The Brazilian Data Protection Act (Lei Geral de Proteção de Dados, or LGPD) will come into force Feb. 16, 2020. It is an omnibus law that establishes detailed rules for the collection, use, processing and storage of personal data in Brazil, affecting all economic sectors and both private and public entities, whether the processing of personal data occurs in a digital or a physical environment. Unlike the General Data Protection Regulation of the European Union, which updated the rules established by Directive 95/46/EC, the LGPD had no comprehensive predecessor law in Brazil. For that reason, the number of new requirements organizations must meet in Brazil is significant, and the LGPD may require organizations to allocate substantial time, personnel and budget to become compliant.
A national data protection authority is still to be formed to oversee enforcement of the LGPD, and additional guidelines are expected to be issued by that new authority. Noncompliance with the LGPD may result in the application of, among other penalties, fines of up to 2 percent of the gross revenues in Brazil of the organization's economic group in the previous fiscal year, capped at R$ 50,000,000.00 (fifty million Brazilian reais) per violation.
The compliance steps in this article are not intended to be exhaustive; they provide only general guidance for adapting to the LGPD. The order of the steps is merely illustrative and, depending on how an organization's activities are structured, a different compliance approach may be necessary.
Before looking into the requirements of the LGPD, the first step is assessing what categories of personal data are processed within your organization, and how and why, in order to have a clear understanding of the information lifecycle (e.g., collection, processing, storage and erasure operations).
As a second step, it is important to understand whether your organization is actually subject to the LGPD. The LGPD is intended to regulate the use of personal data, defined as any "information related to an identified or identifiable natural person" (that natural person is hereinafter referred to as the "data subject"). It is applicable to any processing activity, regardless of where the organization collecting the data is located, provided that at least one of the following applies: (a) the processing operation is carried out in Brazil; (b) the data was collected in Brazil; or (c) the processing relates to individuals located in Brazil or to the offer or supply of goods or services in Brazil. These conditions are alternative, not cumulative, so meeting any one of them brings the processing within the scope of the LGPD.
Due to the extraterritorial reach of the LGPD, it is expected that a significant number of multinational organizations will be subject to both Brazilian and foreign data protection rules at the same time. While there are many similarities between the LGPD and the GDPR, for instance, which may facilitate the implementation of a uniform data protection compliance program, organizations still have to pay attention to the particulars of each piece of legislation so as not to inadvertently violate one of the differing data protection regimes.
Based on the different circumstances in which personal data is processed, the third step is defining and documenting the legal ground for processing personal data in each particular circumstance. The LGPD provides for 10 different legal grounds for processing personal data, including the consent of the data subject; compliance with a legal or regulatory obligation; necessity for the performance of a contract; and necessity to meet the legitimate interests of the data controller or of third parties.
The legal ground for processing may vary among the different relationships an organization maintains, and different legal grounds may justify, for example, the processing of employees' data and of clients' data. The LGPD also provides a different, narrower set of legal grounds for processing sensitive personal data, which includes, among other categories, health and biometric information. When relying on consent as the legal basis for processing, a fourth step is obtaining and recording the necessary consents.
Regardless of the legal ground for processing personal data, easily accessible, clear and adequate information must be provided to the data subject about how his or her data will be processed. Thus, a fifth step is reviewing and further detailing privacy policies and privacy notices so that they disclose the necessary information on how data will be processed.
The LGPD provides for specific data processing principles. Briefly and non-exhaustively, these principles establish:
- A duty of transparency.
- That unnecessary or inaccurate data should not be collected or stored.
- A limitation of purpose to use data.
- An obligation to keep data secure.
- That organizations must be able to demonstrate compliance with the LGPD.
Accordingly, the sixth step is reviewing the information lifecycle and identifying the gaps, and the remedies for them, needed to conform to the principles set forth in the LGPD.
The LGPD sets forth strict requirements for international data transfers, which will be permitted only in specific circumstances, including:
- To countries with an adequate level of protection;
- Through the use of standard contractual clauses, global corporate rules, seals, certificates and codes of conduct approved by the national data protection authority;
- With the specific consent of the data subject.
Defining and documenting the legal ground for transferring data out of the country, and obtaining the necessary authorizations from the national data protection authority and/or the consent of the data subject where applicable, is the seventh step towards compliance with the LGPD.
With the enactment of the LGPD, new rights for data subjects will be introduced into the Brazilian data protection system, including the right to obtain information regarding the processing of their data; the rights to access, rectify and delete data; the right to revoke consent; the right to data portability to another supplier of goods or services; and the right to request the review of automated decisions.
The eighth step is adapting the channels of communication, and the internal policies and practices, used to process data subjects' requests based on such rights.
The ninth step is appointing a data protection officer to both handle data subjects' requests and represent the organization before the data protection authority.
Similar to the GDPR's definitions of controllers and processors, the LGPD defines controllers and operators. The controller is responsible for deciding how personal data will be processed, and is subject to a more comprehensive list of requirements.
The 10th step for compliance is reviewing the agreements under which controllers share data with operators, and establishing each organization's obligations and responsibilities.
Organizations will be required to adopt technical and organizational measures to protect personal data, and to follow a privacy by design approach.
The 11th step is reviewing the information lifecycle, policies and procedures, and implementing, where necessary, appropriate technical and organizational measures to protect information.
Last but not least, data incidents that may result in relevant risk or harm to data subjects must be notified to the national data protection authority and to the affected data subjects. The 12th step is reviewing and deploying appropriate data incident policies and procedures to comply with these notification requirements.
As briefly outlined in this article, the LGPD requirements are comprehensive. By implementing the guidelines above, your organization may move a few steps closer to becoming compliant with the new legislation.