Brazilian General Data Protection Law

Statistics show consumers are becoming more concerned with how their personal data is collected and used. In response to surveys conducted in 2018, two-thirds of U.S. adults expressed a desire for laws to give them more “privacy, security and control” when it comes to data, and 71% said they were concerned about the way their data was collected and used.

This concern extends outside the U.S., and countries around the world are putting new data protection regulations in place to address consumers’ growing distrust of the companies with which they interact. The Brazilian General Data Protection Law or LGPD which is “Lei Geral de Proteção de Dados” in Portuguese, approved in August of 2018, is one such regulation set to go into effect in early 2020 with the goal of bringing protections similar to those of the EU’s General Data Protection Regulation (GDPR) to Brazil’s residents.

What is the Scope of the LGPD?

Brazil’s new regulation applies to businesses and organizations operating online and offline in both the public and private sectors. This includes any entity processing the personal data of Brazilian citizens. Like the GDPR, the LGPD is extraterritorial, meaning organizations in any country with branches in Brazil or offering services to Brazilian markets is required to comply.

The LGPD holds both controllers and processors responsible for data security. Controllers are defined as those who determine “the purposes and means of the processing of personal data,” and processors are the entities handling the actual act of data processing. It’s a risk-based approach designed to discern and mitigate potential threats to consumer data through a set of principles and actions.

What Does Compliance Entail?

The LGPD shares many characteristics with the GDPR and includes additional parameters relating to data processing and user requests. To be in compliance, businesses must adhere to “lawful grounds” and principles for processing data, including fairness, accountability, non-discrimination, accuracy and transparency in data use.

Anyone whose data is collected and processed has the right to access, cancel or exclude data, as well as to revoke previous consent, object to data processing or ask for an explanation of data use. Any request for access to personal data or for data to be erased must be fulfilled within 15 days.

Other key points in the LGPD include:

• Obtaining “informed, unambiguous” consent for data processing from all users
• Appointing a data protection officer (DPO)
• Providing notification of data breaches within a “reasonable” time frame
• Building privacy measures into business models, products and services
• Setting standards for information security

What is “Personal Information,” According to the LGPD?

Privacy regulations differ on the exact definition of personal information, which can mean businesses complying with one set of laws may not meet the standards of another. To fulfill the obligations set forth in the LGPD, information must be protected if it:

• Allows for the identification of a natural person
• Can be used to make a person the target of “certain behavior”
• Could be used, in theory, to discriminate against an individual on the basis of race, ethnic origin, religion, political stance or health status
• Can “unequivocally” identify a person, such as in the case of genetic or biometric data
• Anonymized data that has been reverse-engineered or is used to profile behaviors

Tips for Better Compliance

Failing to comply with the LGPD standard can cost a business 2% of its turnover in Brazil from the previous fiscal year, up to $13,305,675 per violation. Daily fines may also be issued to non-compliant companies as a way to prompt them to put proper privacy and security parameters in place.

Businesses falling under the scope of the LGPD can avoid fines and penalties by becoming familiar with the specifics of the new regulations and taking additional steps to strengthen data security in general. These may include:

• Publishing a clear privacy policy easily accessible and understood by consumers
• Being unambiguous about the types of privacy protection used for data at rest, in use and in transit
• Conducting data protection impact assessments to visualize data processing activities in projects, cite potential risks and identify steps for mitigation

If it’s unclear whether current policies meet compliance requirements, businesses may benefit from working with a data privacy lawyer or certified data protection expert to determine appropriate actions.

Businesses and organizations need to understand the impact of the LGPD in the context of the full scope of current data protection regulations, as well as any other regulations introduced in the coming years. If other countries follow suit, it’s likely more laws with international reach will go into effect, requiring businesses around the world to become more diligent in the way they protect data. Working closely with security personnel to develop embedded security processes, close gaps and monitor for flaws in systems creates a framework on which businesses and organizations can rely as compliance becomes more complex.