What is Lei Geral de Proteção de Dados Pessoais (LGPD)

After the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), since amended and expanded by the California Privacy Rights Act (CPRA), Brazil reshaped the privacy landscape for anyone serving its internet users when it introduced its own comprehensive data privacy law, the Lei Geral de Proteção de Dados Pessoais (LGPD).

Brief History on the LGPD

Brazil has an estimated 140 million internet users, a figure comparable to the entire population of the world's tenth most populous country, making it one of the largest internet markets in Latin America and, by that count, the fourth largest in the world.

Before the LGPD, Brazil had over 40 federal legal instruments touching on data privacy, some setting general principles and others sector-specific, which led to overlaps and conflicts between laws across industries. Sectoral laws protect users only within the industry they cover, so Brazilian internet users and consumers had no comprehensive protection, and organizations operating across several sectors faced the expensive and difficult task of complying with many different sets of requirements at once. The LGPD was drafted to replace this patchwork with a single, comprehensive regulatory framework for personal data.

The LGPD (Law No. 13,709/2018) was passed by the Brazilian National Congress and signed into law on August 14, 2018. Law No. 13,853/2019 created the Autoridade Nacional de Proteção de Dados (ANPD), the independent federal authority that interprets and enforces the LGPD and acts as the national supervisory authority; its organizational structure was approved by presidential decree in August 2020.

The law's entry into force was postponed more than once, and a further delay to May 2021 was proposed during the COVID-19 pandemic, but Congress did not confirm it. The LGPD has been in force since September 18, 2020. Administrative sanctions, however, could not be applied until August 1, 2021 (Law No. 14,010/2020).

Influence of GDPR

The LGPD was drafted with the GDPR as its model, so much so that it is often called Brazil's GDPR. Its 65 articles grant individuals data subject rights, impose obligations on organizations for the lawful processing of personal data, require notification of data breaches to the supervisory authority and to affected data subjects, create a national supervisory authority to interpret and enforce the law, regulate international data transfers, define the conditions for valid consent and impose heavy penalties on violators, all closely paralleling the GDPR.

Essence of the LGPD law

LGPD provides:

  • 9 rights that individual data subjects can exercise over their personal data;
  • 10 legal bases for lawful processing;
  • mandatory transparency disclosures that organizations must include in their privacy policy;
  • consent collection and management requirements for organizations;
  • a requirement for controllers to appoint a Data Protection Officer (encarregado);
  • special protections for the data of children and adolescents;
  • data security requirements and mandatory breach notification;
  • rules for international data transfers;
  • an obligation for controllers to prepare a Data Protection Impact Assessment (DPIA) when the ANPD requests one;
  • powers for the ANPD to issue regulations implementing the law, to receive complaints from data subjects and to investigate any organization for suspected violations;
  • authority for the ANPD to conduct administrative proceedings against suspected violators and impose sanctions on those found non-compliant.

Rights Under LGPD

The LGPD gives individual data subjects 9 rights over their personal data (Article 18), which can be exercised against both public and private organizations. This is a clear break from the earlier federal sectoral laws, which offered only partial protections, and it closely follows the EU's General Data Protection Regulation. The data subject has the right to:

  • confirmation of the existence of processing;
  • access to the data;
  • correction of incomplete, inaccurate or out-of-date data;
  • anonymization, blocking or deletion of unnecessary or excessive data, or of data processed in non-compliance with the LGPD;
  • portability of the data to another service or product provider, by express request;
  • deletion of personal data processed on the basis of the data subject's consent;
  • information about the public and private entities with which the controller has shared the data;
  • information about the possibility of denying consent and the consequences of such denial;
  • revocation of consent.

Definitions under LGPD

Article 5 of the LGPD defines 19 terms:

Personal data: information related to an identified or identifiable natural person.
Sensitive personal data: personal data on racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organization, and data concerning health, sex life, genetics or biometrics, when related to a natural person.
Anonymized data: data relating to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of processing.
Database: a structured set of personal data, stored in one or several locations, in electronic or physical form.
Data subject: the natural person to whom the personal data undergoing processing refers.
Controller: a natural person or legal entity, governed by public or private law, that is responsible for decisions regarding the processing of personal data.
Operator: a natural person or legal entity, governed by public or private law, that processes personal data on behalf of the controller.
Officer (encarregado): the person appointed by the controller to act as the communication channel between the controller, the data subjects and the national authority (the ANPD).
Processing agents: the controller and the operator.
Processing: any operation carried out with personal data, such as collection, reception, classification, use, access, reproduction, transmission, storage, deletion, modification, communication, transfer, dissemination or extraction.
Anonymization: the use of reasonable and available technical means at the time of processing through which data loses the possibility of direct or indirect association with an individual.
Consent: a free, informed and unambiguous manifestation by which the data subject agrees to the processing of their personal data for a given purpose.
Blocking: temporary suspension of any processing operation by retaining the personal data or the database.
Deletion: the removal of data or of a set of data stored in a database, regardless of the procedure used.
International data transfer: the transfer of personal data to a foreign country or to an international body of which the country is a member.
Shared use of data: communication, dissemination, international transfer, interconnection of personal data or shared processing of personal databases by public bodies and entities in fulfilment of their legal powers, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing permitted by these public entities, or among private entities.
Data Protection Impact Assessment: documentation by the controller that describes the processes for processing personal data that could pose risks to civil liberties and fundamental rights, together with the safeguards, security measures and mechanisms for mitigating those risks.
Research body: a body or entity of the public administration, or a non-profit legal entity governed by private law, legally constituted under Brazilian law, headquartered and based in Brazil, which includes basic or applied research of a historical, scientific, technological or statistical nature in its institutional mission or in its corporate or statutory purposes (wording given by Law No. 13,853/2019).
National authority: the body of the public administration responsible for overseeing, implementing and monitoring compliance with this law throughout the national territory (wording given by Law No. 13,853/2019).

Legal Bases of Processing

Article 7 lists the 10 legal bases on which personal data may be processed:

  1. With the consent of the data subject
  2. To comply with a legal or regulatory obligation of the controller
  3. By the public administration, for the processing and shared use of data necessary to execute public policies provided for in laws or regulations, or based on contracts, agreements or similar instruments
  4. For studies by a research body, ensuring the anonymization of personal data whenever possible
  5. When necessary for the execution of a contract, or of preliminary procedures related to a contract, to which the data subject is a party, at the data subject's request
  6. For the regular exercise of rights in judicial, administrative or arbitration proceedings
  7. To protect the life or physical safety of the data subject or of a third party
  8. To protect health, exclusively in a procedure carried out by health professionals, health services or the health authority
  9. When necessary to fulfil the legitimate interests of the controller or of a third party, except when the data subject's fundamental rights and liberties requiring the protection of personal data prevail
  10. For the protection of credit, in accordance with the relevant legislation

Autoridade Nacional de Proteção de Dados (ANPD)

The Autoridade Nacional de Proteção de Dados (ANPD), Brazil's national data protection authority, is a federal public administration body linked to the Presidency of the Republic. Its main responsibilities are to:

  • interpret the LGPD;
  • raise awareness among data subjects of their rights under the LGPD;
  • require organizations to produce Data Protection Impact Assessments (DPIAs) and audit their processing activities for compliance;
  • hold public consultations;
  • issue regulations for the application of the LGPD and keep them current with new practices and technologies;
  • coordinate with other regulatory bodies and oversee the public authorities to which the LGPD applies;
  • assess whether other jurisdictions provide an adequate level of protection for data subjects' data;
  • regulate cross-border data transfers;
  • undertake international cooperation with the supervisory authorities and data protection regulators of other countries;
  • promote and support studies and technologies that give data subjects greater control over their privacy;
  • enforce the LGPD by receiving complaints from data subjects;
  • investigate and proceed against violating organizations, holding hearings before imposing sanctions and penalties.

What is DPO under LGPD?

Under the LGPD the officer (encarregado, commonly translated as Data Protection Officer) is the person appointed by the controller as the communication channel with data subjects and with the ANPD. Article 41 assigns the officer the following tasks:

  1. Receive complaints and communications from data subjects, provide clarifications and take action;
  2. Receive communications from the national authority and take action;
  3. Guide the organization's employees and contractors on the practices to be followed for personal data protection;
  4. Perform the other duties set by the controller or in supplementary rules.

In practice this means overseeing the organization's LGPD adoption, running and monitoring a data protection compliance program, and advising senior management on LGPD compliance.

Cross Border Data Transfer Guidelines

The LGPD also regulates cross-border transfers of personal data from Brazil, much as the GDPR does. Under Article 33, an international transfer is permitted only when:

  • the destination country or international body provides a level of personal data protection adequate to that of the LGPD;
  • the controller offers and proves guarantees of compliance with the principles and data subject rights of the LGPD, in the form of:
    • specific contractual clauses for a given transfer;
    • standard contractual clauses;
    • global corporate norms (binding corporate rules);
    • regularly issued seals, certificates and codes of conduct;
  • the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies;
  • the transfer is necessary to protect the life or physical safety of the data subject or of a third party;
  • the ANPD has authorized the transfer;
  • the transfer results from a commitment undertaken in an international cooperation agreement;
  • the transfer is necessary for the execution of a public policy or the legal attribution of a public service;
  • the data subject has given specific and highlighted consent to the transfer, having been informed beforehand of its international nature;
  • the transfer is necessary to comply with a legal or regulatory obligation of the controller, to execute a contract or preliminary contractual procedures at the data subject's request, or for the regular exercise of rights in judicial, administrative or arbitration proceedings.

Obligations Under LGPD

The LGPD imposes obligations on any organization that processes the personal data of people in Brazil. The most important are:

  • Processing may take place only under one of the legal bases listed above.
  • Controllers must appoint a Data Protection Officer (encarregado).
  • Controllers must prepare a Data Protection Impact Assessment (DPIA) when the ANPD requires one.
  • Technical and administrative security measures must be in place to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination.
  • Controllers must notify the ANPD and the affected data subjects of security incidents that may cause relevant risk or damage to data subjects.
  • Controllers and operators must keep records of their personal data processing activities.

Security Guidelines under LGPD

The LGPD itself (Article 46) requires processing agents to adopt technical and administrative measures capable of protecting personal data, but does not prescribe specific controls. The concrete baseline most often cited alongside it comes from Decree No. 8,771/2016, which regulates Brazil's Internet Act (Marco Civil da Internet), and calls for:

  • strict control over who may access the data, defining the responsibilities of each person with access and granting exclusive access privileges to designated users;
  • authentication mechanisms for access to records, such as two-factor authentication, so that each access is individually attributable to the person responsible;
  • a detailed inventory of accesses to connection records and application access records, including the time, duration, identity of the employee or responsible person and the file accessed;
  • records management solutions that guarantee the inviolability of the data, such as encryption or equivalent protective measures.
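The last two guidelines (a detailed access inventory, and records management that guarantees inviolability) translate into a familiar engineering pattern: an append-only access log whose entries are chained with keyed hashes, so that any later edit or deletion of an entry is detectable. The following Python is an added example and is not part of the original page, the law or any vendor product; the record fields, the staff and system names, and the key are constructed for illustration, and a real deployment would keep the key in a KMS or HSM rather than in code.

```python
"""Tamper-evident inventory of access records (added example, not from the page).

Each access record (who, which system, what action, on which data subject, when
and for how long) is appended to a hash chain: the entry's tag is
HMAC-SHA256(key, previous_tag || canonical_json(record)). Rewriting or removing
any stored entry breaks the chain from that point on, and verification reports
the first entry that no longer checks out.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Tag assumed to precede the first record; a fixed constant of this example.
GENESIS_TAG = b"\x00" * 32


def _link_tag(key: bytes, prev_tag: bytes, record: Dict) -> bytes:
    """HMAC-SHA256 over the previous tag and the canonical JSON of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, prev_tag + payload, hashlib.sha256).digest()


def append_record(log: List[Dict], key: bytes, record: Dict) -> Dict:
    """Append an access record, chaining it to the tag of the previous entry."""
    prev_tag = bytes.fromhex(log[-1]["tag"]) if log else GENESIS_TAG
    entry = {"record": record, "tag": _link_tag(key, prev_tag, record).hex()}
    log.append(entry)
    return entry


def verify_chain(log: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Walk the chain; return (True, len(log)) or (False, index of first bad entry)."""
    prev_tag = GENESIS_TAG
    for index, entry in enumerate(log):
        expected = _link_tag(key, prev_tag, entry["record"])
        actual = bytes.fromhex(entry["tag"])
        if not hmac.compare_digest(expected, actual):
            return False, index
        prev_tag = actual
    return True, len(log)


def build_sample_log(key: bytes) -> List[Dict]:
    """Constructed sample inventory: who accessed which record, when and for how long."""
    accesses = [
        {"who": "ana.silva", "system": "crm", "action": "read",
         "subject_id": "c-1029", "start": "2021-03-04T13:02:11Z", "duration_s": 41},
        {"who": "joao.souza", "system": "billing", "action": "export",
         "subject_id": "c-1029", "start": "2021-03-04T13:10:55Z", "duration_s": 7},
        {"who": "ana.silva", "system": "crm", "action": "update",
         "subject_id": "c-1029", "start": "2021-03-04T13:15:30Z", "duration_s": 12},
    ]
    log: List[Dict] = []
    for access in accesses:
        append_record(log, key, access)
    return log


def tamper_demo(key: bytes) -> Tuple[bool, int]:
    """Rewrite a stored entry after the fact; verification pinpoints it."""
    log = build_sample_log(key)
    log[1]["record"]["action"] = "read"  # the export is disguised as a read
    return verify_chain(log, key)


def deletion_demo(key: bytes) -> Tuple[bool, int]:
    """Drop an entry from the middle; the next entry's link no longer matches."""
    log = build_sample_log(key)
    del log[1]
    return verify_chain(log, key)


if __name__ == "__main__":
    # Hypothetical key for the demo; in production it lives in a KMS/HSM, never in code.
    key = b"demo-key-not-for-production"
    print("intact:  ", verify_chain(build_sample_log(key), key))
    print("tampered:", tamper_demo(key))
    print("deleted: ", deletion_demo(key))
```

Two caveats a practitioner should keep in mind. A hash chain does not by itself detect truncation of the tail (simply dropping the newest entries), so the latest tag should be anchored somewhere the log writer cannot alter, such as a periodic write to WORM storage or a separate system. And the chain provides integrity and attribution, not confidentiality: the records themselves still need encryption at rest and the access controls from the first two guidelines.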

Breach Notification Requirements

  • Under Article 48, the controller must notify the ANPD and the affected data subjects of any security incident that may cause relevant risk or damage to data subjects, within a reasonable period to be defined by the ANPD.
  • The ANPD will assess the seriousness of the incident and, where necessary to safeguard data subjects' rights, may order the controller to publicize the incident and to adopt measures to reverse or mitigate its effects.
  • The controller's notification must, at a minimum:
    • describe the nature of the affected personal data;
    • provide information about the data subjects involved;
    • indicate the technical and security measures used to protect the data, respecting trade and industrial secrets;
    • describe the risks to data subjects arising from the incident;
    • state the reasons for any delay, if the notification was not immediate;
    • describe the measures that were or will be adopted to reverse or mitigate the harm.

Who Must Comply?

Unlike the CCPA, the LGPD sets no size or revenue threshold; what matters is the data an organization processes. Under Article 3, the law applies to any processing operation carried out by a natural person or legal entity, public or private, regardless of the means used, the country where the organization is headquartered or the country where the data is located, whenever:

  • the processing is carried out in Brazil;
  • the processing activity aims to offer or supply goods or services to individuals located in Brazil, or to process the data of individuals located in Brazil; or
  • the personal data was collected in Brazil (data is considered collected in Brazil when the data subject was located there at the time of collection).

These tests apply to controllers and operators alike.

Processing of sensitive data

Article 11 limits the situations in which sensitive personal data may be processed. These are:

  1. When the data subject, or his or her legal representative, gives specific and highlighted consent for specific purposes;
  2. Without the data subject's consent, when indispensable for:
    • compliance with a legal or regulatory obligation of the controller;
    • shared processing of data necessary for the public administration to execute public policies;
    • studies by a research body, ensuring anonymization of the sensitive data whenever possible;
    • the regular exercise of rights, including in contracts and in judicial, administrative or arbitration proceedings;
    • protection of the life or physical safety of the data subject or of a third party;
    • protection of health, exclusively in a procedure carried out by health professionals, health services or the health authority;
    • fraud prevention and the safety of the data subject in identification and authentication processes for registration in electronic systems.

Fines Under LGPD

The LGPD (Lei Geral de Proteção de Dados) is explicit about the consequences of non-compliance. Article 52 gives the ANPD a graduated set of administrative sanctions:

  • A warning, with a deadline for the organization to adopt corrective measures.
  • A simple fine of up to 2% of the revenue in Brazil of the private legal entity, group or conglomerate in its last fiscal year, excluding taxes, capped at R$ 50 million per violation (roughly EUR 7.5 million at the time of writing).
  • A daily fine, subject to the same R$ 50 million cap.
  • Publicization of the violation after it has been duly investigated and confirmed.
  • Blocking of the personal data to which the violation relates until it is regularized.
  • Deletion of the personal data to which the violation relates.
  • Partial suspension of the operation of the database, suspension of the processing activity, or partial or total prohibition of processing activities (added by Law No. 13,853/2019).

The ANPD has been able to apply these sanctions since August 1, 2021.

The LGPD (Lei Geral de Proteção de Dados) was modelled on the EU's GDPR and has extraterritorial reach: any website or service that processes the personal data of individuals located in Brazil must comply, wherever it is based.

To learn more about LGPD as well as other privacy regulations across the globe, and what your organization can do in order to comply, sign up to get a free copy of the PrivacyOps book.

Automating privacy operations across your organization

The multi-disciplinary practice to grow trust-equity of your brand and comply with privacy regulations.


“By leveraging the PrivacyOps constructs from this book across our organization we were able to not only save time and money but also mitigate the risks associated with manual methods of privacy management.”

- Marty Collins, Chief Privacy and Legal Officer, QuinStreet, Inc

LGPD Compliance Checklist

The LGPD contains many requirements that organizations must understand before they can hope to comply. The following checklist is a starting point:

  1. Map how your organization stores and processes personal data:
    The first step towards compliance is being able to track, on an ongoing basis, where personal data is stored and how it is processed across the organization.
  2. Be ready to honor data subject rights:
    Organizations need to know the rights data subjects hold over their data and be able to fulfil them when a data subject exercises them.
  3. Put appropriate security controls in place:
    Appropriate technical and administrative controls are essential to protect personal data from unauthorized access and from breaches.
  4. Build an incident response process:
    Data breaches are almost unavoidable, so a plan is needed for when one occurs, from containment and mitigation to notifying the ANPD and affected data subjects; failing to carry out these steps can be very costly.
  5. Carry out Data Protection Impact Assessments regularly:
    An organization should always know where it stands on data privacy and security, which is why running DPIAs on processing activities, rather than only when the ANPD requests one, is recommended.
  6. Appoint a Data Protection Officer:
    Article 41 requires controllers to appoint an officer (encarregado) whose tasks focus on data protection; appointing one early helps with the rest of the LGPD compliance effort.
  7. Put data processing agreements in place:
    Controllers need written agreements with their operators and should audit their operators' activities to ensure they remain compliant with the law.
  8. Revamp your privacy policy for the LGPD:
    Finally, rework the privacy policy to meet the LGPD's transparency standards and required disclosures.

Automation Towards Compliance

Securiti is an award-winning compliance solution built around the concept of PrivacyOps, a framework that uses robotic automation, artificial intelligence and machine learning to automate most privacy tasks, freeing up resources for other business operations.

Securiti helps businesses map data across a web of internal and external systems and stitch together a data graph that links personal data to each individual. It can also run automated assessments of internal policies and third-party vendors, manage consent and more, supporting compliance with the LGPD as well as other data privacy regulations around the world.

To learn how Securiti can help you on your journey towards compliance, while efficiently implementing privacy management, request a demo today.


Key facts

  1. Applies to any organization processing personal data collected in Brazil, processed in Brazil or belonging to individuals located in Brazil, regardless of where the organization is based.
  2. Fines can reach 2% of annual turnover in Brazil, capped at R$ 50 million per violation (roughly EUR 7.5 million).
  3. Brazil has over 140 million internet users.
  4. The LGPD is often called "Brazil's GDPR". Organizations that already comply with the GDPR have covered much of the ground, though the two laws differ in details such as legal bases, notification timelines and sanctions.
  5. The LGPD has been in force since September 18, 2020; sanctions have been applicable since August 1, 2021.