LGPD: What the New Brazilian Data Protection Law Looks Like for Global Businesses
Unless you live under a rock, you’ve heard of the new regulations of data usage policies that are trending worldwide. Data security is an ever-present topic and many nations have already implemented significant legislative changes, seeking more clear guidelines for privacy and security.
One of those nations is Brazil. After eight years of debates, a new data protection law was enacted on August 14 in the country by President Michel Temer. The Brazilian General Data Protection Law, or LGPD, will take effect on February 2020, giving businesses 18 months to comply with this new legislation.
Adapting to the new regulation can be a burdensome and sometimes costly task, but it can become even more onerous for those who postpone the adaptation until the last minute, as many businesses did with the GDPR on last May. Companies from all over the world that operated in the European Union or somehow processed data from European citizens had to find a fast way to be in compliance with the GDPR so they wouldn’t suffer the consequences.
So, if you are doing business in Brazil, now is the time to start adapting it to the new Brazilian data protection law.
In this article, I’m going to break down all the biggest changes that come with the LGDP and describe both benefits and challenges for global companies.
What is the LGPD
Just like the GDPR, the Brazilian LGPD will change the way companies operate in the country as it establishes strict rules on processing personal data, both online and offline, in the private and public sectors. The new legislation imposes a higher standard of protection and significant fines for non-compliance.
With the new legislation, Brazil is now amongst the 120 nations that have a specific law concerning personal data protection. The LGPD will fill out some blanks of the existing 40 legal norms that sparsely regulate data usage in the country.
Privacy Rights and Principles
The main principle of the law is transparency. The LGPD details the obligations of both data holders, or controllers, and processors. The first ones are those responsible for collecting the data and deciding its finality, and the second ones can be either a company or person that will process the information following the guidance of the controller.
In this context, the text defines “personal data” as any information relating to an identified or identifiable natural person, and “processing data” as any kind of operation on this data, such as collecting, storing, using or disclosing the information.
With the LGPD, all data processing must be invariably based on the user’s consent, that needs to be obtained through a free, informed and unequivocal manifestation of the user, who must express their agreement with the processing of their personal data for a specific purpose.
Summing up, the law comes then to assure that the data that was provided by any individual will be processed only for the specific finalities that were pre-agreed between them and the data owner/controller at the moment the user gave their consent.
The Brazilian legislation, similarly to the GDPR, brings administrative sanctions. Non-compliance with the requirements could result in fines that go from 2% of gross sales (of the company or a group of companies) to a max of $50 million Brazilian reais per transgression, something around $12 million U.S. dollars.
The only exceptions to the law are those concerning the processing of personal data by a “natural person” for private and non-economic purposes only, besides those carried out exclusively for:
- journalistic, academic or artistic purposes (in this case, consent is not waived)
- public security, national defense, state security or investigation and prosecution of criminal offenses
- data in transit, meaning information that is not destined to processors in Brazil.
Why is the LGPD relevant and how it could help
The government claims that the LGPD comes not only as a way of guaranteeing individuals’ privacy but also to:
- promote the development, fostering the economic and technological development
- ensure free competition and consumer protection through consumer law
- increase trust among the population regarding the collection and usage of personal data
- increase legal certainty
- reduce operational costs caused by systemic incompatibilities of data processing
In which cases is the LGPD applicable?
The law is applicable to any activity that involves the transfer of “personal data” of Brazilian individuals. That includes foreign affiliates that have at least a branch in Brazil or that offer services to the Brazilian market and collects or treats the personal data within Brazil.
Also, the LGPD will be applied to all sectors, whether they are public or private, online or offline.
How does the LGPD affect international merchants
Like other data protection legislation, the LGPD inflicts restrictions when it comes to transferring data internationally. It allows data to be exchanged only with international companies that provide an appropriate level of protection for personal data.
Here are some pertinent assurances to apply at your store and be able to make legal cross-border data transfers:
- standard contractual clauses
- global corporate standards
- seals, certificates or codes authorized by the national data protection authority
In-house to-dos checklist
Data mapping & discovery. Start mapping all personal data processed for your store, as well as their life cycle. Knowing exactly where the information is, how it is stored, who has access, whether the data is shared with third parties in Brazil and what are the existing risks is key before making any processual changes.
Always ask for consent. As we’ve said before, the main principle of the law is transparency. So, whenever data is collected, make sure that your users are well aware of that.
Short storage. Keep the data stored only for the express necessary amount of time. If the data processing is no longer required to achieve the purpose for which it was collected, then exclude it from your servers or tell your processor to do so.
Documentation is your best ally. Document everything you do. From collecting, storing, using and sharing personal data, all must be documented. This documentation should also contain which risk mitigation measures you take, as the LGPD establishes that whenever requested you must present the document to the regulatory authority.
Audit regularly. You will need to grant personal data security in all circumstances and communicate any security incidences to the regulatory authority in charge.
The LGPD will have a great impact as data is involved in every practice of the modern society. For that reason, being in compliance with data regulations in Brazil should not be seen as an extra cost, but as an opportunity. An opportunity of being ahead of your competitors and protecting your company when major data leaks are happening and causing reputational damage to big global companies.