Introduction
The LGPD (Lei Geral de Proteção de Dados Pessoais, or General Data Protection Law) is a Brazilian data protection law that went into effect on August 16, 2020. It is designed to regulate the collection, use, and storage of personal data of individuals in Brazil.
The LGPD applies to both Brazilian and foreign companies that process the personal data of individuals in Brazil, as well as companies that offer goods or services to individuals in Brazil or that monitor the behavior of individuals in Brazil.
Non-compliance with the LGPD can result in significant fines and other penalties for businesses, including administrative fines, damages to individuals, and even the suspension of the processing of personal data.
It is, therefore, crucial for businesses to ensure that they are compliant with the LGPD to avoid potential legal and reputational risks.
National Data Protection Authority
The National Data Protection Authority (ANPD) is the Brazilian government agency responsible for enforcing the country’s data protection laws, including the General Data Protection Law (LGPD). The National Data Protection Authority is responsible for regulating personal data collection, processing, and storage and ensuring that companies and organizations comply with the LGPD.
It has the power to investigate and enforce penalties for non-compliance and to provide guidance and support to organizations seeking to comply with the LGPD. The National Data Protection Authority also serves as a resource for individuals seeking to exercise their data protection rights. It also provides education and awareness campaigns to help the public understand their rights under the LGPD. Overall, the ANPD is crucial in promoting data protection and privacy in Brazil.
Key Obligations and Steps for LGPD Compliance
In Brazil, the LGPD is a law that aims to protect personal data by requiring companies to get permission from individuals before collecting or using their information. This law also gives individuals the right to request access to, correction of, or removal of their data, as well as the right to object to processing their data.
Complying with the LGPD requires businesses to implement technical and administrative measures to protect personal data and respect the rights of individuals. An LGPD compliance checklist can help companies to ensure that they have considered all relevant requirements under the LGPD and are taking appropriate steps to comply with the law.
To follow the requirements of the LGPD, businesses must take several actions, including:
Identify personal data being collected and processed
The LGPD requires businesses only to collect and process personal data necessary for the specific purpose for which it is being collected. This means businesses must carefully consider the types of personal data they are collecting and ensure that they only contain the minimum amount of data needed to achieve their intended purpose.
To identify the personal data being collected and processed, businesses should conduct a data mapping exercise to identify all personal data flows within their organization. This may include identifying the sources of personal data, the types of personal data being collected, the purposes for which the data is being collected, and the recipients of the data.
Once the personal data flows have been identified, businesses should review the data to ensure that it is being collected and processed in compliance with the LGPD. This may include checking that individuals have given their explicit consent to processing their personal data, that the data is being collected and processed for a specific and legitimate purpose, and that the data is being protected with appropriate technical and organizational measures.
Appoint a data protection officer (DPO)
Under the Brazilian General Data Protection Law (LGPD), businesses that process large amounts of personal data or carry out high-risk processing activities must appoint a data protection officer (DPO).
Data protection officers must be assigned by a data controller, and they are responsible for ensuring that the business is complying with the LGPD and other data protection laws and for advising the business on its data protection obligations.
The DPO is also responsible for handling requests from individuals exercising their rights under the LGPD, such as the right to access, rectify, erase, or object to processing their personal data.
In order to fulfill their responsibilities, the DPO should have a strong understanding of data protection laws and best practices, as well as the specific data processing activities of the business. The DPO should also be familiar with the technical and organizational measures in place to protect personal data and be able to identify and address any potential risks to personal data.
Appointing a DPO is an essential step for businesses to take in order to ensure compliance with the LGPD and protect the rights of individuals. It is also vital for businesses to ensure that the DPO has the necessary resources and support to fulfill their responsibilities effectively.
Implement appropriate technical and administrative measures to protect personal data
The Brazilian General Data Protection Law (LGPD) requires businesses to implement appropriate measures to protect personal data against unauthorized access, misuse, and loss.
There are several technical and administrative measures that businesses can implement to protect this data, depending on the specific risks and needs of the business. Some standard measures include:
Encryption
Encrypting personal data can protect it against unauthorized access, particularly when transmitted over networks or stored on devices.
Access controls
Implementing access controls, such as passwords and authentication protocols, can prevent unauthorized access to personal data.
DATA Security audits
Regular data security audits can help businesses identify and address vulnerabilities in their data protection systems and processes.
Data minimization
By only collecting and processing the minimum amount of personal data necessary for a specific purpose, businesses can reduce the risk of unauthorized access and misuse.
Data retention policies
Establishing clear data retention policies can help businesses ensure that personal data is only kept for as long as needed and is securely erased or anonymized data when it is no longer needed.
Obtain consent for data collection and processing
Under the Brazilian General Data Protection Law (LGPD), businesses are required to obtain explicit consent from individuals before collecting and processing their personal data.
To obtain consent, businesses must provide individuals with clear and concise information about the purpose for which the data will be used and their rights under the LGPD. This information should be provided in a manner that is easily understandable and accessible and must be presented clearly and prominently.
Consent must be given freely, and individuals must be able to withdraw their consent at any time easily. Businesses must also ensure that individuals are not subjected to any negative consequences for withdrawing their consent.
Obtaining consent is an important step for businesses to take in order to ensure compliance with the LGPD and protect the rights of individuals. It is also vital for businesses to keep records of the consent they have obtained to demonstrate compliance with the LGPD if necessary.
Provide clear and concise information about data processing in privacy policies and terms of use
Businesses are required to provide individuals with information about the purposes for which their personal data will be used, as well as information about their rights under the LGPD.
Privacy policies and terms of use are key documents that businesses use to provide this information to individuals. They should be written in a clear and easily understandable manner and accessible to all individuals who may be affected by the data processing activities of the business.
In order to be compliant with the LGPD, privacy policies and terms of use should include information about the types of personal data that will be collected and processed, the purposes for which the data will be used, and the rights of individuals concerning their personal data. They should also include information about the technical and organizational measures in place to protect personal data and how individuals can exercise their rights under the LGPD.
By providing clear and concise information about data processing in privacy policies and terms of use, businesses can help to ensure compliance with the LGPD and protect the rights of individuals. It is also important for businesses to regularly review and update their privacy policies and terms of use to ensure that they keep up with any changes to the law and best practices in data protection.
Implement a process for responding to data subject requests
Under the Brazilian General Data Protection Law (LGPD), individuals have a number of rights in relation to their personal data, including the right to access, rectify, erase, and object to the processing of their personal data. They also have the right to request the portability of their data to another service provider.
In order to comply with the LGPD, businesses must implement a process for handling requests from individuals exercising their rights. This process should be clearly documented and include steps for verifying the identity of the individual making the request, reviewing the request to ensure that it is valid and justified, and responding to the request promptly and appropriately.
It is crucial for businesses to have a clear process in place for responding to data subject requests, as this helps to ensure that they are meeting their obligations under the LGPD and protecting the rights of individuals. It is also important for businesses to ensure that they have the necessary resources and support in place to handle requests efficiently and effectively.
Conduct regular data protection impact assessments (DPIAs)
Under the Brazilian General Data Protection Law (LGPD), businesses are required to conduct DPIAs in certain circumstances, such as when they are planning to implement new data processing activities or considering using new technologies that may have an impact on the rights of individuals.
A data protection impact assessment (DPIA) is a risk assessment process that helps businesses to identify and address the potential risks to personal data that may be associated with their data processing activities. It involves examining the nature, scope, context, and purposes of the processing, as well as the likely risks to the rights of individuals.
By conducting regular DPIAs, businesses can ensure that they are meeting their obligations under the LGPD and minimizing the risk of non-compliance. It is also essential for businesses to document their DPIAs and keep them up to date in order to be able to demonstrate compliance with the LGPD if necessary.
Implement a process for reporting data breaches to the authorities
Under the LGPD, businesses are required to report certain types of data breaches to the authorities within a specified time frame.
A data breach is defined as any unauthorized access, use, disclosure, destruction, or alteration of personal data that results in, or is likely to result in, harm to individuals. This may include incidents such as cyber-attacks, unauthorized access to personal data, or the loss or theft of data storage devices.
In order to comply with the LGPD, businesses must have a clear process for identifying and reporting data breaches. This process should involve steps for identifying the cause of the breach, assessing the impact on individuals, and taking steps to mitigate any potential harm. It should also include procedures for communicating the breach to the authorities and affected individuals.
Tell me the meaning of personal data under LGPD
LGPD has broad definitions regarding information. Like GDPR, personal data in relation to the LGPD relates to information about identified individuals. All data relating to identifiable individuals are regarded individually as being ‘personal data’. It includes information a single person might combine with other information to obtain identification information.
What about the LGPD and Anonymized data?
Data that cannot directly or indirectly be used for identification is not included in LGPD. Nevertheless, when the privacy of the anonymized data can be removed or based on behavioral profiling, then the LGPD still applies. Typical personal data include basic identification and medical data, including names, health genetic & biometric information, Internet data, IP and personal email address/phone numbers, or other data that can be used to identify you personally. Nonpersonally identifiable information includes company names, company email addresses such as info@company.com, and identifying information.
Special note on sensitive data under the LGPD
Generally, a person can only share sensitive data that are distinct from “normal” people’s personal info. Various rules apply. Sensitive data can be identified by genetic and biological characteristics or by using genetic or biometric data. Because the processing of sensitive information is more likely to pose a threat of discrimination, sensitive data needs extra protections and legal bases.
Brazil LGPD: Definitions
The LGPD defines important words in Article 5. This list helps clarify the legal scope and jurisdiction.
How does LGPD define personal data?
The statutory definition of “personal information” by the LGPD means information concerning an identifiable natural person”. A “Natural person” is a living individual compared with a legally identifiable person. Unlike other privacy legislation, the LGPD does NOT restrict a definition to a set of specific identifications of data. It also provides no specific example of personal information. The LGPDs definition of personal information is in line with GDPR regulations. In the future, Brazilian regulators will likely look more specifically at data that includes personal information.
The difference between a controller and a processor
The key players at Brazils LGPD were “controller” and “processor”. A controller can be a public or private entity with the authority to make decisions about personal data processing. When a company collects personal information from a mailing list, it holds these records. Processing entities are private individuals who process information in their name. When e-commerce companies receive business mailing lists, they act as processors for them.
The meaning of sensitive personal data
The LGPD defines a variety of information types as personal information, which includes: The data is confidential, is regulated by specific laws affecting the use of personal information, and must be handled carefully.
The definition of a data subject
The LGPD definition is used to describe the Personal Data Subject. A data subject can be any person in your organization that is connected to your business.
Tips for implementing LGPD compliance
Implementing compliance with the Brazilian General Data Protection Law (LGPD) can be a complex process, as it requires businesses to put in place a range of technical and organizational measures to protect personal data and ensure the rights of individuals are respected.
However, there are a number of steps that businesses can take to make the process of implementing LGPD compliance easier and more effective. Some tips for implementing LGPD compliance include:
Conduct regular training for employees on data protection best practices
Ensuring all employees are aware of the data protection rules and regulations that apply to their work is crucial for implementing LGPD compliance. Regular training sessions can cover topics such as data protection best practices, the rights of data subjects, and the steps employees should take to protect personal data.
Review and update contracts with third parties to ensure they meet LGPD requirements
If your organization shares personal data with third parties, such as service providers or partners, it is essential to ensure that these contracts and agreements comply with LGPD requirements. Review and update these agreements as necessary to ensure compliance.
Regularly review and update data protection policies and procedures
The LGPD is a new and evolving piece of legislation, and it is important to regularly review and update your organization’s data protection policies and procedures to ensure that you are complying with the latest requirements. This may include establishing guidelines for handling personal data, setting up procedures for handling data breaches, and responding to requests from data subjects.
Conclusion
LGPD compliance is essential for businesses operating in Brazil. By following the data protection rules and regulations outlined in the LGPD, companies can protect the rights of individuals and avoid fines and penalties. While implementing LGPD compliance may require some effort and resources, the benefits of having a strong data protection program in a place far outweigh the costs. Not only will a compliance program help an organization avoid costly fines and legal issues, it will also help to build trust with clients and stakeholders, as well as protect the reputation of the organization. Ultimately, LGPD compliance is a key aspect of responsible and ethical business practices, and it is essential for any organization operating in the digital age.
The Pandectes GDPR Compliance app helps eCommerce businesses comply with data privacy laws, including the GDPR, LGPD, and others. It offers tools like a cookie manager, cookie compliance, and a data subject requests portal. The app simplifies compliance with data privacy laws and helps protect the personal data of customers and clients.