What is LGPD Learn about Brazil’s new Data Protection Law


Whether you live in Brazil or do business in Brazil, you’ve probably heard about the country’s new Data Protection Law, the Lei Geral de Proteção de Dados Pessoais (General Law for the Protection of Personal Data), or LGPD for short.

Brazil is the largest technology hub in Latin America and has the eighth largest economy in the world by GDP. A thorough understanding of the LGPD regulations is essential for doing business there.

What is LGPD?

The LGPD is Brazil’s new General Law on the Protection of Personal Data (details of its full scope are provided below). The Brazilian Parliament approved the LGPD as Law No. 13,709 in August 2018. Since then, the law has been amended twice and came into effect on August 15, 2020.

The LGPD is not Brazil’s first data protection law. Brazil is a very active country in academic research and legislation on data protection. Even before the LGPD was signed, there were already some 40 laws and regulations related to data protection in the country.

Concepts and terms of the LGPD regulations

Before explaining the rules and impact of LGPD, we will introduce some concepts and terms related to this law.

Personal data: This is data “about” a person. It is data stored on a computer (or on paper) that is explicitly labeled as referring to a person or that, with a limited amount of work, can be identified as referring to a particular person. Some examples are: names, dates of birth, bank account numbers, data about what a person did last Thursday between 2 and 3 p.m., their genetic data, information about their union membership, etc.

Data subject or interested party: The “data subject or interested party” is the person about whom personal data is “processed.” For example, if I am a bank and I have your bank account number in my banking system, then you are the data subject. We are all data subjects.

Data protection: Protection of personal data against misuse.

Data collection: Any form of obtaining personal data, for example: asking a person for personal data on a web form, tracking their online behavior, measuring their body temperature, etc.

Processing: The processing of personal data means collecting, storing or distributing that data, or performing analysis on it.

Controller: A controller is any person or organization that collects personal data. For example, if I am a bank and you have an account with us, I naturally have data about you, such as your bank account number. That makes me a data controller.

Processor: A processor is any person or organization to whom the controller has entrusted the processing of personal data. For example, if I am a bank and I store your account number in the cloud, then the cloud service provider is a data processor.

Processing agents: This is the term the LGPD uses for controllers and processors taken together. In the example above, my bank and the cloud service provider I use are both processing agents.

Purpose of LGPD

“Data protection” is a somewhat confusing term. Data protection is actually the protection of individuals. The goal is to protect people’s privacy by protecting their data. The LGPD provides (or requires) this type of protection and imposes duties and limitations on processing agents to enforce it.

What is new about the LGPD compared to previous Brazilian laws and regulations, some of which it complements, is its broad scope. The LGPD was modeled after the European Union’s General Data Protection Regulation (GDPR), which in turn is based on United Nations conventions. The central idea of ​​both the LGPD and the GDPR is that the protection of personal data is a human right. This means that data protection is not limited to specific areas.

Brazil’s previous data protection legislation had been “sectoral”; that is, it applied to specific areas such as the healthcare system, the financial industry, and so on. The LGPD is different: it mandates data protection in every aspect of life and affects almost all areas of business and administration.

When does LGPD apply?

LGPD applies in any of the following scenarios:

  1. When the processing of personal data: a) is carried out in Brazil and b) the purpose of the processing is to offer or provide goods or services.
  2. When personal data of individuals who were in Brazil when such information was collected is processed.

Most notably, and again in line with the GDPR approach, the LGPD defines a right to data protection regardless of the country where the data is processed. If, for example, my bank collects data about you while you live in or are visiting São Paulo, the LGPD applies to my bank’s processing, regardless of whether the bank is registered or physically processes your data in São Paulo, San Francisco (California), or Saarbrücken (Germany).

Data processing activities in several areas, such as national defense, law enforcement, journalism, and statistics, are excluded or partially excluded from the LGPD. Furthermore, data processed for purely private purposes is not covered by the law.

When is the processing of personal data permitted?

The processing of personal data is prohibited by default. It is only permitted if there is a legitimate reason. The LGPD specifies a list of legitimate reasons in Article 7. The most important reasons are:

  • The data subject gave their consent for the processing of the data. Consent must be informed, unambiguous, and voluntary.
  • The processing is necessary for the application of a contract that the data subject established (essentially, a kind of indirect consent).
  • The controller has a legal obligation to process the data.
  • For the exercise of law enforcement.
  • To protect a person’s life or physical safety.
  • For credit protection matters.

The list in the LGPD is exhaustive, meaning that if the only reason for processing personal data is that “it will benefit our results”, bad luck: it is not allowed.

What are the rights of the data subject?

The data subject may require the following from the controller:

  1. Confirmation of the existence of processing of personal data (always about the data subject himself, of course).
  2. Access to the personal data of the data subject.
  3. Correction of incomplete, inaccurate, or outdated data.
  4. Anonymization, blocking or deletion of unnecessary or excessive data, or illegally processed data.
  5. Data portability to another service or product provider (for example, data portability when switching from one health insurance company to another).
  6. Deletion of personal data processed with the consent of the data subject.
  7. Information about any organization with which the controller has shared the data (including processors).
  8. Information on the possibility of refusing consent and the consequences of such refusal.
  9. Revocation of consent.

Please note that the data controller is the party the data subject should contact, not the processor. The controller is the point of contact to which the data subject should direct any of the above requests.

Institutions with competence over the LGPD regulations

At the federal level, Brazil has created a national data protection agency, the Autoridade Nacional de Proteção de Dados (ANPD). This agency can require organizations to provide information about the processing of personal data, impose sanctions, and is generally responsible for ensuring compliance with the LGPD.

At the organizational level, each controller must appoint a Data Protection Officer (DPO). The DPO’s role is to ensure that the organization they work for implements the LGPD regulations. They are also responsible for managing data subject rights requests received by the organization and serve as its point of contact with the ANPD (Brazil’s National Data Protection Authority).

Responsibilities of processing agents

Data processors are obligated to “adopt technical and administrative security measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, disclosure or any other improper or unlawful processing” (Article 46). In other words, they must make a reasonable effort to protect personal data. Controllers also have an obligation to ensure that processors are aware of this responsibility (for example, by including it in contracts with the processor).

Data processors are also obligated to keep processing to the minimum necessary, even where legitimate grounds exist. They must not collect or retain data that is not necessary for, for example, fulfilling their contract with the data subject. Data that is no longer needed must be deleted or rendered unusable.

If a security breach occurs, controllers are obligated to inform both the authorities and the data subjects. This information must be provided within a “reasonable time” after the breach is discovered. The LGPD does not define what constitutes a “reasonable” time; it is expected that the ANPD, which at the time of writing was still being established, will provide a definition.

Controllers are required to provide the ANPD with the following, upon request and with the appropriate documentation:

  • Their personal data processing activities
  • The risks associated with the activities
  • The measures (organizational and technical) adopted to reduce the risks

LGPD Sanctions

If an organization violates the LGPD, the ANPD (Brazilian Data Protection Authority) has a series of disciplinary measures it can apply to the offending organization. Most importantly, the ANPD can impose a fine of up to two percent of the total revenue of the offending organization (or its group) in Brazil, capped at 50 million Brazilian reais (approximately US$11 million) per violation. If a company suffers multiple security breaches, this amount can be charged for each breach.

Furthermore, if a data processor breaches data protection law and, in doing so, causes harm to data subjects or any other person, the data processor may be held liable for damages in court (Articles 42 to 45). This section of the LGPD appears to be influenced by US law, where tort law has long been applied as a substitute for a general data protection law.

Role of technology in LGPD

There is no single technology that allows organizations to “push a button” to instantly comply with the LGPD. Implementing a fundamental paradigm like the LGPD is a multi-step process. It requires organizations to rethink how they conduct their day-to-day operations. Only then can they decide how to use technologies to achieve their objectives.

In short, these are the basic steps necessary for an organization to comply with the LGPD:

  1. Understand the objectives of the LGPD.
  2. Based on the objectives of the LGPD, as well as the organization’s existing processes and data, redesign those processes so that they protect personal data by default.
  3. Based on the design of the new processes, implement measures that enforce them.

In the third step, cybersecurity solutions, compliance reports, automation, data backups, etc., play an important role. For example, a bank might:

  1. Understand that access to its customers’ account data must be limited.
  2. Define which people and processes should have access to personal data and which should not.
  3. Use encryption as a technology to enforce the intended access.

In more complex organizations, those three steps would in turn be divided into smaller steps, with actions such as a discovery process and data protection impact assessments.
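The bank example above (limit access, define who may read what, enforce it with encryption) and the data subject rights listed earlier (access, portability, deletion) can be put together in a small controller-side store. The following is an added illustration written for this article, not code from the original page or from any real bank or library: a per-subject encryption key, a role policy deciding which fields each role may decrypt, an audit trail of every access decision, and deletion implemented by destroying the subject’s key so that every remaining ciphertext copy becomes unreadable (often called crypto-shredding). The roles, field names and sample record are constructed for the example. The cipher is an educational encrypt-then-MAC construction built from HMAC-SHA256 so that the block runs with the Python standard library alone; a production system would use a vetted AEAD such as AES-GCM from a cryptography library and a managed key store.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed role policy: the personal-data fields each role may read.
# Roles and fields are illustrative, not taken from the LGPD text.
ACCESS_POLICY = {
    "teller": {"name", "account_number"},
    "fraud_analyst": {"name", "account_number", "transactions"},
    "marketing": set(),  # no personal data without a legal basis (Article 7)
}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (educational; use AES-GCM in production)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC: ct = plaintext XOR keystream, tag = HMAC(mac_key, nonce || ct)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()  # domain-separated subkeys
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)                   # fresh per field value
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_field(key: bytes, blob: dict) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered ciphertext."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("ciphertext integrity check failed")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


class PersonalDataStore:
    """Controller-side store: one key per data subject, role-gated reads, audit trail."""

    def __init__(self):
        self._keys = {}      # subject_id -> key; removed on erasure (crypto-shredding)
        self._records = {}   # subject_id -> {field_name: encrypted blob}
        self.audit = []      # (subject_id, role, field_name, outcome) for accountability

    def store(self, subject_id: str, fields: dict) -> None:
        key = self._keys.setdefault(subject_id, secrets.token_bytes(32))
        record = self._records.setdefault(subject_id, {})
        for name, value in fields.items():
            record[name] = encrypt_field(key, value.encode())

    def read(self, subject_id: str, role: str, field_name: str) -> str:
        """Policy check first, then decryption; every decision is logged."""
        if field_name not in ACCESS_POLICY.get(role, set()):
            self.audit.append((subject_id, role, field_name, "denied"))
            raise PermissionError(f"role {role!r} may not read {field_name!r}")
        key = self._keys.get(subject_id)
        if key is None:
            self.audit.append((subject_id, role, field_name, "erased"))
            raise LookupError("subject key destroyed; data is unrecoverable")
        value = decrypt_field(key, self._records[subject_id][field_name]).decode()
        self.audit.append((subject_id, role, field_name, "read"))
        return value

    def export(self, subject_id: str) -> dict:
        """Access / portability request: the controller returns every field in clear."""
        key = self._keys[subject_id]
        return {n: decrypt_field(key, b).decode() for n, b in self._records[subject_id].items()}

    def erase(self, subject_id: str) -> None:
        """Deletion request: destroying the key renders all ciphertext copies unreadable."""
        self._keys.pop(subject_id, None)

    def has_ciphertext(self, subject_id: str) -> bool:
        """True while encrypted bytes still exist (e.g. in backups) after erasure."""
        return subject_id in self._records


if __name__ == "__main__":
    store = PersonalDataStore()
    store.store("subject-1", {"name": "Ana", "account_number": "1234-5", "transactions": "2 entries"})
    print(store.read("subject-1", "teller", "name"))
    store.erase("subject-1")
    print(store.audit)
```

Two design points follow from the text. First, the policy decision is taken before any decryption, so a role without a legitimate basis never touches plaintext and the denial is still recorded, which is what makes the audit trail useful when the ANPD asks for documentation of processing activities. Second, erasure by key destruction handles the case the deletion right makes awkward in practice: ciphertext copies that survive in backups or replicas are no longer personal data in any usable sense once the key is gone.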

What is the future of LGPD?

The LGPD will surely revolutionize how companies do business in Brazil and with Brazilians. Furthermore, as Gilberto Gil said, “Brazil has been, is, and will be in vogue.” Other Latin American countries are expected to adopt similar legislation in the coming years.

Now that you understand the basics of the LGPD regulations, you can start considering what steps your organization needs to take to comply with this law. Stay tuned for future articles that will delve deeper into what the LGPD means for IT teams.
