June 16, 2022
What is Brazil’s LGPD?
Brazil’s new data privacy law, the LGPD, is the newest member of the four-letter personal data protection law club, joining members such as the GDPR in Europe and the CCPA in California. Because it went into effect in late 2020 during the height of the COVID-19 pandemic, it has flown somewhat under the radar relative to other national and international data privacy laws.
If your company hasn’t yet gotten into compliance with this new law, and you do business in Brazil, you could run afoul of the laws and end up with both legal and civil penalties. Here is what you need to know and what you need to do to keep your company safe.
What is the LGPD?
The LGPD is Brazil’s data privacy law, and is designed to keep personal data safe and limit how companies can use that data without the explicit consent of the user who produced the data. The law is known as the General Personal Data Protection Law in English, but its acronym is derived from its Portuguese name: Lei Geral de Proteção de Dados Pessoais.
The LGPD is one of the oldest data privacy laws. While it only came into effect in 2020, it was first introduced in 2012, making it roughly four years older than the GDPR. Prior to the passage of the law, Brazil had about 40 different laws pertaining to personal data protection; this law expands upon companies’ obligations and simplifies the legal code by reducing the number of statutes that companies must comply with.
When will the LGPD be enforced?
There is some lingering confusion about the start date for the LGPD because there were several alternate proposed enforcement dates. The Brazilian National Congress, the lower house of its bicameral legislature, first passed the law on August 14, 2018. The Senate passed the law on September 16, 2020. After some disagreement with the President’s office about when it was to go into effect, it was signed into law on September 18, with its enforcement backdated to August 16, 2020.
If your company wasn’t ready when the law went into effect, it had until August 2021 to get into compliance before the sanctions portion of the law’s penalties went into effect. The other two penalties, fines and civil lawsuits, have been in place since the law’s initial passage. Violation of the law can lead to penalties of up to BRL 50 million, which is about €8 million or US$9 million.
How do companies gain compliance with LGPD?
The good news for most companies is that if you’re in compliance with the GDPR or CCPA, you won’t need to change much of your process for the LGPD. This law applies to the data rights of Brazilian residents and data that is processed in Brazil. The LGPD requires that companies allow data subjects, the users who originally produced the data, to:
- Confirm that their personal data is being processed, access that data, and correct incomplete, incorrect, or outdated personal data.
- Anonymize, block, or delete any unnecessary, excessive, or non-compliant personal data.
- Request that a data controller transfer their personal data to another service or product provider.
- Delete their personal data.
- Request information on the ways in which their personal data has been shared.
- Request information about their rights to not give consent to process their personal data.
- Withdraw consent to process their personal data.
For companies that are already in compliance with GDPR, this list likely feels very familiar. However, there are a few major differences that companies should ensure they monitor.
- The LGPD treats data used to formulate behavioral profiles where a natural person can be identified as personal data. This restriction could apply to anonymized data in some cases, something not covered in the GDPR.
- The LGPD takes a subjective stance on anonymized data. In addition to factoring in the cost, time, and available technology, the LGPD also considers the company’s “use of its own resources” when determining if the anonymization efforts were “reasonable.”
- The LGPD requires data processing information to be delivered in a “simple, clear, and accessible way,” including using audio-visual resources. The GDPR doesn’t require the use of audio-visual resources.
- The minimum age for consent is 13. If a user is under that age, a service must acquire a parent’s consent before processing data. Under the GDPR, the minimum age is 16, with the option for member states to lower it, but not below 13.
What are the LGPD’s data privacy implications?
For companies whose business in Brazil generates personal data, complying with the LGPD should be a top priority. The greater your business’s exposure to that market, the greater the penalties if you fail to meet the law’s requirements. The good news for most companies is that by building systems to support other data privacy laws, you’re likely already covering most of your bases when it comes to the LGPD.
However, this law takes a different approach to anonymization than many other comparable laws. That means you have to be extra careful in this area when dealing with Brazilian personal data. The first step towards high-quality anonymization is identifying all personal data so that you can ensure it is correctly handled. iDiscover by Mage was designed from the ground up to make data discovery seamless. It can identify more than 70 sensitive data types right out of the box and uses AI and Natural Language Processing to find sensitive data in unstructured datasets. That way, you can be confident that you’re identifying all sensitive data.
Once you’re ready to secure that data, Mage’s iMask includes both static and dynamic masking tools, allowing you to anonymize data based on role and location without negatively impacting your system’s performance.
The LGPD has a subjective component when it comes to evaluating anonymization processes. The best way to keep your company in compliance is to demonstrate that you’re using top-of-the-line tools to protect your users’ data. Schedule a demo today to see how Mage provides the best solution for data discovery and anonymization. We’ll show you exactly how we can help you obtain and maintain compliance with the LGPD and data protection laws worldwide.