February 10, 2020

LGPD: How Businesses Can Prepare for Brazil’s Data Protection Law

Brazil’s General Data Protection Law (LGPD) owes a lot to the EU’s General Data Protection Regulation (GDPR). 

Brazil’s General Data Protection Law (LGPD) owes a lot to the EU’s General Data Protection Regulation (GDPR). 

However, this does not mean that the LGPD is a carbon copy of the GDPR. Instead, the two laws have several crucial differences that companies that operate in Brazil need to know. 

What is LGPD?

The LGPD came into force on May 3, 2021, but the application of fines and sanctions will only take effect on August 1, 2021. The LGPD establishes new legal guidelines for the collection,  processing, use, and storage of personal information obtained from or related to individuals in Brazil irrespective of the data processor’s location.

Before the adoption of the LGPD, the data protection legal system in Brazil was sector-specific and mainly overseen by the country’s Civil Rights Framework for the Internet, which is commonly referred to as the Internet Act, and the Consumer Protection Code.

Learn more about what LGDP is here.

Take a look at the 2022 LGPD updates.

What is Regulated by the LGPD?

The LGPD controls the gathering and utilization of personal information. In the context of this law, personal information refers to the data that can be linked to an identified or identifiable natural person, which is in either non-digital or digital format. 

A unique aspect of LGPD’s definition of personal information is the fact that it does not provide examples of what constitutes personal data.

Apart from personal information, LGPD also oversees sensitive personal information. Under this law, personal information is described as data connected to a person’s;

  • Ethnicity
  • Religious beliefs 
  • Political views 
  • Union membership
  • Political organization 
  • Health 
  • Sexual preference, 
  • Genetic, or 
  • Biometric profile

However, similar to GDPR, LGPD outlines certain exceptions concerning its application to personal data. 

Primarily, this regulation does NOT apply to anonymous information or data used for the following purposes;

  • Family
  • Artistic
  • Journalistic
  •  Academic 
  • National security
  • B2B exchanges

Who Needs to Comply?

The LGPD applies to controllers and processors of personal information. A controller is a natural or legitimate party that determines how and why to obtain and process personal data. On the other hand, a processor is any entity that handles the data as instructed by the controller.

Similar to both the GDPR and the CCPA, LGPD applies to all sectors. Furthermore, the regulation is also characterized by an extraterritorial application.

Primarily, the scope of the LGPD covers any person, company, public or private, irrespective of where it is located, that;

  • Collects or processes personal information in Brazil
  • Aims to provide commodities or services to Brazilian residents.

How the LGPD will be implemented means that an organization collecting or processing personal information of Brazilians does not to be headquartered in the country for it to be subject to this law.

Similar to the CCPA and LGPD, failure to comply with the LGPD when it comes into effect can lead to severe consequences for a business. 

Essentially, LGPD sanctions can result in;

  • a company being fined up to 2% of the gross turnover raised from Brazil or 50 million reais for every violation.
  • the disclosure of the infringement, i.e. through the National Data Protection Authority’s determination, the LGPD infringement can be broadly disclosed in the media for public knowledge.

How Can Companies Prepare for the LGPD?

Businesses operating in Brazil must streamline their practices to ensure that they comply with the LGPD by August 2021. The preliminary steps towards achieving compliance include;

  • Mapping all activities involving personal data processing inclusive of collection, storage, and sharing procedures. Furthermore, the verification of whether the processing of sensitive personal data is ongoing is crucial.
  • Defining the most relevant legal bases for handling personal information in line with the specific objective. In this context, some of the legal bases for processing personal information under the LGPD include consent, valid interest, contract execution, the fulfillment of legal or statutory requirements, among others.
  • Evaluating whether discrepancies exist between regulatory requirements and the activities of the business and identifying the compliance measures to be implemented
  • Implementing tools that permit consumers to exercise their privileges, which are guaranteed under the LGPD.
  •  Appointing a Data Protection Officer, although there is a chance that the Brazilian national authority may outline exceptions of the need for such an appointment according to the company’s size, nature, and volume of data processing operations. Take a look at our Data Processing Agreement Guide
  • Developing, analyzing, adapting, and reviewing contracts connected to the processing or sharing of personal information, in engagements with consumers, as well as with suppliers and corporate partners.
  • Preparing Data Protection Impact Assessment Reports in instances where data processing is carried out on the basis of legal interest, as well in other circumstances where this strategy is advisable.
  • Developing and evaluating internal policies, incident response plans, and other documents on privacy and protection of personal information
  • Assessing and adopting information security measures and procedures, as well as privacy by design and by default systems
  • Adopting a personal information protection governance program

Identify where to begin, what shortcomings exist in your privacy practices, and create a focused action plan with the help of a data privacy law expert by booking a call with us today.

Check out the latest updates to LGPD here.

Additional Resources:

- Learn more about the LGPD by downloading your free e-book today