What is the LGPD?

Your Guide to the LGPD, Brazil’s One-Stop Shop Data Protection Law

Brazil used to have more than 40 statutes governing personal data at the federal level. That is before LGPD (Lei Geral de Proteção de Dados) came into effect last year. Some of these statutes were contradictory and others were simply enforced inconsistency. 

So, what is the LGPD and how does it work? Read on to find out more about this bold attempt to replace and supplement what had become a disparate bundle of laws with one meaningful whole. 

What Is the LGPD?

The LGPD shares many similarities with the EU’s GDPR (General Data Protection Regulation). Those who are GDPR compliant will have already completed much, but not quite all of the work needed to comply with the LGPD because of these parallels.

The LGPD’s goal is to improve an individual’s control and rights over their personal data while at the same time attempting to simplify the regulatory environment for international trade and business.

Like the GDPR in the EU, any organization that processes the data of people in Brazil must abide by the LGPD regardless of its physical location or headquarters. Even if a business operates from another nation, if the data is used to promote the offer of goods or services to individuals in Brazil then the organization must be LGPD compliant.

Unlike the GDPR, the LGPD applies to businesses of all sizes. Although there are a few exceptions, including the collection of data exclusively for journalistic, artistic, and academic purposes. These exceptions also extend to matters of public safety and national defense too.

The Types of Data Protected           

The LGPD defines personal data in broad terms. The data can include any information related to an identified or identifiable natural person. In the text, the word ‘identifiable’ refers to the types of information that an organization might put together for work purposes, that could then be used to identify someone. In effect, the LGPD classifies almost any data as personal data.

The LGPD makes provisions related to sensitive personal data. This data that is considered especially prone to discriminatory practice includes information about:

• Racial or ethnic origin
• Religious belief or political opinion
• Membership of a trade union or a religious, philosophical, political organization 
• Health status, and genetic or biometric data 

Due to the sensitive nature of this data, businesses may only use it in certain circumstances. Article 11 of the 65 LGPD Articles explains what these are.

LGPD Compliance and Protecting the Rights of Individuals

Brazil’s general principles of data protection are the cornerstone of the LGPD’s compliance requirements. These sit alongside the protection of individuals’ rights outlined in the law.

Article 18 of the LGPD sets out these rights and makes it clear that individuals should be able to exercise them in a way that’s open and accessible. Here’s a description of some of those key rights:

1. Individuals should have access to the data along with the chance to amend any that’s not complete, accurate, or up-to-date.
2. If it is determined that the processing of data is ever out of compliance with the provisions of the law, or is excessive or unnecessary, then the blocking, anonymization, or deletion of the data may take place. 
3. Individuals have a right to access a copy of their personal data processed by the controller upon an express request.  
4. The deletion of any processed personal data may take place when the data subject has given permission to do so. This is outlined in the circumstances set out in Article 16 of the law.
5. Information about private and public entities that the controller has shared data with should be publicly available.
6. Individuals should have the opportunity to revoke consent to their personal data.
   

The LGPD expands on issues related to an individual’s right to information and specifically on the sharing of data. This separate right addresses what happens in circumstances when there is a refusal to consent. 

This is a step further than what the GDPR does as this also gives individuals greater transparency and a better understanding of the impact of their choices.

General Principles of the LGPD

The LGPD lays out 10 principles to consider when processing personal data. These are there to help the Brazilian Data Protection Authority (ANPD) determine if a company is complying with the law. 

The 10 general principles are: 

• Purpose
• Suitability
• Necessity
• Free access
• Quality of the data
• Transparency
• Security
• Prevention
• Non-discrimination 
• Accountability
  

In a similar way to the GDPR, the LGPD puts restrictions on data processing in certain circumstances. A company must be able to show an itemized category of processing as set out in its text. The most popular and simplest category requires the organization to get the consent of the data subject. 

For consent to be valid, the LGPD says that organizations need to spell out the purpose of processing. They must also state the duration of processing, the identity of the data controller, and any issues related to data sharing.

Data Protection Officers and Data Breaches

The LGPD requires organizations to have a Data Protection Officer (DPO). However, this does not have to be an individual person. Companies, committees, or other internal groups can serve as DPOs.

An organization may outsource the position to a third party, such as a specialized company or law firm. This varies slightly from the GDPR. Data breach notification requirements under the LGPD are also remarkably different from the GDPR. 

The LGPD is tougher than its European counterpart when it comes to data breaches. That’s partly because it says that a controller must inform both the ANPD and the individuals involved about security incidents. 

Fines for Data Breaches

Fines for serious breaches under the LGPD are less severe than under the GDPR. The maximum is 2% of an entity’s revenue in Brazil, up to 50 million reals or around €8 million. 

By contrast, the maximum GDPR fines for data violations are far higher for organizations that commit grave GDPR breaches. They are up to €20 million or 4% of annual global revenue, whichever is higher.

LGPD Compliance and the Future for Organizations Operating in Brazil

The world’s digital economy is growing rapidly as is the use of personal data. The LGPD is going to affect all organizations doing business in Brazil. That means companies across the board will have to adapt their data collection practices.

Read more articles here about data compliance issues that might affect you and your business.