How to Achieve LGPD Compliance: Brazil’s Data Protection Law
In late 2018, following in the footsteps of the European Union’s General Data Protection Regulation (GDPR) and other data privacy statutes, Brazil implemented Lei Geral de Proteção de Dados (LGPD). This May, the LGPD will come into full effect and companies will need to comply with its strict requirements regarding personal data and sensitive information. In this article, we’ll discuss the key differences between the LGPD and other privacy laws, and how your organization can ensure compliance.
What does LGPD involve?
As we covered on our blog when the LGPD was going into effect, it is a far-reaching data protection regulation intended to increase privacy and protect the data of Brazilian consumers. The key concept to understand is that the LGPD requires organizations to only process personal data for legitimate and clearly communicated purposes.
How does this differ from GDPR or the California Consumer Privacy Act?
There are now several different data privacy acts around the globe, and they can be easy to confuse. Below we’ve outlined some key differences to know.
- Definitions & Scope: Each of these regulations has its own definition of “personal data.” The LGPD defines personal data similarly to GDPR, referring to any identifying information of a natural person. CCPA is more granular, extending to consumer preferences, behaviors and aptitudes. In terms of scope, GDPR and the LGPD cover a similar range, while CCPA is somewhat narrower. Additionally, the legal bases for data processing differ: GDPR has six legal bases for data processing, the LGPD has ten, and CCPA places no restrictions on legal bases whatsoever.
- Data Access Rights: When it comes to access rights, GDPR, CCPA, and the LGPD all afford consumers rights to disclosure, access and deletion. Only the CCPA allows opt-outs for data that will be sold. The three pieces of legislation differ in the amount of time they give businesses to answer data subjects’ access requests. GDPR and the LGPD also grant the right to rectification and the right to restrict processing under specific circumstances.
- Fines & Penalties: While violations of any of these laws result in fines, the amounts differ. A violation of GDPR can result in 20 million euros or four percent of global turnover. CCPA violations cost between $100 and $750 per consumer per incident, or actual damages, up to $7,500 for each intentional violation, with no cap on fines. LGPD violations carry fines of 2 percent of gross revenue, up to a maximum of R$50 million.
You can review GDPR guidelines in our blog here.
How Can Businesses Achieve LGPD Compliance?
Businesses seeking to achieve LGPD compliance first need to understand the principles of processing data. These include having a purpose for processing, transparency, freedom in exercising rights, and free access to the information. In order to meet the legal basis for processing data, organizations need to obtain consent from the user, alongside the fulfillment of any legal or regulatory obligation. This consent is narrowly defined: consent must be “free, informed and unambiguous.”
In addition, organizations need to understand a user’s rights under the LGPD. As we covered earlier, under the LGPD data subjects have the right to both access and deletion. Beyond the user rights are controller and processor obligations under the LGPD. These include responsibilities regarding cross-border data transfers, the appointment of a Data Protection Officer (DPO) and specific duties during security incidents and data breaches. With transparency as a core principle, any agent involved in the processing of personal data needs to implement security, technical, and administrative measures.
How Can You Achieve LGPD Compliance with Ground Labs?
For all organizations, the best place to start is with awareness. Knowing what personal data resides on your organization’s servers allows you to implement the policies and compliance measures needed to align with the LGPD and any other data privacy law. A data discovery tool like Ground Labs Enterprise Recon Pro can quickly and accurately search across your entire data estate, find over 300 sensitive data types, and help you secure them properly. The solution is designed to quickly and accurately find personal and sensitive data types (e.g., credit cards, passport numbers, driver’s licenses) so that you can discover, remediate, and report on data wherever it resides.
From there, organizations can start implementing new LGPD policies and protocols to safeguard this information and avoid any potential fines. As more privacy laws follow the lead of GDPR and the LGPD, the earlier companies take on personal and sensitive data discovery, the better prepared they will be to adhere to data privacy laws.