesses who either do not have the resources to comply with the strict data protection requirements imposed by the law or do not have a significant volume of data for it to be deemed important for them to do so.

We have detailed the changes to LGPD application for small businesses, startups and microenterprises as per these new regulations:

1. Application

As per Article 1 and 2 of these new regulations, they apply only to ‘Small-Sized Processing Agents’ which are defined as:

micro-companies, small companies, startups, legal entities governed by private law, including non-profits;
- micro-companies and small companies: business partnership, simple partnership, sole proprietorship limited liability company, pursuant to art. 41 of Law No. 14,195, of August 26, 2021 and entrepreneurs referred to in art. 966 of Law No. 10,406, of January 10, 2002 (Civil Code), including individual micro-entrepreneurs, duly registered in the Commercial Companies Registry or in the Civil Registry of Legal Entities, which fall under the terms of art. 3 and 18-A, §1 of Complementary Law No. 123, of December 14, 2006; and natural persons and depersonalized private entities that process personal data, assuming typical controller or operator obligations;
- Startups: business or corporate organizations, nascent or in recent operation, whose performance is characterized by innovation applied to a business model or to products or services offered, which meet the criteria provided for in Chapter II of Complementary Law No. 182, of 1st June 2021.

The Small-Sized Processing Agents which cannot take the advantage of these regulations are those which:

Subject the personal data of data subjects to high-risk treatment/processing;
Earns gross revenue higher than the limit established in art. 3, II, of Complementary Law nº 123, of 2006 or, in the case of startups, in art. 4, § 1, I, of Complementary Law No. 182, of 2021; or
belong to a de facto or de jure economic group, whose global revenue exceeds the limits referred above, as the case may be.

It is also important to note that:

These regulations do not apply to the processing of personal data carried out by a natural person for exclusively private and non-economic purposes, as well as in the other cases provided for in art. 4 of the LGPD.

2. High risk treatment/processing

As per Article 4 of these regulations, for a processing operation/treatment of personal data to be deemed a high risk treatment/processing, the processing operation/treatment must meet one general and one specific criteria:

General criterias are defined as:
- large-scale processing of personal data:The processing of personal data on a large scale will be characterized by a processing operation compromising personal data which covers a significant number of data subjects, also considering the volume of data involved, as well as the duration, frequency and geographic extent of the treatment carried out; and
- processing of personal data that may significantly affect the interests and fundamental rights of the holders:The processing of personal data that may significantly affect interests and fundamental rights of data subjects will be characterized, among other situations, in those in processing activities which may prevent the exercise of rights or the use of a service by the data subjects, as well as cause material or moral damages to them, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud or identity theft.
Specific criterias are:
- use of emerging or innovative technologies;
- surveillance or control of areas accessible to the public;
- decisions made solely on the basis of automated processing of personal data, including those intended to define the personal, professional, health, consumer and credit profile or aspects of the holder's personality; or
- use of sensitive personal data or personal data of children, adolescents and the elderly.

The ANPD may provide guides and guidelines with the objective of assisting small-scale treatment agents in the evaluation of high-risk treatment and it will be the responsibility of the small sized entities to prove they are Small-Sized Processing Agents as per this regulation or fall within the exclusionary clauses, within 15 days of being provided notice by the ANPD.

3. Non-exempt provisions

As per Article 6 of the new regulations, the waiver or relaxation of the obligations set forth in this regulation does not exempt small processing agents from complying with other provisions of the LGPD, including the legal bases and principles, other legal, regulatory and contractual provisions relating to data protection personal data, as well as the rights of the data subjects (DSRs).

As per Article 16, the ANPD may require Small-Sized Processing Agents to comply with the original obligations of the LGPD, which might have been waived or made more flexible in this regulation, considering the relevant circumstances of the situation, such as the nature or volume of operations, as well as the risks to the data subject.

4. Data Subject Rights

As per Article 7 of these regulations, Small-Sized Processing Agents must provide information on the processing of personal data and meet the requests of data subjects (DSR request fulfillment) in accordance with the provisions of arts. 9 and 18 of the LGPD, through electronic, printed or any other means to facilitate access to information.
As per Article 8 of the new regulations, Small-Sized Processing Agents, even those falling within the exclusionary clause of performing high risk processing activities/treatments can organize themselves through entities representing the business activity, legal entities or natural persons for the purposes of negotiation, mediation and conciliation of complaints submitted by data subjects.

5. Simplified ROPAs

As per Article 9 of the new regulations, the ANPD will provide a simplified model to Small-Sized Processing Agents for the preparation and maintenance of ROPA (record of personal data processing activities) reports as they are required under Article 37 of the LGPD.

6. Simplified Breach Notifications

As per Article 10 of the new regulations, the ANPD shall pass further regulations for flexibility or a simplified procedure for reporting security incidents for Small-Sized Processing Agents.

7. Exemption from appointing Data Protection Officer (DPO)

As per Article 11 of these regulations, Small-Sized Processing Agents are not required to indicate the person in charge of the processing of personal data (i.e the Data Protection Officer - DPO) as required by Article 41 of the LGPD. However, those entities which do not appoint a person in charge must provide a communication channel with the data subject to comply with the provisions of Article 41(§2)(I) of the LGPD.

8. Safety and Good Practices

As per Article 12 of these regulations, Small-Sized Processing Agents must adopt essential and necessary administrative and technical measures, based on minimum information security requirements for the protection of personal data.
- The Small-Sized Processing Agents must consider the level of risk to the privacy of data subjects and their particular circumstances.
- Compliance with the recommendations and good practices of prevention and safety disclosed by the ANPD, including through guidance guides, will be considered as compliance with the provisions of Article 52(§1)(VIII) of the LGPD.
As per Article 13 of these regulations, Small-Sized Processing Agents must establish a simplified information security policy, which includes essential and necessary requirements for the protection of processing of personal data, in order to protect it from unauthorized access and from accidental or illegal situations.
- The simplified information security policy must take into account the implementation costs, as well as the entity’s structure, scale and volume of operations.
- Finally, The ANPD will consider the existence of a simplified information security policy for the purposes of determining a fine for non-compliance as it is required to do in Article 6(X) and Article 52(§1),(VIII) and (IX) of the LGPD.

9. Extended Timelines

As per Article 14 of the new regulations, the following deadlines have been extended by granting Small-Sized Processing Agents a double period:

For fulfilling the DSR requests regarding the processing of a data subject’s personal data, as provided for in Article 18(§3) and (§5) of the LGPD;
For notifying the affected data subjects and the ANPD of the occurrence of a security incident that may cause significant risk or damage - unless, there is a potential compromise to the physical or moral integrity of the data subjects or to national security due to the breach;
For providing a clear and complete declaration, as required by Article 19(II) of the LGPD.
For presentation of information, documents, reports and records requested by the ANPD to other processing agents.

As per Article 15 of these regulations, Small-Sized Processing Agents may provide the simplified declaration referred to in Article 19(I) of the LGPD within a period of up to 15 days, counted from the date of the holder's request.

Note: The regulations also state that those deadlines which are not provided for in these regulations for Small-Sized Processing Agents will be determined by specific regulation.

How Securiti Can Help

The worldwide dynamics of accessing, protecting, and sharing personal data are rapidly evolving, necessitating businesses to become more privacy-conscious of their processes and responsible guardians of their customers' data, all while automating privacy and security operations for fulfilment of data subject rights and seamless compliance.

With an ever-growing database of users, businesses must embrace robotic automation to operationalize compliance and avoid falling behind in automating their processes.

Securiti is a renowned AI-powered data intelligence, data compliance, and governance solution. Owing to its PrivacyOps platform, organizations big or small can seamlessly comply with global data protection laws and regulations with a single click.

Request a demo today to discover how Securiti can operationalize compliance with LGPD.