After the European General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) - which was subsequently replaced with the Consumer Privacy Rights Act (CPRA) - Brazil shook the field of data privacy and the internet industry when it introduced its own comprehensive data privacy regulation, Lei Geral de Proteção de Dados Pessoais (LGPD).
Brief History of the LGPD
According to recent statistics, Brazil has 140 million internet users (the population of the 10th largest country in the world), making it one of the largest internet markets in Latin America and the fourth largest market globally.
In previous years, Brazil drafted over 40 federal legal regulations concerning data privacy, some of which established general guidelines while others were sector-specific, leading to many overlaps and conflicts between laws across industries. The drawback of these sectoral laws is that they apply only to specific industries and do not provide comprehensive protection for Brazilian internet users and consumers. Also, for organizations and businesses involved in multi-sectoral operations, complying with all of these different laws and their requirements is an expensive and difficult affair. This is why Brazil's new data protection law, the LGPD (Lei Geral de Proteção de Dados Pessoais), was set in motion to provide a more comprehensive, overarching regulatory framework for data privacy.
The Brazilian National Congress passed the LGPD on the 14th of August, 2018. In August 2020, the President of Brazil approved the creation of the federal independent regulatory authority - the Autoridade Nacional de Proteção de Dados (ANPD) - to interpret and enforce the LGPD and act as the national supervisory authority.
Despite the onset of the COVID pandemic and a planned delay in application until December 2020 or May 2021, the LGPD came into force on September 18th, 2020, and has been in effect since then.
Influence of GDPR
It is well known that the LGPD was drafted on the model of the GDPR, so much so that some people call it Brazil’s GDPR. The LGPD contains 65 articles that grant individuals data subject rights, impose obligations on organizations for the lawful processing of personal data, require notification of data breaches to the supervisory authority and affected data subjects, create a national supervisory authority to interpret and enforce the law, regulate international transfers of data, define lawful consent collection guidelines and impose heavy penalties on violators, all similar to the GDPR.
Essence of the LGPD Law
LGPD provides:
- 9 data subject rights requests exercisable by individual data subjects;
- 10 legal bases for lawful processing;
- Obligatory and transparent disclosure requirements for organizations to include in their privacy policy;
- Consent collection and management requirements for organizations;
- Requirement for organizations to appoint a Data Protection Officer;
- Special rights for children;
- Data security requirements and mandatory breach notifications;
- Regulations for international data transfers;
- Obligation for organizations to provide Data Protection Impact Assessments (DPIAs) upon request of the ANPD;
- Powers for the ANPD to make regulations for the application of the act, receive complaints from data subjects, and investigate any organization for suspected violations of the legal requirements of the LGPD;
- Jurisdiction to ANPD to try suspected violators and impose various penalties and sanctions if they are found to be non-compliant.
Rights under LGPD
The LGPD offers individual data subjects a set of 9 rights over their personal data, exercisable against both public and private organizations. This is very different from the various federal sectoral laws of the past, which offered only partial protections, and the approach is greatly influenced by the EU’s General Data Protection Regulation:
- Right to be informed about the existence of the processing.
- The right to access the data.
- The right to correct inaccurate, incomplete, or out-of-date data.
- The right to block, anonymize, or delete excessive or unnecessary data or data that is not being processed in compliance with LGPD.
- The right to the portability of data to another service by an express request.
- The right to deletion of personal data which is processed with the consent of the data subject.
- The right to information about private and public entities with which the data is shared.
- The right to be informed about the possibility of denying consent and the consequences of such denial.
- The right to revoke consent.
Definitions under LGPD
Following are the 19 definitions that come under LGPD.
- Personal Data
Information on an identifiable or identified natural person.
- Sensitive Personal Data
Personal data concerning ethnic or racial origin, political opinion, religious beliefs, trade union or philosophical, religious or political organization membership, data concerning health, or genetic or biometric data, relating to a natural person.
- Data Subject
A natural person whose personal data is the object of processing.
- Consent
Free, informed and unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose.
- Processing
An operation carried out with personal data.
- Database
Structured set of personal data, kept in one or several locations, in electronic or physical support.
- Processing Agents
The controller and the operator.
- Controller
Natural person or legal entity, public or private law, that has the competence to make decisions regarding the processing of personal data.
- Operator
Natural person or legal entity, public or private law, that processes personal data in the name of the controller.
- Officer
Natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority (the ANPD).
- Anonymization
Use of reasonable and available technical means during processing, through which the data loses the possibility of direct or indirect association with an individual.
- Blocking
Temporarily suspending the processing operation by means of retention of the database or personal data.
- Deletion
Exclusion of a set of data held within a database, irrespective of the procedure used.
- International Data Transfer
Transfer of personal data to a foreign country or to an international body of which the country is a member.
- Shared Use of Data
Communication, international transfer, dissemination, interconnection of data or shared processing of banks of personal data by public agencies and entities, in compliance with legal capabilities, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or among private entities.
- Data Protection Impact Assessment
Documentation from the assigned controller which contains the description regarding the proceedings of the data processing that could pose risks to fundamental rights and civil liberties, as well as safeguards and mechanisms to mitigate risk.
- Research Body
Body or entity of the public administration, or nonprofit legal entity of private law, legally organized under Brazilian law, with headquarters and jurisdiction in the Country, which includes in its institutional mission or in its corporate or statutory purposes basic or applied research of a historical, scientific, technological or statistical nature (New Wording Given by Law No. 13,853/2019).
- National Authority
Body of the public administration responsible for monitoring, supervising and implementing compliance with this Law throughout the national territory (New Wording Given by Law No. 13,853/2019).
- Security Incident
Security Incident means any confirmed adverse event related to the violation of properties of confidentiality, integrity, availability, and authenticity of personal data security.
- Authenticity
Authenticity means property by which it is ensured that the information was produced, sent, modified, or destroyed by a specific natural person, equipment, system, body or entity.
- Confidentiality
Confidentiality means property by which it is ensured that personal data is not available or not disclosed to unauthorized persons, companies, systems, bodies or entities.
- Availability
Availability means property by which it is ensured that personal data is accessible and usable, on demand, by a natural person or a certain duly authorized system, body or entity.
- Integrity
Integrity means property by which it is ensured that personal data has not been modified or destroyed in an unauthorized or accidental manner.
10 Legal Bases of Processing
Following are the 10 legal bases of processing:
- Consent of data subject.
- Compliance with a legal obligation of the controller.
- Execute policies provided in the regulation or based on agreements, contracts, or similar instruments.
- To carry out research studies by entities that ensure the anonymization of personal data whenever necessary.
- To execute preliminary procedures related to a contract to which the data subject is a party.
- To exercise rights through administrative, judicial, or arbitration procedures.
- To protect the physical safety of the third party or data subject.
- To protect health, in a procedure carried out by health professionals or by health entities.
- To fulfill the legitimate interests of the controller or of a third party, except when the data subject's fundamental rights requiring personal data protection prevail.
- To secure credit.
Autoridade Nacional de Proteção de Dados (ANPD)
The National Data Protection Authority of Brazil - Autoridade Nacional de Proteção de Dados (ANPD) - is a federal public administration body that is part of the Presidency of the Republic. Its main objectives are:
- To interpret the LGPD;
- Create awareness among data subjects about their rights under the LGPD;
- Ask organizations to conduct Data Protection Impact Assessments (DPIAs) and audit their data processing activities to ensure compliance;
- Conduct public consultancies;
- Create regulations for the application of the LGPD and keep it up-to-date with recent trends and technologies;
- To work with other regulatory bodies and keep a check on public authorities to which the LGPD applies;
- To assess whether other jurisdictions provide adequate protection for data subjects' data;
- To regulate cross-border data transfers;
- To undertake international cooperation initiatives with the supervisory authorities or data privacy regulators of other countries;
- To promote and support technologies and studies which focus on providing data subjects greater control over their privacy;
- To enforce the LGPD by receiving complaints of data subjects;
- Investigating and proceeding against violating organizations and conducting hearings before enforcing sanctions and penalties.
What is a DPO under LGPD?
The DPO is the individual within an organization who has the following tasks under the LGPD:
- Oversee the LGPD adoption process in the organization;
- Organize a data protection compliance program and monitor its implementation;
- Provide guidance to senior management of the organization with regard to compliance with LGPD.
Cross Border Data Transfer Guidelines
LGPD also regulates the cross-border transfer of personal data from Brazil to other countries and jurisdictions in a similar manner to the GDPR. Cross-border transfers can only take place if:
- The transfer of personal data is to organizations in jurisdictions that have an adequate level of protection;
- Adequate guarantees of compliance with the data subject rights provided by the LGPD are in place. These include:
  - Specific contractual clauses;
  - Standard contractual clauses;
  - Global corporate norms;
  - Regularly issued stamps, certificates and codes of conduct.
- The transfer is necessary for international legal cooperation;
- The transfer is necessary to protect the life or physical safety of the data subject or of a third party;
- The ANPD has provided the authorization;
- The transfer is subject to a commitment;
- The transfer is necessary for the legal attribution of public service or execution of a public policy.
Obligations under LGPD
LGPD imposes obligations on organizations dealing with and processing the user data of Brazilians. Some of the most important requirements are:
- Processing can only happen under one of the lawful bases.
- Data controllers must assign Data Protection Officers.
- Data Protection Impact Assessments (DPIAs) must be carried out when required by the ANPD.
- Reasonable security measures must be in place to protect user data.
- In case of a breach, operators and controllers must provide breach notifications to the ANPD and to the affected users.
- Operators and controllers must keep records of data processing activities.
Security Guidelines under LGPD
Following are some important security guidelines under LGPD:
- Strict control over who has access to data, by defining the liability of the persons involved and granting exclusive access privileges to specific users.
- Deployment of authentication mechanisms for records access.
- Creation of a detailed inventory of access to connection records and access to applications.
- Use of records management techniques that ensure the inviolability of data, such as encryption or equivalent protective measures.
Breach Notification Requirements
- Data Controllers are required to notify the ANPD and affected data subjects of security incidents that may create significant risk or relevant damage to the data subjects within three working days.
- The ANPD shall verify the seriousness of the incident and, if necessary to safeguard the data subjects’ rights, may order the controller to adopt measures to mitigate or reverse the possible harm to the data subjects.
- A security incident poses a significant risk to data subjects if it can affect their interests and fundamental rights and involves at least one of the following criteria:
  - Sensitive personal data;
  - Data on children, adolescents, or elderly people;
  - Financial data;
  - Authentication data in systems;
  - Data protected by legal, judicial, or professional secrecy; or
  - Large-scale data.
Security incidents would be considered to pose a significant risk if they would cause material or moral damage to data subjects, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud, or identity theft.
Content of Notification to the Regulatory Authority
The Notification sent by the data controller to the ANPD shall, at a minimum:
- Define the nature of the affected individuals’ personal data;
- Provide information regarding data subjects involved;
- Indicate the security measures taken by the data controller to safeguard the affected data;
- Describe the risks to the data subject generated by the incident;
- Provide reasons for any delay in communication of the notification;
- Lay down measures that were or will be adopted by the data controller to protect the affected data subjects from further harm;
- The date of occurrence of the incident, when possible to determine, and the date on which the controller became aware of it;
- The details of the person in charge or whoever represents the controller;
- Identification of the controller and, if applicable, a declaration that it is a small-scale processing agent;
- Operator identification, when applicable;
- Description of the incident, including the main cause, if it is possible to identify;
- The total number of data subjects whose data is processed in the processing activities affected by the incident.
The information may be supplemented, in a well-founded manner, within a period of twenty working days, counting from the date of communication.
Content of Notification to the Data Subjects
The notice issued to the data subjects must contain the following:
- Description of the nature and category of personal data affected;
- The technical and security measures used to protect the data, subject to commercial and industrial secrecy;
- The risks related to the incident with identification of possible impacts on data subjects;
- The reasons for the delay, if the communication was not made within the deadline;
- The measures that have been or will be adopted to reverse or mitigate the effects of the incident, when applicable;
- The date of knowledge of the security incident;
- The contact for obtaining further information and, when applicable, the contact details of the person in charge.
Record Keeping
Businesses are required by the LGPD to maintain adequate records of their data processing activities, especially when the processing is based on legitimate interest.
Moreover, the controller must keep a record of each security incident, including incidents not communicated to the ANPD and the data subjects, for a minimum period of five years. The record must contain:
- The date of knowledge of the incident;
- The general description of the circumstances in which the incident occurred;
- The nature and category of affected data;
- The number of affected data subjects;
- Risk assessment and possible damage to data subjects;
- Measures to correct and mitigate the effects of the incident, when applicable;
- The form and content of the communication, if the incident has been reported to the ANPD and the data subjects;
- The reasons for the lack of communication, when applicable.
Who Must Comply
Unlike the CCPA, the LGPD does not consider a company's size or revenue. Instead, it focuses on the information a company holds. Under Article 3 of the LGPD, any organization that performs any of the following activities is liable to comply with the LGPD:
- Processing data within the territory of Brazil;
- Processing the data of individuals who are within the territory of Brazil, regardless of where the data operator is located;
- Processing data which was collected within the territory of Brazil.
Exemptions of processing sensitive data
Article 11 of the LGPD mentions the limited situations under which sensitive data can be processed. These are:
- When the data subject or her/his legal representative specifically and distinctly consents for the specific purposes.
- Without consent from the data subject, in situations where it is indispensable for:
  - Controller’s compliance with a legal or regulatory obligation;
  - Shared processing of data for public administration;
  - Studies carried out by a research entity;
  - Regular exercise of rights;
  - Protecting the life or the safety of an individual;
  - Ensuring the prevention of fraud.
Penalties for Non-compliance under LGPD
The LGPD provides for the following administrative sanctions to be applied by the ANPD in case any violation of the provisions of the LGPD is committed by the data processing agents:
- Warning;
- Simple Fine, up to a maximum limit of 2% of the gross revenue of the legal entity or R$ 50,000,000, whichever is lower;
- Daily Fine, up to a maximum limit of 2% of the gross revenue of the legal entity or R$ 50,000,000, whichever is lower;
- Public disclosure of the violation;
- Blocking of personal data to which violation relates until its regularization;
- Deletion of personal data to which violation relates;
- Partial suspension of the operation of the database related to the violation;
- Suspension of the personal data processing activity related to the violation; and
- Partial or total prohibition of the data processing activities.
The application of administrative sanctions by the ANPD is governed by the Regulation of Dosimetry and Application of Administrative Sanctions (‘Regulation’), issued by Resolution CD/ANPD No. 4, of February 24, 2023. In addition to classifying violations by severity level, the Regulation sets out parameters and criteria for the application of each administrative sanction as well as the methodology for calculating the amount of fines.
To learn more about LGPD and other privacy regulations across the globe, and what your organization can do to comply, sign up to get a free copy of the PrivacyOps book.
LGPD Compliance Checklist
The LGPD has a number of regulations that organizations need to be aware of before they can hope to stay in compliance with this legislation. Following is a quick checklist that can be a stepping stone toward compliance with the LGPD.
- Map out the ways your organization stores and processes data:
The first step towards compliance is being able to constantly track where data is stored and how it is processed within the organization.
- Address the user rights the data subjects have on their data:
Organizations need to be aware of the data subject rights and honor them in case a data subject decides to exercise these rights.
- Ensure Data Security with appropriate security controls in place:
It is paramount that appropriate security controls are in place to protect the consumer's data from unauthorized access or from a breach.
- Create a system to tackle data breaches:
Data breaches are almost unavoidable and organizations need to have a plan in place in case a breach occurs - from taking appropriate mitigation efforts to notifying affected data subjects - non-compliance with these activities can be very costly for the organization.
- Carry out regular Data Protection Impact Assessments (DPIA):
It is important that an organization is always aware of its standing with regard to data privacy and security, which is why running regular DPIAs on your processing activities is recommended.
- Hire a Data Protection Officer if needed:
A data protection officer is necessary to an organization since his/her tasks focus solely on data privacy - it is recommended that one is hired to assist with the LGPD compliance requirements.
- Create a data processing agreement:
Organizations need to put a written agreement in place between processors and controllers, and carry out the necessary audits of their processors’ activities to ensure they comply with the law.
- Revamp your privacy policy based on the LGPD:
Finally, organizations need to rework their privacy policy and align it with the LGPD standards for transparency and necessary disclosures.
Automation Towards Compliance
Securiti is an award-winning compliance solution that revolves around the concept of PrivacyOps. The PrivacyOps framework calls for using robotic automation, artificial intelligence and machine learning. This system automates the majority of tasks, freeing up resources for other business operations.
Securiti helps businesses map data over a web of internal and external systems and stitch a data graph to link personal data with each individual. It can also conduct automated internal assessments of policies as well as third-party vendors, manage consent and do a lot more! It is the ultimate tool for compliance with LGPD as well as any other data privacy regulation in the world.
To learn how Securiti can help you on your journey towards compliance, while efficiently implementing privacy management, request a demo today.
Key Facts about LGPD