After the European General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) - which was subsequently replaced with the Consumer Privacy Rights Act (CPRA) - Brazil shook the field of data privacy and the internet industry when it introduced its own comprehensive data privacy regulation, Lei Geral de Proteção de Dados Pessoais (LGPD).
According to recent statistics, Brazil has 140 million internet users (the population of the 10th largest country in the world), making it one of the largest internet markets in Latin America and the fourth largest market in the world.
In previous years, Brazil has drafted over 40 legal regulations with regard to data privacy on a federal level. Some established general guidelines and some were sector-specific, leading to many overlaps and conflicts between different laws across industries. The negative aspect of these sectoral laws is that they are applicable to specific industries and do not provide Brazilian internet users and consumers with comprehensive protections. Also, for organizations and businesses involved in multi-sectoral operations, complying with all of these different laws and their requirements is an expensive and difficult affair. This is why the new data protection law of Brazil, known as the LGPD (Lei Geral de Proteção de Dados Pessoais), was set into motion to provide a more comprehensive and overall regulatory framework for data privacy.
The LGPD was passed by the Brazilian National Congress on the 14th of August, 2018. In August 2020 the President of Brazil approved the creation of the federal independent regulatory authority - The Autoridade Nacional de Proteção de Dados (ANPD) - to interpret and enforce the LGPD and act as the national supervisory authority.
Despite the onset of the COVID pandemic and a planned delay in application till December 2020 or May 2021, the LGPD was signed into law on September 18th 2020 and has been in effect since then. The sanctions under the law shall not be enforced till August 1st, 2021.
It is well known that the LGPD was drafted based on the GDPR, so much so that some people call it Brazil’s GDPR. The LGPD contains 65 articles which provide individuals with data subject rights, impose obligations upon organizations for lawful processing of personal data, require notification of data breaches to the supervisory authority and affected data subjects, create a national supervisory authority to interpret and enforce the law, regulate international transfer of data, define lawful consent collection guidelines and impose heavy penalties on violators similar to the GDPR.
The LGPD offers individual data subjects a set of 9 rights over their personal data which can be exercised against both public and private organizations under the LGPD, which is very different from the various federal sectoral laws in the past that offered only partial protections. This approach of the LGPD law is greatly influenced by the EU’s General Data Protection Regulation:
Following are the 19 definitions that come under LGPD.
| Term | Definition |
|---|---|
| Personal Data | Information on an identifiable or identified natural person. |
| Sensitive Personal Data | Personal data concerning ethnic or racial origin, political opinion, religious beliefs, trade union or philosophical, religious or political organization membership, data concerning health or genetic or biometric data, relating to a natural person. |
| Data Subject | A natural person whose personal data is the object of processing. |
| Consent | Free, informed and unambiguous manifestation whereby the data subject agrees to the processing of her/his personal data for a given purpose. |
| Processing | An operation carried out with personal data. |
| Database | Structured set of personal data, kept in one or several locations, in electronic or physical support. |
| Processing Agents | The controller and the operator. |
| Controller | Natural person or legal entity, public or private law, that has competence to make decisions regarding the processing of personal data. |
| Operator | Natural person or legal entity, public or private law, that processes personal data in the name of the controller. |
| Officer | Natural person, appointed by the controller, who acts as a communication channel between the controller and the data subjects and the national authority (the ANPD). |
| Anonymization | Use of available and reasonable technical means during processing, through which data loses the possibility of direct or indirect association with an individual. |
| Blocking | Temporarily suspending the processing operation by means of retention of the database or personal data. |
| Deletion | Exclusion of a set of data held within a database, irrespective of the procedure used. |
| International Data Transfer | Transfer of personal data to a foreign country or to an international entity of which the country is a member. |
| Shared Use of Data | Communication, international transfer, dissemination, interconnection of data or shared processing of banks of personal data by public agencies and entities, in compliance with legal capabilities, or between these and private entities, reciprocally, with specific authorization, for one or more types of processing allowed by these public entities, or among private entities. |
| Data Protection Impact Assessment | Documentation from the assigned controller which contains the description of the data processing proceedings that could pose risks to fundamental rights and civil liberties, as well as safeguards and mechanisms to mitigate risk. |
| Research Body | Body or entity from the public administration or nonprofit legal entity of private law, legally organized under the Brazilian law, with headquarters and jurisdiction in the Country. This body or entity includes in its institutional mission, or in its corporate or statutory purposes, basic or applied research of historical, scientific, technological or statistical nature (New Wording Given by Law No. 13,853/2019). |
| National Authority | Body of the public administration responsible for the monitoring, supervising and implementing of the compliance with this Law in all national territory (New Wording Given by Law No. 13,853/2019). |
Following are the 10 legal bases of processing:
The National Data Protection Authority of Brazil, the Autoridade Nacional de Proteção de Dados (ANPD), is a federal public administration body that is a member of the Presidency of the Republic. Its main objective is:
The DPO is the individual within an organization that has the following tasks under the LGPD:
LGPD also regulates the cross-border transfer of personal data from Brazil to other countries and jurisdictions in a similar manner to the GDPR. Cross border transfers can only take place if:
LGPD imposes obligations on organizations dealing with and processing the user data of Brazilians. Some of the most important requirements are:
Following are some important security guidelines under LGPD:
Unlike the CCPA, the LGPD does not take into account the size or revenue of a company. Instead, it focuses on the information a company holds. Under article 3 of the LGPD, any organization that performs the following tasks is liable to comply with the LGPD:
“Processing data within the territory of Brazil, Processing the data of individuals who are within the territory of Brazil. The location of the data operator is immaterial.”
“Processing data which was collected within the territory of Brazil.”
Article 11 mentions the limited situations under which sensitive data can be processed. These are:
The LGPD (Lei Geral de Proteção de Dados) is clear when it comes to the consequences of non-compliance with the law. The penalty system ranges from:
Maximum fines can reach up to 50 million Brazilian reais or 2% of a company’s annual turnover for an LGPD violation. It will be the ANPD’s responsibility to enforce such sanctions when the LGPD comes into effect.
The LGPD (Lei Geral de Proteção de Dados) was designed in accordance with the EU's GDPR. The LGPD has global jurisdiction, which means that any website that processes personal data from individuals in Brazil has to comply.
To learn more about LGPD as well as other privacy regulations across the globe, and what your organization can do in order to comply, sign up to get a free copy of the PrivacyOps book.
The LGPD has a number of regulations that organizations need to be aware of before they can hope to stay in compliance with this legislation. Following is a quick checklist that can be a stepping stone towards compliance with the LGPD.
Securiti is an award-winning compliance solution which revolves around the concept of PrivacyOps. The PrivacyOps framework calls for utilization of robotic automation, artificial intelligence and machine learning. This system automates the majority of tasks, freeing up resources for other business operations.
Securiti helps businesses map data over a web of internal and external systems and stitch a data graph to link personal data with each individual. It can also conduct automated internal assessment of policies as well as third-party vendors, manage consent and do a lot more! It is the ultimate tool towards compliance with LGPD as well as any other data privacy regulation in the world.
To learn how Securiti can help you on your journey towards compliance, while efficiently implementing privacy management, request a demo today.