LGPD and GDPR: Similarities and Differences
The General Data Protection Law (LGPD) is Brazil’s first comprehensive data protection law and is designed to enhance the privacy and protection of personal data of individuals in Brazil. The LGPD heavily resembles the EU General Data Protection Regulation (GDPR).
After a long period of uncertainty about when the LGPD would take effect, the Federal Senate of Brazil approved an amendment that brought the effective date forward, making the law effective immediately upon enactment of the amendment on August 27, 2020. The Brazilian president approved the bill on September 17, 2020, and the LGPD took effect on September 18, 2020.
LGPD and GDPR Similarities and Differences
Both the LGPD and the GDPR apply extraterritorially: they reach any individual or business that processes the personal data of people in their respective jurisdictions, regardless of where the processing organization is established.
Both the GDPR and the LGPD define personal data similarly, as information relating to an identified or identifiable natural person. Both also set enhanced protections for sensitive personal data, which they define in similar terms. Neither law applies to anonymized data.
Processing and Privacy Principles
Organizations subject to the GDPR will also see similarities in the LGPD’s processing principles. The GDPR sets forth seven processing principles (six in Article 5(1) plus accountability in Article 5(2)): lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. The LGPD specifies ten principles: purpose; suitability; necessity; free access; data quality; transparency; security; prevention; nondiscrimination; and accountability. Organizations subject to the LGPD will therefore have to ensure their processing also complies with those LGPD principles that have no direct GDPR counterpart.
Legal Bases for Processing
Both the GDPR and the LGPD require controllers to establish a legal basis before processing personal data. The two laws provide similar bases, but each contains some variations: the GDPR sets forth six lawful bases, while the LGPD allows ten.
Controller and Processor Relationships
The GDPR sets forth more stringent requirements for the controller-processor relationship. It requires that a contract containing specific provisions, or another legal act, govern the relationship between the controller and the processor. The LGPD only requires that the processor carry out the processing according to the controller’s instructions and that the controller verify the processor’s compliance.
Data Subject Rights
Organizations familiar with the GDPR will recognize the data subject rights under the LGPD. Both laws grant individuals similar rights over their personal data. Under each law, for instance, data subjects have the right to erasure/deletion, to be informed, to access, to revoke consent, to correct inaccurate or out-of-date data, to non-discrimination, and to data portability, among others. The laws do differ in places. The GDPR is more prescriptive; the LGPD gives individuals a right to have data anonymized in certain circumstances; and, while the LGPD gives data subjects the right to request review of automated decisions, it does not require that the review be performed by a human.
International Transfers of Personal Data
Both the GDPR and the LGPD restrict transfers of personal data to third countries or international organizations, allowing such transfers only on specific grounds. Each law recognizes the concept of third-country adequacy, as well as global corporate rules / binding corporate rules, standard contractual clauses, and certifications and codes of conduct. However, Brazil’s Data Protection Authority (ANPD) has yet to issue its adequacy decisions and the rules governing the other lawful transfer mechanisms, so organizations cannot rely on those mechanisms until it does.
Data Processing Records
Both the GDPR and the LGPD require organizations to maintain records of their processing activities. The GDPR, however, specifies in greater detail what information those records must contain.
Data Protection Impact Assessments
Both the GDPR and the LGPD require controllers to conduct data protection impact assessments to evaluate the risk of certain processing activities. The GDPR specifies when such an assessment is required and what it must cover. The LGPD, by contrast, simply states that the ANPD may decide when a controller must conduct an assessment, and it does not set out assessment criteria.
Enforcement – Monetary Penalties, Sanctions, etc.
Noncompliance with either the GDPR or the LGPD exposes controllers and processors to fines, sanctions, or civil lawsuits, but the specific penalties differ. Under the GDPR, depending on the type of violation, the penalty may be up to either 2% of the organization’s global annual turnover or €10 million, whichever is higher, or 4% of global annual turnover or €20 million, whichever is higher. Under the LGPD, depending on the type of violation, the ANPD may impose a fine of up to 2% of an organization’s revenues in Brazil for the prior financial year, excluding taxes, capped at BRL 50,000,000 per infraction.
Website Compliance Best Practices for LGPD
Here are best practices to help make sure your website is LGPD compliant:
- Scan your website to identify the tracking technologies it uses, including cookies, pixels, and tags, for advertising, statistics, and marketing campaigns.
- Consent must be informed, explicit, freely given, specific, written in plain language, and clearly visible, and data subjects must be able to withdraw it. Configure a cookie banner that meets these requirements.
- In your cookie banner, clearly identify each party for which cookie consent is being granted. Stating a category name such as "analytics" is not enough; name the organization that processes the data, e.g. Google.
- Your customers may contact your company/organization to exercise their rights under the LGPD (access, rectification, erasure, portability, etc.). Provide a means for data subject requests to be submitted electronically.
- Keep records of consent so that you can demonstrate compliance.
How CookiePro Helps
Despite the similarities between the GDPR and the LGPD, compliance with the GDPR does not guarantee LGPD compliance. Now that the LGPD is in force, organizations that process the personal data of individuals in Brazil, or that process personal data in Brazil, should review their current data processes and structures to identify and address any LGPD compliance gaps.
CookiePro helps organizations of all sizes simplify time to LGPD compliance with a purpose-built suite of technology solutions. Leverage CookiePro to do the following:
- Scan websites and mobile apps to discover and auto-categorize trackers with the Cookiepedia™ database of over 20 million pre-categorized tracking technologies
- Maintain a central consent database across web, mobile, online and offline consent collection points and pass consent data to email marketing tools, CRMs, and other downstream systems
- Easily configure and embed user-facing preference centers across your websites, mobile apps, and other customer portals