What is Brazil’s LGPD?
The LGPD (Lei Geral de Proteção de Dados), which stands for General Data Protection Law, is a privacy regulation enacted in Brazil. It actively governs the processing of personal data, aiming to protect the rights of individuals and ensure the proper handling of their information.
The LGPD establishes clear guidelines for organizations and individuals that collect, use, store, or process personal data within Brazil. It requires them to obtain explicit consent from individuals before collecting their data and mandates transparent practices regarding data processing.
Who must comply?
Brazil’s LGPD (Lei Geral de Proteção de Dados) applies to various entities and individuals involved in the processing of personal data. The law establishes a broad scope, and the following parties are generally required to comply with the LGPD:
- Controllers: Any natural or legal person, public or private, who determines the purposes and means of processing personal data falls under the category of controllers. Controllers have the primary responsibility for ensuring compliance with the LGPD.
- Processors: Processors are individuals or organizations that process personal data on behalf of the controller. They are required to process the data in accordance with the controller’s instructions and implement necessary security measures.
- Data Subjects: Individuals whose personal data is being processed are granted privacy rights under the LGPD. They have the right to exercise control over their data and ensure its lawful and transparent processing.
- Data Protection Officers (DPOs): Organizations that meet certain criteria, such as processing large-scale data or sensitive personal information, are required to appoint a Data Protection Officer. The DPO is responsible for overseeing data protection activities and ensuring compliance with the LGPD.
- National Data Protection Authority (ANPD): The ANPD is the regulatory authority responsible for overseeing and enforcing the LGPD. It provides guidelines, promotes awareness, and imposes sanctions for non-compliance with the law.
- Service Providers: Third-party service providers that process personal data on behalf of organizations (controllers) are also required to comply with the LGPD. They must adhere to the same privacy and security standards as the controllers.
The LGPD applies to both domestic and foreign entities that process personal data of individuals located in Brazil, as long as the data processing activities are related to offering goods or services to individuals in Brazil or involve the processing of data collected in Brazil.
Overall, the LGPD aims to establish a comprehensive framework for the protection of personal data, and its compliance requirements extend to various entities involved in data processing activities.
The cost of violation
LGPD imposes strict obligations on organizations and individuals handling personal data, and violations can result in penalties and legal consequences. The National Data Protection Authority (ANPD) in Brazil is responsible for overseeing compliance with the LGPD and investigating potential violations.
The LGPD establishes various sanctions that can be imposed on organizations or individuals found to be in violation. Potential penalties include:
- Warnings: The National Data Protection Authority (ANPD) may issue warnings to entities that have committed minor violations or as an initial measure to encourage compliance. Warnings serve as an opportunity for the violator to rectify their actions and comply with the LGPD.
- Fines: The LGPD empowers the ANPD to impose fines on violators. The maximum fine that can be imposed is 2% of the violator’s annual revenue in Brazil, limited to a total of 50 million Brazilian Reais (BRL). The specific amount of the fine depends on several factors, such as the nature and extent of the violation, the size of the organization, and its financial capacity.
- Suspension of Data Processing: In serious cases of non-compliance, the ANPD can order the temporary suspension of the processing of personal data by the violator. This measure is intended to halt data processing activities until the violation is rectified and compliance is ensured.
- Prohibition of Data Processing: The ANPD has the authority to prohibit the violator from processing personal data altogether. This penalty can be imposed if the violation is severe and poses significant risks to individuals’ privacy rights.
- Public Disclosure of Violations: The ANPD can publicly disclose the violation and the identity of the violator after due process. This measure aims to raise awareness and discourage non-compliance with the LGPD by exposing the violator’s actions.
It’s important to note that the ANPD has the discretion to determine the appropriate penalty based on the circumstances of each case. The severity of the violation, the entity’s cooperation with authorities, and efforts to rectify the non-compliance may be taken into account when determining the penalties.
Know your privacy rights
Under Brazil’s LGPD (Lei Geral de Proteção de Dados), individuals are granted several privacy rights to protect their personal data. Here are the key privacy rights established by the LGPD:
- Right to Information: Individuals have the right to receive clear, transparent, and easily understandable information about the purposes and methods of data processing.
- Right to Access: Individuals can request access to their personal data held by organizations and receive detailed information about how their data is being processed.
- Right to Rectification: Individuals have the right to request the correction of inaccurate or outdated personal data.
- Right to Deletion: Individuals can request the deletion of their personal data when it is no longer necessary for the purposes it was collected, when the consent is revoked, or when the data processing is unlawful.
- Right to Portability: Individuals can request their personal data in a structured, commonly used, and machine-readable format, allowing them to transmit it to another organization.
- Right to Restriction of Processing: Individuals can request the temporary suspension of the processing of their personal data in certain circumstances, such as when the accuracy of the data is contested.
- Right to Object: Individuals have the right to object to the processing of their personal data, particularly in cases of direct marketing or processing based on legitimate interests.
- Right to Consent: Individuals must give explicit and informed consent before their personal data is collected and processed. They have the right to withdraw their consent at any time.
- Right to Data Portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller when technically feasible.
- Right to Protection: Individuals have the right to have their personal data processed securely and protected against unauthorized access, loss, or disclosure.
- Right to Anonymization, Blocking, or Elimination: Individuals have the right to request the anonymization, blocking, or deletion of unnecessary or excessive data.
- Right to Complaint: Individuals can file complaints with the National Data Protection Authority or other competent authorities if they believe their privacy rights under the LGPD have been violated.
These privacy rights aim to empower individuals and give them control over their personal data, promoting transparency, accountability, and the protection of privacy in data processing activities.
Best practices to achieve compliance
Businesses can take proactive measures to reduce the risk of violating Brazil’s LGPD (Lei Geral de Proteção de Dados) regulation and ensure compliance with the law. Here are some key steps they can take:
- Understand the LGPD Requirements: Businesses should thoroughly familiarize themselves with the provisions and requirements of the LGPD. This includes understanding the definition of personal data, consent requirements, lawful bases for processing, data subject rights, and obligations regarding data security and breach notification.
- Conduct a Data Audit: Perform a comprehensive data audit to identify and document the personal data your organization collects, processes, and stores. This includes understanding the purpose of data collection, the legal basis for processing, data retention periods, and any third parties with whom the data is shared.
- Update Privacy Policies and Notices: Review and update your privacy policies, notices, and consent mechanisms to align with the LGPD’s requirements. Ensure that they are transparent, concise, and accessible to data subjects, providing clear information on how their personal data is collected, used, and protected.
- Implement Data Subject Rights Processes: Establish processes and procedures to effectively address data subject rights, such as requests for access, rectification, deletion, and data portability. Develop mechanisms to verify data subject identities and respond to these requests within the timeframes specified by the LGPD.
- Obtain Proper Consent: Ensure that you have obtained valid and explicit consent from data subjects before processing their personal data. Implement mechanisms to record and manage consent, allowing individuals to withdraw their consent if desired.
- Implement Security Measures: Establish appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure. Implement encryption, access controls, regular data backups, and other security measures based on the sensitivity of the data being processed.
- Train Employees: Conduct regular training sessions to educate employees about their responsibilities under the LGPD, including data handling practices, security protocols, and how to handle data subject requests. Promote a culture of privacy and data protection throughout the organization.
- Conduct Vendor Due Diligence: Review and update contracts with third-party vendors and service providers to ensure they comply with the LGPD’s requirements. Implement measures to ensure that data transfers to third parties are carried out securely and lawfully.
- Establish Data Protection Impact Assessment (DPIA) Processes: Identify high-risk data processing activities and perform Data Protection Impact Assessments (DPIAs) to evaluate and mitigate privacy risks. Implement necessary safeguards to address the risks identified.
- Establish an Incident Response Plan: Develop an incident response plan to effectively address data breaches or incidents involving personal data. This includes timely detection, containment, investigation, and notification of data breaches to the appropriate authorities and affected data subjects.
BigID’s Approach to Brazil’s LGPD Compliance
BigID is a data intelligence platform for privacy, security, and governance that assists businesses in complying with Brazil’s LGPD (Lei Geral de Proteção de Dados) regulation. BigID can help in the following ways:
- Data Discovery and Inventory: BigID’s Privacy Suite discovers and maps personal data across all your organizations systems and data repositories. It automatically scans and identifies personal data, creating a comprehensive inventory of data assets. Enabling greater understanding of what personal data you have and where it is located— a crucial component for LGPD compliance.
- Data Subject Rights Management: BigID’s Data Deletion App streamlines the management of data subject rights, such as access, rectification, deletion, and data portability requests. It helps automate the process of handling these requests, ensuring timely and compliant responses.
- Consent Management: BigID’s Consent Governance App captures, manages, and tracks data subject consent. Enabling your organization to obtain and document explicit consent for data processing activities, maintaining an auditable record of consent. This supports LGPD’s requirement for valid and informed consent.
- Data Minimization and Retention: BigID’s Data Retention App applies data minimization principles by identifying and categorizing unnecessary or excessive personal data. It assists in defining appropriate data retention periods and implementing policies to manage data retention and disposal. This aligns with LGPD’s provisions on data minimization and retention.
- Privacy Risk Assessment: The PIA Automation App offers privacy risk assessment capabilities to evaluate and manage privacy risks associated with personal data processing activities. It helps identify high-risk data processing practices, enabling organizations to implement necessary safeguards and mitigate risks. This aligns with LGPD’s requirement for conducting Data Protection Impact Assessments (DPIAs).
- Data Breach Readiness and Response: BigID’s Breached Data Investigation App assists organizations in data breach readiness and response. It helps detect and investigate data breaches, facilitating prompt incident response and notification to relevant authorities and affected data subjects. This capability supports LGPD’s requirements for timely breach detection and notification.
- Automated Data Protection Controls: BigID provides automated data protection controls to enforce data access controls, data encryption, and other security measures. It helps organizations implement technical and organizational safeguards to protect personal data, which is crucial for LGPD compliance.
- Reporting and Analytics: BigID offers comprehensive reporting and analytics capabilities, providing organizations with insights into their data privacy posture. It helps generate compliance reports, monitor privacy metrics, and track key performance indicators related to LGPD compliance.
Get a free 1:1 demo to learn more about how BigID can help your organization achieve compliance with LGPD and all your privacy initiatives.