YAPR – Yet Another Privacy Regulation – An LGPD Primer
Data is what makes the world go ‘round today.
This is evident from the lengths to which companies are willing to go, to capture, analyze, and share your data. But as companies snap up any personally identifying information (PII) they can, public awareness regarding the consequences has grown. And in fact, according to Pew Research, 81% of people feel they don’t have enough control over their data.
Laws such as GDPR and CCPA have come to put the brakes on data misuse. While the EU’s GDPR came into force in 2018, CCPA is just about to become the law of the land, starting in July, 2020. But already the implications are huge—personal data collection is no longer a free-for-all and companies better start protecting the data they hold—or else.
What is LGPD – Lei Geral de Proteção de Dados?
Now Brazil, a country of 200 million people, which is also one of the most Internet-connected places in the world, is following suit, with Lei Geral de Proteção de Dados, or LGPD. Passed in Aug 2018, LGPD was originally set to start in August 2020 but has been pushed off until May 2021, due to COVID-19 complications.
LGPD, modeled after GDPR, gives data subjects nine rights over their personal data and establishes the Autoridade Nacional de Proteção de Dados (ANPD), which is the legal governing body, tasked with overseeing and enforcing LGPD. Currently, the country has over 40 independent privacy regulations in effect and this new regulation is aimed at unifying them into one holistic framework.
Who Does LGPD Apply to?
LGPD applies to any company, anywhere, if it collects or processes data on Brazilian citizens or if it sells within Brazil. It also applies to anyone whose data was collected while they were in Brazil, even if they don’t live there. What this means is that if you’ve got a business that serves any of the above—or will potentially serve any of the above—you need to be prepared to meet these new regulations, even if you’ve never stepped foot into the country. And just as with GDPR, a business cannot opt-out of servicing Brazilian customers to avoid the regulations.
But there are some caveats to this “applies-to-everybody-everywhere” rule, which don’t exist within the framework of GDPR. Excluded from LGPD is data that is collected for: personal uses; journalistic, academic, or artistic purposes; and national security, defense, criminal investigations, and public safety needs.
What Rights are Granted to Data Subjects?
The rights granted to data subjects are stated in Article 18 of the act and are as follows:
- Confirm the existence of data treatment
- Access data
- Correct missing, wrong, or old data
- Anonymize, redact, or delete unneeded or superfluous data or data that’s not being handled in accordance with the LGPD
- Data portability
- Remove/delete data
- Find out about other parties with whom the controller has shared the data
- Get information regarding the ability to deny consent and the consequences therein
- Revoke consent
What Are the Fines for Non-Compliance?
Organizations failing to comply with LGPD will be fined up to 2% of revenue or R$50 million real (approximately $11 million USD). While this is less than fines for non-compliance under GDPR, small businesses are not exempt from these fines as they are in the EU’s set of regulations.
Other Important Differences Between LGPD and GDPR
That’s not the only difference between the two sets of regulations though. Here are some more differences:
Under GDPR, companies have to report breaches within 72 hours. Under Article 48 of LGPD, it says that companies must report breaches “in a reasonable time period”.
Under GDPR, the act stipulates when organizations need to hire a Data Protection Officer (DPO). Under LGPD, the act merely says, “The controller shall appoint an officer to be in charge of the processing of data,” which makes it seem that all companies must all appoint a DPO. This will likely be clarified when the law takes effect but for now, organizations need to be prepared for this potential outcome.
Under GDPR, there are six legal justifications for collecting data. LGPD grants ten legal justifications for data collection, which means that under this act, there are more lawful bases on which organizations can collect data.
How can Organizations Achieve Compliance?
The good news is that if you’re already GDPR compliant, you’re well on your way to becoming LGPD compliant. But just in case you need some help, here some tips to help you get there:
- Appoint a DPO: Until the law gets some much-needed clarification, assume you’ll need a DPO to take charge of the program.
- Collect only what you need: This is even more key to LGPD than GDPR, as the Brazilian law explicitly restricts the collection of sensitive information such as genetics, ethnic origin, race, religion, and political associations.
- Discover all your data: The basis of any solid data governance programs is knowing about everything you’ve got. This means all types of PII, even the PII you don’t know about, including data in motion and at rest, structured and unstructured data, and known and unknown data.
- Make sure third parties are compliant: If you want to stay on the right side of LGPD, you need to ensure even your third party suppliers are compliant—if they experience a leak or breach, your organization may wind up liable.
Achieving LGPD Compliance – What’s in it for You
In the countdown to GDPR, many organizations were convinced that achieving compliance would be impossible. Now, two years later, we have all seen that with the right tools, complying with privacy regulations isn’t impossible, and moreover, it can help your organization in more ways than simply avoiding nasty fines. Becoming compliant with LGPD, GDPR, and CCPA (and all the other up-and-coming regulations, too!) allows you to reduce your organizational cyber risk through better data governance and it will help you build more trusting relationships with customers, knowing you have their best interests in mind. So don’t fear LGPD; be ready and prepared when it comes into effect.