What is Lei Geral de Proteção de Dados Pessoais (LGPD)
LGPD (Lei Geral de Proteção de Dados Pessoais) is the data privacy law of Brazil, aimed at providing Brazilian consumers more control over their personal information. In many respects, LGPD is similar to the General Data Protection Law (GDPR) of the European Union, but there are some significant differences. LGPD goes into effect in early August 2020 and organizations must comply with this regulation in order to avoid fines and penalties by the newly-created Brazilian regulatory authority, Autoridade Nacional de Proteção de Dados (ANPD).
Obligations Under LGPD
LGPD imposes some very important obligations on organizations dealing with and processing the user data of Brazilians. Some of the most important requirements are:
Processing of data by organizations can only happen under certain lawful bases.
Data Protection Officers (DPOs) must be assigned by data controllers.
Organizations must undertake Data Protection Impact Assessments (DPIAs) when required by the ANPD.
Organizations must take reasonable security measures to protect user data.
In case of a breach incident, controllers and processors must provide breach notifications to the ANPD and to the affected users as quickly as possible.
Data transfers are allowed only when the entity or country has an adequate protection framework.
Controllers and processors must keep records of data processing activities and are encouraged to take internal measures such as privacy governance programs for the accountable handling of user data.
Who Must Comply?
According to article 3 of LGPD, if an organization performs the following tasks, they are required to comply with LGPD:
Controller: “Processing data within the territory of Brazil, Processing the data of individuals who are within the territory of Brazil. The location of the data processor is immaterial.
Processor:
“Processing data which was collected within the territory of Brazil.”
Rights Under LGPD
LGPD offers its constituents the nine following rights:
Right to be informed about the existence of the processing.
The right to access the data.
The right to correct inaccurate, incomplete or out-of-date data.
The right to block, anonymize, or delete excessive or unnecessary data or data that is not being processed in compliance with LGPD.
The right to the portability of data to another service by an express request.
The right to deletion of personal data which is processed with the consent of the data subject.
The right to information about private and public entities with which the data is shared.
The right to be informed about the possibility of denying consent and the consequences of such denial.
Right to revoke consent.
These rights can be enforced through complaints and private actions brought about by data subjects.
Fines Under LGPD
Under the LGPD, the penalty system ranges from:
Warnings to organizations in case of non-compliance with the intent of having the organization implement corrective measures.
Blocking or deletion of processing and data.
Daily fines which can go up to R50 million which approximates to €11 million.
Fines up to 2% of annual turnover in Brazil or R50 million per violation, which approximates to €11 million.
To learn more about LGPD as well as other global privacy regulations,
and what to do in order to comply, sign up to get a free copy of the PrivacyOps book
SECURITI.ai’s award-winning compliance solution revolves around the concept of PrivacyOps, which calls for utilizing robotic automation, artificial intelligence and machine learning to provide enterprises with a system that automates majority of compliance tasks, freeing up crucial resources for other areas of business.
SECURITI.ai helps businesses discover data over a web of internal and external systems, stitch a data graph to link personal data with each individual, conduct automated internal assessment of policies as well as third-party vendors, manage consent and do a lot more!
While businesses may hesitate to take the leap towards automation from their current manual methods with the fear of costs and change in infrastructure, it is evident that automation is truly the way forward. Automation will increase the ROI as well as increase productivity, lowering cost and improving accuracy, in other words, it will pay for itself and bring organizations a number of benefits along with it.
Key facts
1
Applies to all companies processing the personal data of data subjects residing in Brazil, regardless of the company’s location.
2
Fines can range up to 2% of annual turnover in Brazil or R50 million per violation, which approximate to €11 million.
