Published on February 21, 2022. Author: Privacy Research Team
On January 28, 2022, Brazil's national data protection authority, the ANPD, passed a major regulation that alters how the Lei Geral de Proteção de Dados Pessoais (LGPD) applies to 'small businesses'. The resolution was issued under the mandate given to the ANPD by Article 55-J (XVIII) of the LGPD. The new regulation reduces compliance requirements and eases adherence to data protection principles for small businesses, startups and micro enterprises covered by the LGPD.
This approach stands in stark contrast to the EU's approach to GDPR compliance, which imposes the same extensive compliance requirements on small businesses as on large multinational corporations. That has drawn a fair amount of criticism, since small businesses, startups and micro enterprises lack the resources that larger businesses and multinational corporations have to comply with the full breadth of the GDPR; critics argue this makes the GDPR a burden and an anti-competitive measure that discourages entrepreneurship and small business formation.
It is also worth noting that comprehensive privacy laws passed by US states, such as the CCPA (which will be replaced by the CPRA in January 2023), apply only to businesses that cross a certain threshold, measured either by revenue or by the number of persons whose personal data they handle. This automatically excludes smaller businesses that either lack the resources to meet the law's strict data protection requirements or do not process enough data for those requirements to be considered necessary.
We have detailed the changes to LGPD application for small businesses, startups and microenterprises as per these new regulations:
As per Articles 1 and 2 of the new regulation, it applies only to 'Small-Sized Processing Agents', which are defined as:
The Small-Sized Processing Agents that cannot take advantage of this regulation are those which:
It is also important to note that:
As per Article 4 of the regulation, for a processing operation (treatment) of personal data to be deemed high-risk processing, it must meet one general and one specific criterion:
The ANPD may publish guides and guidelines to assist Small-Sized Processing Agents in assessing whether processing is high-risk. It is the responsibility of the small-sized entity to prove, within 15 days of being notified by the ANPD, that it qualifies as a Small-Sized Processing Agent under this regulation or that it falls within the exclusionary clauses.
As per Article 6 of the new regulation, the waiver or relaxation of the obligations set out in the regulation does not exempt Small-Sized Processing Agents from complying with the other provisions of the LGPD, including its legal bases and principles, other legal, regulatory and contractual provisions relating to the protection of personal data, and the rights of data subjects (DSRs).
As per Article 16, the ANPD may require Small-Sized Processing Agents to comply with the original obligations of the LGPD that this regulation waives or relaxes, taking into account the relevant circumstances, such as the nature or volume of the operations and the risks to the data subject.
As per Article 9 of the new regulations, the ANPD will provide a simplified model to Small-Sized Processing Agents for the preparation and maintenance of ROPA (record of personal data processing activities) reports as they are required under Article 37 of the LGPD.
As per Article 10 of the new regulations, the ANPD shall pass further regulations for flexibility or a simplified procedure for reporting security incidents for Small-Sized Processing Agents.
As per Article 11 of the regulation, Small-Sized Processing Agents are not required to designate the person in charge of the processing of personal data (i.e., the Data Protection Officer, DPO) as required by Article 41 of the LGPD. However, entities that do not appoint a person in charge must provide a communication channel with the data subject in order to comply with Article 41(§2)(I) of the LGPD.
As per Article 14 of the new regulations, the following deadlines have been extended by granting Small-Sized Processing Agents a double period:
As per Article 15 of the regulation, Small-Sized Processing Agents may provide the simplified declaration referred to in Article 19(I) of the LGPD within a period of up to 15 days, counted from the date of the data subject's (holder's) request.
Note: The regulation also states that any deadlines for Small-Sized Processing Agents not provided for in this regulation will be determined by specific regulation.
The worldwide dynamics of accessing, protecting, and sharing personal data are rapidly evolving. Businesses must become more privacy-conscious in their processes and act as responsible guardians of their customers' data, while automating privacy and security operations to fulfil data subject rights and maintain compliance.
With an ever-growing user base, businesses need to adopt robotic automation to operationalize compliance rather than fall behind.
Securiti is a renowned AI-powered data intelligence, data compliance, and governance solution. With its PrivacyOps platform, organizations large and small can comply with global data protection laws and regulations with a single click.
Request a demo today to discover how Securiti can operationalize compliance with LGPD.