After the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) - which was subsequently replaced with the California Privacy Rights Act (CPRA) - Brazil shook the field of data privacy and the internet industry when it introduced its own comprehensive data privacy regulation, the Lei Geral de Proteção de Dados Pessoais (LGPD).
According to recent statistics, Brazil has 140 million internet users (a figure equal to the population of the 10th largest country in the world), making it one of the largest internet markets in Latin America and the fourth largest market in the world.
In previous years, Brazil drafted over 40 legal regulations concerning data privacy at the federal level, some of which established general guidelines while others were sector-specific, leading to many overlaps and conflicts between different laws across industries. The drawback of these sectoral laws is that they apply only to specific industries and do not give Brazilian internet users and consumers comprehensive protection. For organizations and businesses involved in multi-sectoral operations, complying with all of these different laws and their requirements is also an expensive and difficult affair. This is why Brazil's new data protection law, the LGPD (Lei Geral de Proteção de Dados Pessoais), was set in motion: to provide a more comprehensive, overarching regulatory framework for data privacy.
The LGPD was passed by the Brazilian National Congress on the 14th of August, 2018. In August 2020 the President of Brazil approved the creation of the federal independent regulatory authority - The Autoridade Nacional de Proteção de Dados (ANPD) - to interpret and enforce the LGPD and act as the national supervisory authority.
Despite the onset of the COVID pandemic and a planned delay in application until December 2020 or May 2021, the LGPD was signed into law on September 18th 2020 and has been in effect since then. The sanctions under the law shall not be enforced until August 1st, 2021.
It is well known that the LGPD was drafted and based on the GDPR, so much so that some people call it Brazil’s GDPR. The LGPD contains 65 articles which grant individuals data subject rights, impose obligations on organizations for the lawful processing of personal data, require notification of data breaches to the supervisory authority and affected data subjects, create a national supervisory authority to interpret and enforce the law, regulate international transfers of data, define lawful consent collection guidelines and impose heavy penalties on violators, similar to the GDPR.
LGPD provides:
The LGPD offers individual data subjects a set of 9 rights over their personal data which can be exercised against both public and private organizations, which is very different from the various federal sectoral laws of the past that offered only partial protections. This approach of the LGPD is greatly influenced by the EU’s General Data Protection Regulation:
The right to be informed about the existence of the processing.
The right to access the data.
The right to correct inaccurate, incomplete or out-of-date data.
The right to block, anonymize, or delete excessive or unnecessary data or data that is not being processed in compliance with LGPD.
The right to the portability of data to another service by an express request.
The right to deletion of personal data which is processed with the consent of the data subject.
The right to information about private and public entities with which the data is shared.
The right to be informed about the possibility of denying consent and the consequences of such denial.
The right to revoke consent.
Following are the 19 definitions that come under LGPD.
| Term | Definition |
| --- | --- |
| Personal Data | Information on an identifiable or identified natural person. |
| Sensitive Personal Data | Personal data concerning ethnic or racial origin, political opinion, religious beliefs, trade union or philosophical, religious or political organization membership, data concerning health, or genetic or biometric data, relating to a natural person. |
| Data Subject | A natural person whose personal data is the object of processing. |
| Consent | Free, informed and unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose. |
| Processing | An operation carried out with personal data. |
| Database | Structured set of personal data, kept in one or several locations, in electronic or physical form. |
| Processing Agents | The controller and the operator. |
| Controller | Natural person or legal entity, under public or private law, that has competence to make decisions regarding the processing of personal data. |
| Operator | Natural person or legal entity, under public or private law, that processes personal data in the name of the controller. |
| Officer | Natural person, appointed by the controller, who acts as a communication channel between the controller, the data subjects and the national authority (the ANPD). |
| Anonymization | Use of available and reasonable technical means during processing, through which data loses the possibility of direct or indirect association with an individual. |
| Blocking | Temporarily suspending the processing operation by means of retention of the database or personal data. |
| Deletion | Exclusion of a set of data held within a database, irrespective of the procedure used. |
| International Data Transfer | Transfer of personal data to a foreign country, or to an international entity of which the country is a member. |
| Shared Use of Data | Communication, international transfer, dissemination, interconnection of data or shared processing of banks of personal data by public agencies and entities, in compliance with legal capabilities, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or among private entities. |
| Data Protection Impact Assessment | Documentation from the assigned controller which contains a description of the data processing operations that could pose risks to fundamental rights and civil liberties, as well as the safeguards and mechanisms to mitigate that risk. |
| Research Body | Body or entity of the public administration, or nonprofit legal entity of private law, legally organized under Brazilian law, with headquarters and jurisdiction in the country, which includes in its institutional mission or in its corporate or statutory purposes basic or applied research of a historical, scientific, technological or statistical nature (New Wording Given by Law No. 13,853/2019). |
| National Authority | Body of the public administration responsible for monitoring, supervising and implementing compliance with this Law in all national territory (New Wording Given by Law No. 13,853/2019). |
Following are the 10 legal bases of processing:
The National Data Protection Authority of Brazil (Autoridade Nacional de Proteção de Dados, ANPD) is a federal public administration body that is part of the Presidency of the Republic. Its main objective is:
The DPO is the individual within an organization who has the following tasks under the LGPD:
The LGPD also regulates the cross-border transfer of personal data from Brazil to other countries and jurisdictions in a similar manner to the GDPR. Cross-border transfers can only take place if:
LGPD imposes obligations on organizations dealing with and processing the user data of Brazilians. Some of the most important requirements are:
Following are some important security guidelines under LGPD:
Unlike the CCPA, the LGPD does not take into account the size or revenue of a company; instead, it focuses on the information a company holds. Under Article 3 of the LGPD, any organization that performs the following activities is liable to comply with the LGPD:
“Processing data within the territory of Brazil, Processing the data of individuals who are within the territory of Brazil. The location of the data operator is immaterial."
“Processing data which was collected within the territory of Brazil.”
Article 11 sets out the limited situations under which sensitive data can be processed. These are:
The LGPD (Lei Geral de Proteção de Dados) is clear when it comes to the consequences of non-compliance with the law. The penalty system ranges from:
Warnings to organizations in case of non-compliance with the intent of having the organization implement corrective measures.
Blocking or deletion of processing and data.
Daily fines which can go up to R$50 million, which approximates to €7.5 million.
Fines of up to 2% of annual turnover in Brazil or R$50 million per violation, which approximates to €7.5 million.
Maximum fines can reach up to 50 million Brazilian reais or 2% of a company’s annual turnover for an LGPD violation. It will be the ANPD’s responsibility to enforce such sanctions when the LGPD comes into effect.
The LGPD (Lei Geral de Proteção de Dados) was designed in accordance with the EU's GDPR. The LGPD has global jurisdiction, which means that any website that processes personal data from individuals in Brazil has to comply.
To learn more about LGPD as well as other privacy regulations across the globe, and what your organization can do in order to comply, sign up to get a free copy of the PrivacyOps book.
The LGPD has a number of regulations that organizations need to be aware of before they can hope to stay in compliance with this legislation. Following is a quick checklist that can be a stepping stone towards compliance with the LGPD.
Securiti is an award-winning compliance solution which revolves around the concept of PrivacyOps. The PrivacyOps framework calls for the utilization of robotic automation, artificial intelligence and machine learning. This system automates the majority of tasks, freeing up resources for other business operations.
Securiti helps businesses map data over a web of internal and external systems and stitch a data graph to link personal data with each individual. It can also conduct an automated internal assessment of policies as well as third-party vendors, manage consent and do a lot more! It is the ultimate tool towards compliance with LGPD as well as any other data privacy regulations in the world.
To learn how Securiti can help you on your journey towards compliance, while efficiently implementing privacy management, request a demo today.
Applies to all companies processing the personal data of data subjects residing in Brazil, regardless of the company’s location.
Fines can range up to 2% of annual turnover in Brazil or R$50 million per violation, which approximates to €7.5 million.
Brazil has over 140 million internet users.
Some people call the LGPD “Brazil’s GDPR”. If you’re already GDPR compliant, you are mostly within the provisions of the LGPD.
The LGPD has been in effect since September 18, 2020.