Brazil’s LGPD Goes Into Effect: What Companies Need to Know
For privacy officers who have had their hands full this summer with the July 1 enforcement of the California Consumer Privacy Act (CCPA), followed by the sudden invalidation of Privacy Shield a few weeks later, the Brazilian General Data Protection Law (Lei Geral de Protecao de Dados or LGPD) going into effect comes as a third surprise.
Despite Brazil President Jair Bolsonaro’s executive order to delay LGPD’s effective date to the end of the year — and the National Congress’ approval of the postponement — the Brazilian Senate ultimately overturned the delay, bringing the law into effect on September 10.
How to Achieve LGPD Compliance
The LGPD presents a number of practical challenges for compliance. The first is the need for deeper discovery. Traditional approaches to data discovery do not consistently identify personal data and sensitive data for processing purposes.
An expanded definition of personal data under LGPD requires that companies be able to automatically link and classify data — and understand how identifiers are related to each other based on measures like proximity.
In addition, the law’s new data rights create a deeper need for businesses to understand data in context so they can appropriately process it, facilitate the rectification and erasure requirements, and have the ability to create policies that are in tandem with the strict set of legal bases for processing the data.
New retention requirements under LGPD create the need to set internal data retention policies that companies can take immediate action on — including data collected via an online service — while also being able to identify duplicate and redundant data, which extends into the data governance space.
With BigID, companies can get ahead of these challenges by:
- Knowing their data: Combine the identification of personal data and the classification of sensitive data.
- Understanding whose data it is: Contextualize data with identity profiling and data indexing that covers personal data and sensitive data.
- Tagging and labeling data for legal purposes: Ensure that data is being processed in accordance with defined legal bases of the law.
- Minimizing duplicate or sensitive data: Enable data minimization with duplicate identification and apply retention rules based on a disclosed purpose.
- Managing data risk: Discover, classify, and map user credentials to apply controls for breach risk reduction.
- Automating data access rights fulfillment: Automate manual fulfillment of individual data access and deletion requests.
- Reporting on whose data they have: Enable correction workflows and validate whether sensitive data is being captured.
- Detecting out-of-policy, cross-border data transfers: Track data access, usage, and transfer violations across the organization for immediate action.
The Differences Between LGPD and GDPR
Similar to how the EU’s General Data Protection Regulation (GDPR) safeguards the data of EU residents, LGPD applies data protection obligations to any company — public or private, operating online and offline — that processes the personal data of Brazilian residents, regardless of where the company is located.
Personal Data and Sensitive Personal Data
The laws use similar terminology to refer to data “controllers” and “processors,” and are nearly identical in how they define personal data as “information related to an identified or identifiable natural person.”
In other words, personal data under both GDPR and LGPD includes data that directly identifies an individual or that makes an individual identifiable. Anonymized data does not expressly fall under GDPR or LGPD’s scope.
While the LGPD also includes a similar definition of “sensitive personal data,” as GDPR, the Brazilian law sets a more stringent set of requirements and reduces the number of legal bases available for any processing of this type of data.
Legal Grounds for the Processing of Personal Data
The GDPR sets forth six lawful bases for processing non-sensitive personal data — and LGPD upholds all of those, plus adds four more, effectively expanding the conditions under which processing can be authorized.
LGPD legal bases also stipulated by GDPR include:
- data owners’ consent
- to comply with a legal obligation
- to enforce regulations or public policies under law
- to protect someone’s life or health
- if necessary for the performance of a contract
- to serve legitimate interests of the controller or third parties
New lawful bases stipulated by LGPD include:
- for research purposes, provided data is anonymized
- for credit protection
- for health care purposes by health care professionals and entities
- to enforce rights in judicial or administrative proceedings
Timeframes for Data Retention
Similar to the GDPR, companies can only retain personal data as long as one of these legal bases that allow its processing is in effect.
If a company operates in Brazil and offers online services, it needs to comply with the data retention obligations set forth in the Internet Act. This means that companies must keep Internet application access records — including a user’s IP address — stored for a six-month period in a secure environment.
LGPD Data Subject Rights
LGPD provides a number of rights for data subjects with regard to their personal data. Data controllers are legally responsible for ensuring subjects the ability to exercise those rights, and data processors can also receive a request from data subjects to guarantee the exercise of their rights.
Data subject rights over their personal data include the right to:
- confirm the existence of personal data being processed
- access the personal data
- rectify incomplete, inaccurate, or outdated data
- delete unnecessary, excessive, or non-compliant personal data
- expressly request that data be portable to another service or provider
- erase any personal data processed under the data subject’s consent
- be informed about third parties with whom data is shared
- be informed about the possibility to refuse consent — and the consequences of that refusal
- withdraw consent
- request a review of automated decision making
In the EU under GDPR, companies must respond to data subject access requests (DSARs) within one month, with some allowances for more complicated requests, but the LGPD’s time frame is half of that at 15 days. LGPD also requires immediate response to other data subject requests, apart from access.
The law also includes restrictions on cross-border data transfers to third countries that ensure an adequate level of protection. As of right now, there is no clarity as to which countries that includes or which appropriate safeguards — like Standard Contractual Clauses or Binding Corporate rules — companies can rely on.
The assumption is that since the LGPD is largely inspired by the GDPR, it is likely that countries from the European Union will be considered adequate.
LGPD Enforcement Date and Agency, ANPD
Though the LGPD’s provisions addressing penalties will not be enforced until August 1, 2021, Brazilians are entitled to seek remedies if they find that they have been damaged by a violation of the law. Similar to the US, Brazil is considered to be a litigious society — between plaintiff attorneys and over 900 prosecutors, we will likely see many civil actions filed on behalf of private litigants and the public.
President Bolsonaro has already approved a regulatory structure and framework for establishing a Brazilian Data Protection Authority (the “ANPD”), which is tasked with overseeing personal data protection measures, developing relevant guidelines, and investigating and enforcing the law.
Data Protection Officers
The role of data protection officers (DPOs) under GDPR is more stringent than under LGPD. While GDPR specifies certain conditions under which organizations must appoint a DPO, LGPD contains no such specification, stipulating more broadly that “the controller shall appoint an officer to be in charge of the processing of data.”
This suggests that while organizations subject to LGPD are required to appoint a DPO, their various roles and relative independence from the privacy office is unclear. The hope is that clarification may follow as the ANPD develops more guidelines and controls, this remains to be seen.
Penalties for LGPD Violation
LGPD carries with it heavy enforcement penalties in addition to civil liability, such as fines up to 2% of the company’s gross income in Brazil in its previous fiscal year, the temporary suspension of the company’s ability to use personal data, partial or total suspension of the database, and suspension of business activities.
Consequently, any organization processing the personal data of Brazilian residents should ensure they are in compliance with LGPD and pay close attention to any guidance issued from regulators in the coming months.
See how BigID can help you ensure your organization’s compliance with LGPD so you can, as the Brazilian saying goes, fique tranquilo.