What you need to know about Brazil’s Lei Geral de Proteção de Dados (LGPD)

A new Brazilian privacy regulation, Lei Geral de Proteção de Dados, commonly referred to as LGPD, is here. Ahead of this security standard going into effect, we’re talking with our Co-Founder and Director of Corporate Development, Stephen Cavey. Read on as he shares more information about the regulation and what your company needs to do to comply with it. 

What is LGPD?

Short answer: you can think of it as Brazilian GDPR. LGPD is a far-reaching data protection regulation intended to increase privacy and protect the data of Brazilian consumers. As with GDPR as an EU law, LGPD is a Brazilian law which applies to any company that makes its website or services available to Brazilian citizens, including US companies.

It grants Brazilian consumers the right to: 

  • Confirm the existence of data processing of their personal information
  • Access the data that has been collected 
  • Correct incomplete, inaccurate, or out-of-date data
  • Anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with LGPD
  • Transfer data to another service or product provider, by means of an express request 
  • Delete personal data processed with the consent of the data subject
  • Request information about public and private entities with which the controller has shared data
  • Request Information about the possibility of denying consent and the consequences of such denial and the right to revoke consent


When does it take effect?

The LGPD goes into effect on 15 February, 2020. It does not have an enforceable date like the California Consumer Privacy Act (now in effect; enforceable beginning 1 July 2020), but companies are expected to make reasonable efforts to meet the requirements in a timely manner, as defined by the national authority, or face penalties. Non-compliance with the requirements of LGPD could result in fines amounting to 2% of gross sales (of the company or a group of companies) or a maximum sum of R $ 50,000,000.00 (fifty million reais) per infringement, approximately USD 12.9 million.*

What does this mean for your company? 

If your company is one that must comply with LGPD, you will need to implement policies, procedures, and protocols that:

  • Enable Brazilian consumers to exercise their rights 
  • Ensure consumer requests are fulfilled completely, accurately, and timely. To do this effectively, you need to know what personal information you have, where the information is located and how that information is being used in your organisation. This is where sensitive data discovery plays an instrumental role. 
  • Put safeguards in place to protect consumer personal data in your possession. A sensitive data discovery solution can not only help you find the data, but remediate it and report on it so it stays secure. 

Once you have these measures in place, you’ll need to continuously monitor your systems to find and secure sensitive data in order to remain compliant and be audit-ready. 

How does LGPD categorise personal data? 

LGPD states that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment. While this definition will likely be clarified as Brazil nears implementation of LGPD, this regulation takes a broad view of what data qualifies as personal data, even more expansive than GDPR.

How is it similar to GDPR? Different? 

At its core, the LGPD emulates GDPR with the intention of providing consumers with more control over their personal data, providing transparency, and holding companies accountable for how they’re collecting, using, and protecting data. Just like with GDPR in the European Union, LGPD applies in Brazil to organisations offering goods and services to persons in Brazil (no matter where the processing occurs). Similarly, consumers are given the right to request access to their personal information and ask for it to be deleted. LGPD also calls for the appointment of a Data Protection Officer (DP0) to oversee policies and procedures related to meeting LGPD regulatory requirements and to keep in compliance on an ongoing basis.  

Keep in mind, there are a few key differences.

As noted, LGPD grants Brazilian citizens the rights of erasure and a right of access to personal data. As compared to GDPR, LGPD imposes shorter deadlines for the controllers to comply with data subject requests (15 days instead of GDPR-imposed 30 days). Data controllers must notify personal data breaches to the National Data Protection Authority and to the affected individuals.

LGPD requires businesses and organisations to hire a DPO with one notable exception—LGPD does not provide any exceptions for small businesses or small-scale processing. All data controllers are expected to comply with the regulations set forth. 

LGPD calls for stricter restrictions to the cross-border transfer of personal data. Such transfers are allowed to (i) countries deemed by the data protection authority to provide an adequate level of data protection, or (2) where in force using standard contractual clauses or other mechanisms approved by the data protection. **

For a refresher on GDPR, check out our blog

How Ground Labs can help?

Here’s the silver lining: If your organisation has implemented procedures and policies to be GDPR- compliant, you have the foundation in place to comply with LGPD and other privacy laws. What’s most important in each of these cases is to have a solution in place  like Ground Labs Enterprise Recon to discover your sensitive data and secure it appropriately. The solution is designed to quickly and accurately search across your entire data estate to find more than 200 sensitive data types (i.e., credit cards, passport numbers, driver’s licenses) so that you can discover, remediate, and report on sensitive data wherever it resides. 

Since we fully expect more privacy laws to be enacted in the coming months and years, taking the necessary first step towards compliance—sensitive data discovery—is essential to adhering to what is becoming the new norm in data privacy legislation. As governments at both the national and local level advocate for their citizens and residents, it’s critical organisations comply with their efforts to increase data privacy and protect personal information for its constituents. 

1. https://www.onetrust.com/what-is-the-brazil-general-data-protection-law-lgpd/

2. https://www.pnm.adv.br/wp-content/uploads/2018/08/Brazilian-General-Data-Protection-Law.pdf

Want to keep up with all our blog posts? Subscribe to our newsletter!