LGPD: Brazil’s Data Protection Law Explained
What is Brazil’s LGPD?
Brazil’s Lei Geral de Proteção de Dados Pessoais do Brasil, also known as LGPD, is a data protection law implemented on August 14, 2018, after years of debate and consultation. The data protection law was inspired by and is relatively similar to the European Union’s General Data Protection Regulation, also known as GDPR. Brazil’s new data protection law, LGPD, will go into effect in May 2021 and require companies to comply with strict requirements related to the processing of personal data and sensitive personal data.
What is Personal Information?
The LGPD also defines what personal data or personal information is, similar to the GDPR’s own definition of personal data. The LGPD states that personal information or personal data can refer to any data that, either by itself or combined with other data, can identify a natural person or subject them to a particular treatment.
Does LGPD Apply to My Business?
Follow these guidelines regarding who LGPD applies to and who is exempt:
Who It Applies To
The LGPD applies to any public or private individual or company with personal data processing activities carried out in Brazil, including the collection of personal data, regardless of where the company is geographically located. Companies that offer or supply goods or services in Brazil must also comply with LGPD.
It is also important to note that LGPD does not just apply to data collected from Brazilian citizens. Any individual who has personal data collected while inside Brazil is also protected under LGPD.
Who is Exempt
LGPD does not apply to data processing by a person who is processing data for personal purposes, for journalistic, artistic, literary, or academic purposes, or for national security, national defense, public safety, or a criminal investigation.
LGPD Compliance: The Nine Rights
Article 18 of LGPD explains the nine fundamental rights that data subjects have under LGPD, including:
- The right to access the data
- The right to confirmation of the existence of the processing
- The right to correct incomplete, inaccurate, or out-of-date data
- The right to anonymize, block or delete unnecessary or excessive data or data not being processed in compliance with the LGPD
- The right to delete personal data processed with the consent of the data subject
- The right to the portability of data to another service or product provider, through an express request
- The right to information about public and private entities with which the controller has shared data
- The right to information about the possibility of denying consent and the consequences of such denial
- The right to revoke consent
LGPD for Business
Here is everything you need to know about your responsibilities as a business, as it pertains to the LGPD:
Obligations from Businesses
LGPD imposes the following obligations on businesses:
- Inform, correct, anonymize, delete, or provide a copy of the data if requested by the data subject
- Delete customer data after the relevant relationship terminates
- Appoint a DPO officer responsible for receiving complaints and communications
- Adopt technical and administrative data security measures to protect personal data from unauthorized access, accidents, destruction, and loss
- Provide a data breach notification to both the data subjects and local authorities in case of a breach
Outgoing President Michel Temer signed an executive order on December 28, 2018, that officially created the ANPD, which stands for Brazilian National Data Protection Authority ( Autoridade Nacional de Proteção de Dados in Portuguese). The authority fully enforces all aspects of the LGPD. It is technically independent of the Brazilian government, although it is tied directly to the office of the president.
Section 55(j) of Executive Order no. 869/18 establishes that the ANPD has the authority to, among other things:
- Issue rules and regulations regarding data protection and privacy;
- Within the administrative sphere, exclusively interpret the LGPD, including cases in which the law is silent;
- Request information regarding the processing of personal data from data processors and controllers;
- Exclusively oversee and impose administrative sanctions for violations of the LGPD;
- Promote data protection and privacy within the Brazilian society; and
- Develop studies regarding domestic and international data protection and privacy practices and establish partnerships with authorities from other counties to increase international cooperation.
Under the Brazil LGPD (also known as LGPD Brasil), fines and penalties are not as punitive as the GDPR. The maximum administrative sanctions under the LGPD are 2% of the company’s Brazilian revenue of up to $8.9 million per infraction, compared to 4% of global revenue or up to $23.8 million under GDPR compliance.
How to Become LGPD Compliant
In order to be LGPD compliant, your business needs to create the position of Chief of Data Treatment, which is the data protection officer or DPO in charge of the data processing operation. Your DPO is responsible for accepting complaints and communications from data subjects and the national data protection authority as well as orienting employees about good practices and performing other duties determined by the controller or outlined in complementary rules.
If a data breach occurs, the controller needs to provide a data breach notification to the National Data Protection Authority (ANPD) and the data subject in a reasonable time period if the breach is likely to cause risk or harm to the data subjects. Your breach notification notice should contain information about the data subjects involved, a description of the nature of the affected personal data, indication of the security measures used, the risks generated by the incident, the reasons for the delay of communication, if any, and the privacy protection measures that were or will be adopted.
LGPD Definition of what is not personal data in Article 1212:
“Anonymized data shall not be considered personal data, for purposes of this Law, except when the process of anonymization to which the data were submitted has been reversed, using exclusively its own means, or when it can be reversed applying reasonable efforts.”
By irreversibly masking personal information and sensitive data, organizations would be protected if this anonymized data was exposed during an accidental or malicious breach.