IDC Names Securiti a Worldwide Leader in Data Privacy
After the European General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) - which was subsequently replaced with the Consumer Privacy Rights Act (CPRA) - Brazil shook the field of data privacy and the internet industry when it introduced its own comprehensive data privacy regulation, Lei Geral de Proteção de Dados Pessoais (LGPD).
According to recent statistics, Brazil has 140 million internet users (the population of the 10th largest country in the world), making it one of the largest internet markets in Latin America and the fourth largest market globally.
In previous years, Brazil drafted over 40 federal legal regulations concerning data privacy. Some established general guidelines and others were sector-specific, leading to many overlaps and conflicts between laws across industries. The drawback of these sectoral laws is that they apply only to specific industries and do not provide comprehensive protection for Brazilian internet users and consumers. For organizations and businesses with multi-sectoral operations, complying with all of these different laws and their requirements is also expensive and difficult. This is why Brazil's new data protection law, known as the LGPD (Lei Geral de Proteção de Dados Pessoais), was set into motion to provide a more comprehensive, overarching regulatory framework for data privacy.
The Brazilian National Congress passed the LGPD on the 14th of August, 2018. In August 2020, the President of Brazil approved the creation of the federal independent regulatory authority - the Autoridade Nacional de Proteção de Dados (ANPD) - to interpret and enforce the LGPD and act as the national supervisory authority.
Despite the onset of the COVID pandemic and a planned delay in application until December 2020 or May 2021, the LGPD came into force on September 18th, 2020, and it has been in effect since then.
It is well known that the LGPD was drafted and based on the GDPR, so much so that some people call it Brazil’s GDPR. The LGPD contains 65 articles that provide individuals with data subject rights, impose obligations upon organizations for lawful processing of personal data, require notification of data breaches to the supervisory authority and affected data subjects, create a national supervisory authority to interpret and enforce the law, regulate international transfer of data, define lawful consent collection guidelines and impose heavy penalties on violators similar to the GDPR.
LGPD provides:
The LGPD offers individual data subjects a set of 9 rights over their personal data, which can be exercised against both public and private organizations. This is very different from the various federal sectoral laws of the past, which offered only partial protections. The LGPD's approach here is greatly influenced by the EU's General Data Protection Regulation:
Following are the 19 definitions set out in the LGPD.
Following are the 10 legal bases of processing:
The National Data Protection Authority of Brazil (Autoridade Nacional de Proteção de Dados, ANPD) is a federal public administration body that is a member of the Presidency of the Republic. Its main objective is:
The DPO is the individual within an organization who has the following tasks under the LGPD:
LGPD also regulates the cross-border transfer of personal data from Brazil to other countries and jurisdictions in a similar manner to the GDPR. Cross-border transfers can only take place if:
LGPD imposes obligations on organizations dealing with and processing the user data of Brazilians. Some of the most important requirements are:
Following are some important security guidelines under LGPD:
Unlike the CCPA, the LGPD does not consider a company's size or revenue. Instead, it focuses on the information a company holds. Under Article 3 of the LGPD, any organization that performs the following tasks is liable to comply with the LGPD:
Article 11 of the LGPD mentions the limited situations under which sensitive data can be processed. These are:
The LGPD provides for the following administrative sanctions to be applied by the ANPD in case any violation of the provisions of the LGPD is committed by the data processing agents:
The application of administrative sanctions by the ANPD is governed by the Regulation of Dosimetry and Application of Administrative Sanctions ('Regulation'), issued by Resolution CD/ANPD No. 4, of February 24, 2023. In addition to classifying violations by severity level, the Regulation sets out parameters and criteria for applying each administrative sanction, as well as the methodology for calculating the amount of a fine.
To learn more about LGPD and other privacy regulations across the globe, and what your organization can do to comply, sign up to get a free copy of the PrivacyOps book.
The LGPD has a number of regulations that organizations need to be aware of before they can hope to stay in compliance with this legislation. Following is a quick checklist that can be a stepping stone toward compliance with the LGPD.
Securiti is an award-winning compliance solution that revolves around the concept of PrivacyOps. The PrivacyOps framework calls for using robotic automation, artificial intelligence and machine learning. This system automates the majority of tasks, freeing up resources for other business operations.
Securiti helps businesses map data over a web of internal and external systems and stitch a data graph to link personal data with each individual. It can also conduct automated internal assessments of policies as well as third-party vendors, manage consent and do a lot more! It is the ultimate tool for compliance with LGPD as well as any other data privacy regulation in the world.
To learn how Securiti can help you on your journey towards compliance, while efficiently implementing privacy management, request a demo today.
The LGPD has an extra-territorial application and applies to every activity of processing personal data, which:
Fines for non-compliance can range up to 2% of annual turnover in Brazil or R$ 50 million per violation, which is approximately €11 million.
Under the LGPD, processing personal data belonging to children and adolescents is subject to additional measures and must be done in their best interest.
Data related to a deceased person does not constitute personal data for LGPD purposes and is therefore not subject to the LGPD's level of protection.
LGPD stands for "Lei Geral de Proteção de Dados," which translates to the "General Data Protection Law" in Brazil. It is the country's comprehensive data protection legislation.
LGPD (Brazil's General Data Protection Law) and GDPR (General Data Protection Regulation) are similar in goals and principles, but they are distinct regulations. While both aim to protect individuals' data privacy rights, they have differences in their specific requirements and applicability.
The penalties for LGPD violations in Brazil can range from warnings to fines of up to 2% of the company's revenue, limited to a total of 50 million Brazilian reais (BRL) per infraction. Fines can vary depending on the nature and severity of the violation.
The LGPD grants Brazilian citizens several rights, including the rights to access their personal data, request correction, request deletion, obtain portability, and receive information about data processing activities. Individuals can also revoke consent and receive information about the entities with whom their data is shared.
LGPD data subjects are individuals whose personal data is being processed by organizations covered by the General Data Protection Law in Brazil. These individuals have rights and protections under the LGPD.
Yes, the LGPD has a legal basis in Brazil. It was enacted as Law No. 13,709/2018 and became effective in September 2020, establishing data protection and privacy regulations.
Anas Baig is a Product Marketing Manager with a proven track record in the cybersecurity industry. He has been a prominent contributor to numerous esteemed publications, including Infosecurity Magazine, CSO Online, Tripwire, Security Affairs, Network Computing, Security Boulevard, and several other renowned cybersecurity blogs. His in-depth knowledge and extensive experience in the industry make him a trusted source for cutting-edge insights and information in the ever-evolving world of cybersecurity.