What is LGPD and How to Become Compliant in 2022?

After the European General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA) - which was subsequently replaced with the Consumer Privacy Rights Act (CPRA) - Brazil shook the field of data privacy and the internet industry when it introduced its own comprehensive data privacy regulation, Lei Geral de Proteção de Dados Pessoais (LGPD).

Brief History on the LGPD

According to recent statistics, Brazil has 140 million internet users (the population of the 10th largest country in the world), making it one of the largest internet markets in Latin America and the fourth largest market in the world.

In previous years, Brazil has drafted over 40 legal regulations with regards to data privacy on a federal level, some which established general guidelines and some were sector-specific, leading to many overlaps and conflict between different laws across industries. The negative aspect of these sectoral laws is that they are applicable to specific industries and do not provide Brazilian internet users and consumers comprehensive protections. Also for organizations and businesses involved in multi-sectoral operations, complying with all of these different laws and their requirements is an expensive and difficult affair. This is why the new data protection law of Brazil known as the LGPD (Lei Geral de Proteção de Dados Pessoais) was set into motion to provide a more comprehensive and overall regulatory framework to data privacy.

The LGPD was passed by the Brazilian National Congress on the 14th of August, 2018. In August 2020 the President of Brazil approved the creation of the federal independent regulatory authority  - The Autoridade Nacional de Proteção de Dados (ANPD) - to interpret and enforce the LGPD and act as the national supervisory authority.

Despite the onset of the COVID pandemic and a planned delay in application till December 2020 or May 2021, the LGPD was signed into law on September 18th 2020 and it is in effect since then. The sanctions under the law shall not be enforced till August 1st, 2021.

Influence of GDPR

It is well known that the LGPD was drafted and based on the GDPR so much so that some people call it Brazil’s GDPR. The LGPD contains 65 articles which provide individuals with data subjects rights, impose obligations upon organizations for lawful processing of personal data, require notification of data breaches to the supervisory authority and affected data subjects, create a national supervisory authority to interpret and enforce the law, regulate international transfer of data, define lawful consent collection guidelines and impose heavy penalties on violators similar to the GDPR.

Essence of the LGPD law

LGPD provides:

• 9 data subject rights requests exercisable by individual data subjects;
• 10 legal bases for lawful processing;
• Obligatory and transparent disclosure requirements for organizations to contain within their privacy policy;
• Consent collection and management requirements for organizations;
• Requirement for organizations to appoint a Data Protection Officer;
• Special rights for children;
• Data security requirements and mandatory breach notifications;
• Regulations for international data transfers;
• Obligation for organizations to provide Data Protection Impact Assessments (DPIAs) upon request of the ANPD;
• Powers to the ANPD to make regulations for the application of the act and to receive complaints from data subjects and investigate any organization for suspected violations of the legal requirements of the LGPD;
• Jurisdiction to ANPD to try suspected violators and impose various penalties and sanctions if they are found to be non-compliant.

Definitions under LGPD

Following are the 19 definitions that come under LGPD.

Legal Bases of Processing

Following are the 10 legal bases of processing:

1. Consent of data subject
2. Compliance of a legal obligation of the controller
3. Execute policies provided in the regulation, or based on agreements, contracts, or similar instruments
4. To carry out research studies by entities that ensure anonymization of personal data whenever necessary
5. To execute preliminary procedures related to a contract of which the data subject is a party
6. To exercise rights administrative, judicial or arbitration procedures
7. To protect the physical safety of the third party or data subject
8. To protect health, in a procedure carried out by health professionals or by health entities
9. Fulfill legitimate interests of the third party or controller, except when the data subject's rights require personal data protection prevail
10. To secure credit

Autoridade Nacional de Proteção de Dados (ANPD)

The National Data Protection Authority of Brazil -Autoridade Nacional de Proteção de Dados- (ANPD) is a federal public administration body that is a member of the Presidency of the Republic. Its main objective is:

• To interpret the LGPD;
• Create awareness among data subjects about their rights under the LGPD;
• Ask organizations to conduct Data Protection Impact Assessments (DPIAs) and audit their data processing activities to ensure compliance;
• Conduct public consultancies;
• Create regulations for application of the LGPD and to keep it up-to-date to recent trends and technologies;
• To work with other regulatory bodies and keep a check on public authorities to which the LGPD applies;
• To assess other jurisdictions if they provide adequate protections to data subjects data;
• To regulate cross-border data transfers;
• To undertake international cooperation initiatives with the supervisory authorities or data privacy regulators of other countries;
• To promote and support technologies and studies which focus on providing data subjects greater control over their privacy;
• To enforce the LGPD by receiving complaints of data subjects;
• Investigating and proceeding against violating organizations and conducting hearings before enforcing sanctions and penalties.

What is DPO under LGPD?

The DPO is the individual within an organization that has the following tasks under the LGPD:

1. Oversee LGPD adoption process in the organization;
2. Organise a data protection compliance program and monitor its implementation;
3. Provide guidance to senior management of the organization with regards to compliance with LGPD.

Cross Border Data Transfer Guidelines

LGPD also regulates the cross-border transfer of personal data from Brazil to other countries and jurisdictions in a similar manner to the GDPR. Cross border transfers can only take place if:

• The transfer of personal data is to organizations in jurisdictions which have an adequate level of protection
• Adequate guarantees of compliance are in place with the rights of data subject provided by LGPD, These include:
  • Specific contractual clauses
  • Standard contractual clauses
  • Global corporate norms
  • Regularly issued stamps
• The transfer is necessary for international legal cooperation
• The transfer is necessary to protect life or physical safety of the data subject or of third party
• Authorization has been provided by the ANPD
• The transfer is subject to a commitment
• The transfer is necessary for the legal attribution of public service or execution of a public policy

Obligations Under LGPD

LGPD imposes obligations on organizations dealing with and processing the user data of Brazilians. Some of the most important requirements are:

• Processing can only happen under one of the lawful bases.
• Data Protection Officers must be assigned by data controllers.
• Data Protection Impact Assessments (DPIAs) must be taken when required by the ANPD.
• Reasonable security measures must be in place to protect user data.
• In case of breach, operators and controllers must provide breach notifications to the ANPD and to the affected users.
• Operators and controllers must keep records of data processing activities.

Security Guidelines under LGPD

Following are some important security guidelines under LGPD:

• There must be strict control on people that have data access by defining the liability of persons and have exclusive access privileges to certain users
• Deployment of authentication mechanisms for records access
• Creation of detailed inventory of access to connection records and access to applications
• Use of records management techniques that ensure the inviolability of data, such as encryption or equivalent protective measures

Breach Notification Requirements

• Data Controllers are required to immediately notify the ANPD and affected data subjects of security incidents that may create risk or relevant damage to the data subjects.
• The ANPD shall verify the seriousness of the incident if necessary to safeguard the data subjects’ rights, it may order the controller to adopt measures to mitigate or reverse the possible harm to the data subject.
• The Notification sent by the data controller shall, at a minimum:
  • Define the nature of the affected individuals’ personal data;
  • Provide information regarding data subjects involved;
  • Indicate the security measures taken by the data controller to safeguard the affected data;
  • Describe the risks to the data subject generated by the incident;
  • Provide reasons for any delay of communication of the notification;
  • Lay down measures that were or will be adopted by the data controller to protect the affected data subjects from further harm.

Who needs to comply?

Unlike the CCPA, the LGPD does not take into account the size or revenue of a company, instead, it focuses on the information a company holds. Under article 3 of the LGPD, any organization that performs the following tasks are liable to comply with the LGPD:

Exemptions of processing sensitive data

Article 11, mentions the limited situation under which sensitive data can be processed. These are:

1. When the data subject or her/his legal representative specifically and distinctly consents, for the specific purposes
2. Without consent from the data subject, in the situations when it is indispensable for:
   • Controller’s compliance
   • Shared processing of data for public administration
   • Studies carried out by research entity
   • Regular exercise of rights
   • Protecting the life or the safety of an individual
   • Ensuring the prevention of fraud

LGPD Compliance Checklist

The LGPD has a number of regulations that organizations need to be aware of before they can hope to stay in compliance with this legislation. Following is a quick checklist that can be a stepping stone towards compliance with the LGPD.

1. Map out the ways your organization stores and processes data:
   The first step towards compliance is being able to constantly track where data is stored and how it is processed within the organization.
2. Address the user rights the data subjects has on their data:
   Organizations need to be aware of the data subject rights and honor them in case a data subject decides to exercise these rights.
3. Ensure Data security with appropriate security controls are in place:
   It is paramount that appropriate security controls are in place to protect the consumers data from unauthorized access or from breach.
4. Create a system to tackle data breaches:
   Data breaches are almost unavoidable and organizations need to have a plan in place in case a breach occurs - from taking appropriate mitigation efforts to notifying affected data subjects - non compliance of these activities can be very costly for the organization.
5. Carry out regular Data Protection Impact Assessments:
   It is important that an organization is always aware of its standing with regards to data privacy and security, which is why running regular DPIAs on your processing activities is recommended.
6. Hire a Data Protection Officer if needed:
   A data protection officer is necessary to an organization since his/her tasks focus solely  on data privacy - it is recommended that one is hired to assist with the LGPD compliance requirements.
7. Create a data processing agreement:
   Organizations need to make a written agreement between the operators and controllers and ensure they carry out necessary audits of their operators’ activities to ensure they are not non-compliant with the law.
8. Revamp your privacy policy based on the LGPD:
   Finally, organizations need to rework their privacy policy and align it with the LGPD standards for transparency and necessary disclosures.