The global trend of enacting stricter data privacy laws continues to grow as Brazil’s General Data Protection Law (referred to as the “LGPD”) has recently gone into effect. Many countries have been revamping their old laws and passing new data privacy laws to address consumer information issues. Since data is multiplying by the day, private consumer information is at a greater risk for compromise than it ever has been before. To protect private information like social security numbers and financial data, many governing bodies are passing more consumer-focused laws that implement standards and directives that organizations need to follow to protect sensitive data. These laws also address what to do in the event of a data breach and penalties for violations.
Understanding Brazil’s New Privacy Law
The LGPD was passed on Aug. 14, 2018 and became effective in August 2020. The effective date was earlier than expected since there was an initial request to delay until next May, which was denied. Although the law is currently effective, there are still things to work out. For example, Brazil is supposed to create an administrative agency to enforce sanctions and create regulations to help with the law’s interpretation. However, this agency has not yet been created, which leaves enforcement and deciphering the intents behind the law’s text up in the air. While there can be no administrative sanctions until Aug. 1, 2021, individuals and prosecutors can file private, civil actions for any losses resulting from LGPD violations.
Currently, it is important for organizations to determine whether the law applies to them. An organization may be subject to the LGPD if it processes personal data that is located in Brazil or was collected in Brazil, including data processed for the purpose of offering or providing goods and services to consumers located in Brazil. Like the European Union’s General Data Protection Regulation (GDPR), this law can reach many organizations located outside of Brazil. To process personal data, an organization needs a valid legal basis, such as individual consent or a contractual basis; several other valid bases are enumerated in the law.
If an organization legally processes personal data, it is essential to understand the rights that individuals have under the new law. Consumer rights are one area where the LGPD offers more to the consumer than the GDPR. In addition to rights like accessing and deleting personal information, individuals under the LGPD can also obtain information about any party with whom the organization has shared their data. Individuals also have the right to ask whether an organization stores certain data about them. Data transfers outside of Brazil are allowed if the receiving country has privacy laws in place that offer adequate protection for the personal data. What constitutes ‘adequate protection’ has not yet been defined; once the agency overseeing LGPD enforcement is created, hopefully it will provide additional guidance in this area.
Being Proactive About LGPD Compliance
If an organization does fall under the LGPD’s purview, it should implement the following practices in order to reach compliance:
- Be aware of the key tenets of the law and make any necessary internal changes. Organizations must update all policies and procedures to reflect compliance with the law. This could include implementing stricter security protocols or updating information governance plans to ensure data preservation. Keeping up with any changes to the law or interpretive regulations is key to continued compliance.
- Create a system for responding to consumer data requests. Implementing data mapping systems, keeping a comprehensive log of data processing, and updating auto-classification technology are crucial information governance changes that will make data easier to manage, locate, and retrieve in the event of a request under the LGPD.
- In order to achieve universal compliance, organizations subject to several privacy laws must understand all of the similarities and differences between them. For example, although the LGPD is similar to the GDPR, it differs from it in several distinct ways. Thus far, the GDPR is the strictest data privacy law in the world, and Brazil’s rules appear more lenient. For example, while both laws require some organizations to appoint data protection officers, the GDPR sets requirements that the appointed individual must fulfill before taking over this role. Brazil’s privacy law does not offer any requirements or insight about who can fill this role within an organization.
- Appoint a data protection officer if the LGPD requires a certain organization to have one. After the administrative body starts creating regulations, there should be more insight about who can be a data protection officer and what their role should look like.
- Prepare for potential administrative sanctions, which the governing agency can issue daily and will be based on up to two percent of the organization’s revenue. While it is unknown when Brazil will create the administrative body responsible for these sanctions, it is important to be proactive and anticipate what could happen in the future if an organization fails to reach compliance.
These are just a few important ways that organizations can prevent future LGPD compliance violations. Strengthening information governance practices and security protocols will not only aid compliance under all data privacy laws currently in effect, but will also improve the way an organization conducts its overall business. When it comes to data privacy laws, it is crucial to understand which laws apply and how to reach compliance with all of them. As the LGPD enters the court system and eventually administrative enforcement, what compliance with this law should look like will become even clearer.