Data Privacy Regulations

Get Ready for LGPD: Brazil’s Version of the GDPR

October 20, 2020

Topics: Advanced 8 minute read Cloud Data Sense

Storage, compliance, and security teams across the world are reviewing their data protection practices in response to the forthcoming Lei Geral de Proteção de Dados Pessoais (LGPD), a Brazilian data privacy law similar to the General Data Protection Regulation (GDPR).

The LGPD will be the latest in a string of tighter data protection laws aimed at addressing public concern about the widespread use of their data. The new law has been long in the making. After a lengthy delay, it was finally due to come into force in August this year. But, owing to the impact of the coronavirus pandemic, the Brazilian government has pushed back the effective date yet again to give organizations more time to prepare for the legislation.

But with many enterprises still struggling to comply with other new data privacy regulations, the delay of LGPD is giving companies an opportunity to start making plans now to meet LGPD requirements before they come into effect. In some cases, provisions will be identical to those put in place to meet GDPR’s standards. But in other cases there will be subtle differences.

In this post, we run through the key features of the long-awaited LGPD, Brazil’s approach to such legislation, and how it compares with its European counterpart.

The LGPD in a Nutshell

With LGPD, Brazil sets out to harmonize a multitude of disparate statutes into a unified set of standards. It strengthens the data privacy rights of Brazilian nationals through tighter controls over how companies are allowed to store and process personal data.

It is also designed to promote privacy best practices and help enterprises leverage compliance as an opportunity to drive more revenue. Moreover, it frees up competition by allowing private companies to process personal data for use by the public sector.

Though less extensive than the European regulations, the LGPD aims to achieve much the same privacy objectives. As a result, the two laws are remarkably similar, sharing a common focus on accountability, security, data minimization, purpose limitation, and privacy by design.

LGPD vs. GDPR: A Comparison

Territorial Scope

In relation to the territorial scope of each law, the LGPD and GDPR follow the same basic principle. Namely, they apply to any organization that stores or processes personal data about the citizens in the territorial jurisdiction they cover—regardless of where they're located in the world.

In other words, wherever you're based, if your business offers goods and services to the Brazilian market, you'll need to take steps to comply with the LGPD.

Definition of Personal Data

Whereas the GDPR is very specific about what constitutes personal data, under the LGPD it is far less clearly defined. However, this may change in the future as the law comes into everyday use.

On the other hand, the LGPD mirrors the GDPR by designating certain types of information, such as that concerning an individual's racial or ethnic origin, health or trade union membership, as sensitive personal data, where special rules apply.

Legal Basis for Processing

As with the GDPR, the LGPD sets out a list of lawful grounds for processing personal data. These are broadly similar, such as to meet a legal or contractual obligation or where the individual has given consent for you to process their personal data for a specific purpose.

However, with LGPD, Brazil does explicitly allow a legal basis for personal data use which isn't directly covered by the GDPR: processing someone's personal data for the purpose of protecting their credit score. Nevertheless, in most cases, the GDPR would still interpret this as an appropriate basis for processing—on the grounds that it is in the legitimate interests of the consumer.

Data Security

For both Europe and Brazil, data privacy law entails data security. Under both the LGPD and GDPR, you are required to implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.

The Brazilian governmental body responsible for enforcing data protection, the National Data Protection Authority (ANPD), is tasked with providing more detailed guidance to the minimum technical standards you'll be required to adopt.

The GDPR doesn't directly specify the security measures you should have in place. However, national enforcement agencies, such as the Information Commissioner's Office (ICO) in the UK, each offer a broad guide to meeting your security obligations.

Data Transfer

The LGPD takes the same line as the GDPR by prohibiting the transfer of personal data out of Brazilian territory, except in certain circumstances or to countries that provide a strong regulatory level of data protection.

This could have data residency implications for companies based in the US, which currently follows a patchwork approach of state-by-state data protection regulations rather than a unified nationwide legal framework.

Rights of Citizens

Both laws essentially grant data subjects the same basic rights. For example:

  • Consent: You're only able to process and store data about a Brazilian individual with their consent, which they can revoke at any time.
  • Data Subject Access Requests (DSARs): The LGPD grants Brazilians the same fundamental rights of access, including right to correction and right to erasure, as the GDPR does for EU citizens.

However, under the LGPD, you must respond to a DSAR within 15 days. This may mean you'll need to improve your DSAR response procedures, as it is a significantly shorter period than the one month allowed by the GDPR. Meeting that kind of tight deadline will largely depend on your ability to automate your DSAR reporting.

To meet your privacy requirements according to LGPD, GDPR, or any other data privacy regulation, try NetApp Cloud Compliance

Email Marketing

Whereas the GDPR applies strict rules to email marketing and text messaging, it is an area not directly covered by the LGPD.

However, as with the GDPR, it still makes sense to seek an individual's approval to receive marketing emails and text messages, as this activity is likely to constitute a form of data processing that requires consent.

Consent Notices and Privacy Policies

The LGPD approach to obtaining consent is very much the same as that for the GDPR. According to LGPD, a customer’s consent must be specific, informed, unambiguous, and freely given. In other words, you should be upfront about what exactly an individual is consenting to and give them proactive control over how you use their data.

You should reflect these requirements in the design of your signup forms, online checkouts and cookie consent notices. Although the LGPD makes no direct reference to privacy policies, you should still revisit your policy wording to ensure it meets transparency obligations.

In addition, consent should be granular, with separate consent for different processing activities. What's more, you should maintain records of valid consent. And data subjects should also be able to easily revoke consent at any time.

Data Protection Officer

To comply with the GDPR, you may need to appoint a data protection officer (DPO). However, this only applies to public-sector organizations and private companies that store and process personal data at scale.

By contrast, as things stand under the LGPD, you must appoint a DPO, as it applies to any organization that processes the personal data of Brazilian citizens. However, in practice, this is likely to prove problematic and will inevitably require clarification by the Brazilian enforcement authorities.

The duties of DPO don't necessarily have to be performed by an individual. They may be carried out by an internal team or outsourced to a third-party, such as a specialist DPO service. Note also that the DPO role is separate and unique from that of the chief privacy officer, or CPO.

Reporting a Data Breach

In the event of a breach that could potentially infringe the privacy rights of data subjects, under both the LGPD and GDPR, you must notify both the relevant data protection authority (DPA) and the individuals affected.

The LGPD only states you must do this within a reasonable time period, as defined by the ANPD. The GDPR is more specific, giving you just 72 hours to notify the DPA after you are aware of a breach.

Financial Penalties

Monetary penalties for breaking LGPD rules are relatively modest compared with the GDPR. The maximum fine for a violation is 2% of a company's Brazilian annual revenue and is capped at R$50 million (about €7.84 million or $9.28 million) per offense.

This compares with GDPR fines of up to 4% of global annual revenue or €20 million, whichever is the higher.

LGPD vs. GDPR: Summary of Main Differences

 

LGPD

GDPR

Mandatory DSAR response times

Within 15 days

Generally within a month

DPO

Mandatory

Mandatory for public-sector bodies and companies that process personal data at scale

Breach reporting deadlines

Within a reasonable time period

Within 72 hours

Maximum fines

2% of a company's Brazilian annual revenue, capped at R$50 million

4% of global annual revenue or €20 million, depending on which is higher

A Common Privacy Goal

In a country as large and economically vibrant as Brazil, data protection law was an inevitability. Virtually any company with a global presence will process personal data about Brazilian consumers. The need to comply with the LGPD will soon be a worldwide requirement.

As we’ve seen above, Brazil’s data protection law shares many similarities with the GDPR, as the two laws work towards much the same privacy goal. This can potentially reduce the burden of meeting LGPD requirements. Because, if you're compliant with the GDPR, you've already done most of the groundwork for the LGPD.

To meet your privacy requirements according to LGPD, GDPR, or any other data privacy regulation, try NetApp Cloud Compliance.

Cloud Compliance Free Trial

Senior Marketing and Strategy Manager

-