BY Stephen Cavey | 3 March 2020
What you need to know about Brazil’s Lei Geral de Proteção de Dados (LGPD)
A new Brazilian privacy regulation, the Lei Geral de Proteção de Dados, commonly referred to as LGPD, is here. Ahead of this regulation going into effect, we're talking with our Co-Founder and Director of Corporate Development, Stephen Cavey. Read on as he shares more information about the regulation and what your company needs to do to comply with it.
What is LGPD?
Short answer: you can think of it as Brazilian GDPR. LGPD is a far-reaching data protection regulation intended to increase privacy and protect the data of Brazilian consumers. Just as GDPR is an EU law, LGPD is a Brazilian law, and it applies to any company that makes its website or services available to Brazilian citizens, including US companies.
It grants Brazilian consumers the right to:
When does it take effect?
The LGPD goes into effect on 15 February 2020. It does not have an enforceable date like the California Consumer Privacy Act (now in effect; enforceable beginning 1 July 2020), but companies are expected to make reasonable efforts to meet the requirements in a timely manner, as defined by the national authority, or face penalties. Non-compliance with the requirements of LGPD could result in fines amounting to 2% of gross sales (of the company or a group of companies) or a maximum sum of R$ 50,000,000.00 (fifty million reais) per infringement, approximately USD 12.9 million.*
What does this mean for your company?
If your company is one that must comply with LGPD, you will need to implement policies, procedures, and protocols that:
Once you have these measures in place, you’ll need to continuously monitor your systems to find and secure sensitive data in order to remain compliant and be audit-ready.
How does LGPD categorise personal data?
LGPD states that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment. While this definition will likely be clarified as Brazil nears implementation of LGPD, this regulation takes a broad view of what data qualifies as personal data, even more expansive than GDPR.
How is it similar to GDPR? Different?
At its core, the LGPD emulates GDPR with the intention of providing consumers with more control over their personal data, providing transparency, and holding companies accountable for how they're collecting, using, and protecting data. Just like GDPR in the European Union, LGPD applies to organisations offering goods and services to persons in Brazil (no matter where the processing occurs). Similarly, consumers are given the right to request access to their personal information and to ask for it to be deleted. LGPD also calls for the appointment of a Data Protection Officer (DPO) to oversee policies and procedures related to meeting LGPD regulatory requirements and to maintain compliance on an ongoing basis.
Keep in mind, there are a few key differences.
As noted, LGPD grants Brazilian citizens the right of erasure and a right of access to personal data. Compared to GDPR, LGPD imposes shorter deadlines for controllers to comply with data subject requests (15 days instead of the 30 days imposed by GDPR). Data controllers must notify the National Data Protection Authority and the affected individuals of personal data breaches.
LGPD requires businesses and organisations to appoint a DPO, with one notable difference from GDPR: LGPD does not provide any exemptions for small businesses or small-scale processing. All data controllers are expected to comply with the regulations set forth.
LGPD calls for stricter restrictions on the cross-border transfer of personal data. Such transfers are allowed only (i) to countries deemed by the data protection authority to provide an adequate level of data protection, or (ii) where standard contractual clauses or other mechanisms approved by the data protection authority are in force.**
For a refresher on GDPR, check out our blog.
How can Ground Labs help?
Here's the silver lining: if your organisation has implemented procedures and policies to be GDPR-compliant, you already have the foundation in place to comply with LGPD and other privacy laws. What's most important in each of these cases is to have a solution in place, like Ground Labs Enterprise Recon, to discover your sensitive data and secure it appropriately. The solution is designed to quickly and accurately search across your entire data estate for more than 200 sensitive data types (e.g., credit card numbers, passport numbers, driver's licences) so that you can discover, remediate, and report on sensitive data wherever it resides.
Since we fully expect more privacy laws to be enacted in the coming months and years, taking the necessary first step towards compliance, sensitive data discovery, is essential to adhering to what is becoming the new norm in data privacy legislation. As governments at both the national and local level advocate for their citizens and residents, it's critical that organisations comply with their efforts to increase data privacy and protect personal information for their constituents.