Over the past few years, we’ve seen data privacy regulations increasing in number and severity, with high costs of noncompliance. Legislation like the GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) has required organizations around the world to reevaluate their data management practices. Now, Brazil’s new data privacy law, the LGPD (Lei Geral de Proteção de Dados Pessoais), is affecting businesses worldwide.
Are you prepared for LGPD compliance? We look at what the LGPD is, which companies it applies to, and what you can do to comply.
What is Brazil’s LGPD?
The LGPD is Brazil’s new data privacy law, which protects the personal and sensitive data of Brazilian residents. The LGPD was passed in August 14, 2018, and recently went into effect on September 18, 2020 after much debate. The enforcement date (when penalties for infractions of the new data privacy law will start to be applied) is currently set for August 1, 2021.
The LGPD delineates the following data subjects’ rights:
- Confirmation of the existence of the processing;
- Access to the data;
- Correction of incomplete, inaccurate or out-of-date data;
- Anonymization, blocking or deletion of unnecessary or excessive data or data that is not processed in compliance with the LGPD;
- Portability of the data to another service or product provider, by means of an express request;
- Deletion of personal data processed with the consent of the data subject;
- Information about public and private entities with which the controller has shared data;
- Information about the possibility of denying consent and the consequences of such denial;
- Revocation of consent
Does the LGPD Apply to You?
Similar to the GDPR, the LGPD applies extraterritorially to companies that may not even be located in Brazil. The LGPD applies to any entity that processes personal data in Brazil, processes personal data that was collected in Brazil, or processes personal data to offer or provide goods or services in Brazil. Employers who hire or interview Brazilian residents or who engage third-party service providers in Brazil should prepare for compliance with the LGPD.
LGPD Noncompliance Fines and Penalties
Under the LGPD, fines can reach up to 2% of the Brazil-sourced income of the entity for the prior fiscal year, limited to R$ 50 million per violation (roughly equivalent to $11 million), with the additional possibility of daily fines for noncompliance to incentivize timely corrective action. Penalties will be administered by the national data protection authority, Autoridade Nacional de Proteção de Dados, including the fines mentioned above. Additional penalties include:
- Public disclosure of the violation (after investigation and confirmation of the infraction)
- Deletion of the personal data involved in the violation
- Partial suspension of the database functions (pending investigation and correction of the infraction)
- Partial or total prohibition of activities related to the collection and use of personal data
While these penalties are less severe than the GDPR’s, noncompliance with the LGPD can still be costly and damage a business’ reputation. Getting LGPD compliance under control now, rather than waiting until it’s too late, is key.
Dates and Deadlines
The effective date for the legislation has continued to be a moving target, however. Originally, Brazil’s new data privacy law was set to take effect on August 16, 2020, then May 2021, then December 31, 2020, before finally setting an immediate date of enactment of August 27, 2020.
According to Article 62 of the Brazilian Federal Constitution, the LGPD Conversion Bill then needed to be sanctioned by the President, which occurred in this case on September 18, 2020.
Similar to the CCPA, the effective date is not the same as the enforcement date however. At least for now, it seems that administrative sanctions for violations of the LGPD will not go into effect until August 1, 2021.
Tackling LGPD Compliance
An English translation of the current version of the full text of the law can be found here. Steps toward LGPD compliance include:
- Employing a data protection officer;
- Reporting data breaches to the national authority and data subject;
- Following the requirements stipulated within the law for the processing of data that is considered personal, sensitive, or belonging to minors and outlines, respectively, as well as noting when the processing of data should be terminated.
How Aparavi Can Help
With so much uncertainty regarding the effective date of the LGPD, and continuous changes to the data privacy landscape, it is important to have a solution that can adapt at the drop of a hat.
Aparavi is THE data intelligence and automation platform. With Aparavi’s SaaS product, your data privacy compliance policies will update automatically to account for any changes in legislation, and new policies will be added automatically, available to be “clicked on” as soon as the law goes into effect.
With 140+ pre-defined classification policies like CCPA or LGPD, Aparavi helps simplify your company’s data privacy compliance process and find the information you need, when you need it, wherever it is located (on premises, cloud, edge or endpoint).
Aparavi makes it easy to find personal or sensitive data by indexing all of your storage locations so they are searchable from a single point of entry. From there, you can easily locate the information you need to respond to DSAR (data subject access rights) requests.
In addition, you can use Aparavi’s data mapping and classification platform to automate your data retention and data governance policies by classification policy—whether you decide to archive, move or delete the information. Contact Aparavi today to learn how we can help your organization comply with Brazil’s LGPD and other data privacy legislation.