August 15th is nearly here, and that means compliance with Brazil’s LGPD!
August 25 Update: Brazil is postponing LGPD enforcement until December 2021.
August 26 Update: Brazil's Senate passed a law making LGPD effective immediately, pending a signature from the President.
September 17 Update: LGPD was approved by the President and came into effect on September 18, 2020.
What Is LGPD?
Personal and sensitive data about each one of us abounds. Most of that data is necessary and helpful for our lives and livelihoods, such as medical records or credit ratings. However, when our personal data is captured, used, and stored without our permission, or misused, sold, or even stolen, it becomes a huge liability to everybody involved. Fortunately, regulations exist in many national jurisdictions to limit what people and organizations can do with our personal, sensitive data.
The European Union issued GDPR in 2016 to control the indiscriminate use of personal data, with enforcement rules and penalties meant to promote compliance with the regulations. Not long after, other nations followed suit, including Brazil. In the summer of 2018, Brazil passed a comprehensive set of legislation meant to control the use of peoples’ private data, known as the Brazil General Law for Data Protection, or LGPD. However, LGPD did not immediately take effect—the regulations were given a multi-year period before enforcement to allow people and businesses to prepare for compliance with every aspect of the regulations. That time was fast approaching when LGPD would officially take effect and become enforceable by law: August 15, 2020.
Well, as you know things change quickly, and because of the worldwide pandemic, Brazil’s government had postponed the effective date of enforcement until 2021. However, in late August the Senate of Brazil overturned that decision by passing a bill making the LGPD effective immediately, pending a signature from the President.
What Does LGPD Mandate?
LGPD applies to any legal entity anywhere in the world, as long as that entity collects or processes personal data in Brazil, or if it uses that data to represent and sell goods and services within Brazil to its citizens. Note that the company or organization does not have to be legally based in Brazil for the regulations to apply—it merely needs to be doing one of these activities within Brazil’s borders and jurisdiction.
Just as with GDPR, its European counterpart, LGPD clearly defines the conditions under which organizations may process personal data and how they carry out those data-processing activities. In some situations, people have to give their consent to data collection about them, but in others that consent is not required. Such situations include executing contracts and financial transactions, legal activities, various forms of official research, and certain health and well-being situations. So please realize that the individual’s consent depends on the context for data collection and processing.
These regulations also stipulate the creation of an enforcement body to oversee compliance with LGPD once they take effect this August. A Brazilian regulatory authority, the ANPD, is charged with caretaking the regulations and enforcing them. Violating LGPD will be met with fines and other penalties against the offending person or organization. Of course, one of the most severe repercussions for non-compliance will be the reputational damage that could result—no organization wants this kind of negative publicity and a hit to the brand!
What Rights Do Individuals Retain?
LGPD gives individuals a variety of rights in situations where their data is being collected and processed. As with GDPR, individuals have the ability to access their personal data and amend or correct it (and sometimes remove it), all while being assured that the minimum amount of personal data is being collected and processed along the way. The LGPD goes further, though, and gives the person access to information about 3rd party entities who acquire that data and the ability to ascertain whether an organization has personal data about them or not.
Now, LGPD does allows data to be transferred from Brazil to another country, but only as long as adequate, equivalent data protection rules apply. The data needs to be secured outside the borders in the same manner as it is within Brazil’s jurisdiction. Outside of this, data may not be transferred out of the country except for legal reasons with consent or with transactional activities.
How To Maintain Compliance with LGPD?
LGPD regulations provide guidance on governance and compliance with these new privacy regulations. Somebody must oversee an organization’s data processing and be held liable for processing and data retention. The need for solid record-keeping applies to all data-processing activities. Any product or service working with personal data needs to have data privacy factored into it. Security measures and processes must be enacted to preserve the data privacy of individuals. And in the instance that a data breach occurs, the organization must be forthcoming and transparent with Brazilian regulators, working to mitigate the situation as quickly as possible.
Nobody and no organization should take LGPD lightly. You need to understand how data privacy affects your current organizational processes and procedures, and you also need to determine how to be compliant as soon as possible. comforte is a company dedicated to helping you secure your growth and maintain compliance with LGPD. We can help you understand how LGPD applies to your business and how tokenization and other security technologies can help you maintain compliance and avoid regulatory scrutiny (and worse).