Last Updated: August 26, 2021
The LGPD is the most impactful data privacy regulation since the GDPR, and due to its extensive reach, it will affect numerous individuals and organizations.
What does the LGPD do?
Brazil’s Lei Geral de Proteção de Dados Pessoais, or LGPD, went into effect on August 16, 2020, but the deadline for enforcement began August 1, 2021.
The LGPD governs the processing of personal data in Brazil and aims to safeguard individuals’ fundamental rights of freedom, privacy, and the free development of personality. To that end, it requires organizations to process personal data in good faith and to follow several well-established principles, such as the purpose, data quality, data security, and accountability principles, and it establishes ten legal bases for lawfully processing personal data. Moreover, the law grants data subjects’ multiple rights with respect to their personal data. Elements of the LGPD may look familiar as it is closely modeled on the GDPR, and the law will have similar extraterritorial effects on organizations outside Brazil.
To supervise, implement, and monitor compliance with the LGPD, Brazil established the Autoridade Nacional de Proteção de Dados (ANPD) as its new data protection authority. The ANPD will:
- Provide guidance and interpretation for LGPD’s provisions and implementation
- Manage complaints about alleged LGPD violations
- Apply sanctions for violations of the LGPD
- Collaborate with other data protection authorities globally
Does the LGPD Apply to My Data Processing?
Article 3 of the LGPD specifies that the regulation applies to:
- Processing of personal data within the territory of Brazil
- Processing of personal data for the purpose of offering or providing goods or services to individuals in Brazil
- Processing of personal data of individuals who are in Brazil, regardless of where in the world the processing entity is located
- Processing of personal data collected in Brazil
The LGPD exempts the following processing activities:
- Processing by a person for strictly private and non-economic purposes
- Processing exclusively for journalistic, artistic, or academic purposes
- Data exclusively for national security, national defense, public safety, criminal investigations or prosecutions
- Processing of data originating from a jurisdiction that provides a level of protection that is similar to the LGPD
What Rights Does the LGPD Provide to Data Subjects?
Articles 18, 19, and 20 of the LGPD allow data subjects to exercise the following rights:
- Confirm the existence of the processing of their data
- Access their data
- Correcting incomplete, inaccurate or out-of-date data
- Anonymize, block or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD
- Data portability of data
- Delete data processed with their consent
- Obtain information about the sharing of their data with other entities (e.g., sub-processors and third parties)
- Obtain information about consent choices and their consequences
- Revoke consent
- Request review of automated decisions that affect their interests
What are the LGPD Requirements?
As mentioned above, Article 7 of the LGPD outlines ten legal bases for the lawful processing of data, which are as follows:
- With the data subject’s consent
- To comply with a legal or regulatory obligation
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments
- To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the data subject’s request
- To carry out studies by research entities, ensuring, whenever possible, the anonymization of personal data
- To exercise rights in judicial, administrative or arbitration procedures
- To protect an individual’s life or physical safety
- To protect the health, in a procedure carried out by health professionals or by health entities
- To fulfill the controller’s or a third party’s legitimate interests
- To protect credit
In addition to processing personal data pursuant to a lawful basis, the LGPD’s purpose principle requires the controller to process for “legitimate, specific and explicit purposes of which the data subject is informed” and not subsequently process data for purposes that are incompatible with the original purpose. Furthermore, data subjects may lodge complaints against controllers with the ANPD.
What Are the Key Focuses on LGPD Compliance?
Compliance with an extensive regulation like the LGPD can feel daunting, but a clear understanding of your data processing activities and transparent processes will help get you program compliant. Below are the key steps to start getting LGPD compliant:
- Establish data mapping policies to categorize and inventory the personal data you process and maintain records of your processing operations.
- Provide clear information on how personal data will be processed prior to collection.
- Establish data breach notification procedures to notify the affected data subjects and the ANPD.
- Appoint a DPO.
- Implement technical and administrative security measures to protect the personal data you hold.
- Respond to data subject requests in a timely manner.
The LGPD is the most comprehensive data privacy regulation to be passed since the GDPR, and its effect will be felt globally. In many ways, the LGPD is a familiar framework, with key similarities to the GDPR, with companies required to have a lawful basis to process personal data. The LGPD aims to protect numerous individuals, and a huge number of organizations will need to update their privacy programs to ensure LGPD compliance.
To learn how CookiePro can help you operationalize your privacy program to comply with LGPD requirements, schedule a live demo with our team today.