Inspired by the European Union’s General Data Protection Regulation (GDPR), Brazil’s (Lei Geral de Proteção de Dados or LGPD) regulates how companies collect, store, handle, and share personal data.
Who the LGPD impacts
The LGPD aims to protect the privacy and fundamental rights of individuals whose personal data is collected and/or processed in Brazil. As a result, the LGPD—like the GDPR—will have extraterritorial effects. Thus, organizations in Brazil, and anywhere else in the world, that process the personal data of individuals located in Brazil will have to comply with the LGPD.
LGPD and GDPR similarities & differences
Territorial Scope
Both the LGPD and GDPR apply to any individual or business that processes personal data within their respective jurisdictions, regardless of where this processing is conducted.
Personal Data
Both the GDPR and the LGPD define personal data similarly—that is, information related or relating to an identified or identifiable natural person. They also both set enhanced protections for sensitive personal data, which they similarly define. Neither law applies to anonymous data.
Processing and Privacy Principles
Organizations subject to the GDPR will also see similarities with the LGPD’s processing principles. The GDPR sets forth six processing principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. The LGPD, however, specifies ten principles: purpose; suitability; necessity; free access; data quality; transparency; security; prevention; nondiscrimination; and accountability. Thus, organizations subject to the LGPD will have to ensure their processing comports with the newly established principles insofar as they do not fall under the GDPR’s.
Legal Bases for Processing
Both the GDPR and the LGPD require controllers to establish a legal basis to process personal data. Both laws provide similar bases, but each contains some variations. Indeed, the GDPR sets forth six lawful bases, while the LGPD allows ten lawful bases.
Controller and Process Relationships
The GDPR sets forth more stringent requirements for the controller-processor relationship. It requires that a contract with specific provisions or other legal govern the relationship between the controller and the processor. However, the LGPD only requires that the processor perform the processing pursuant to the controller’s instructions and that the controller verifies the processor’s compliance.
Data Subject Rights
Organizations familiar with the GDPR will recognize the data subject rights under the LGPD. Both laws grant individuals similar rights in regard to their personal data. Under each law, for instance, data subjects have the right to erasure/deletion, to be informed, to access, to revoke consent, to correct inaccurate or out-of-date data, to non-discrimination, and to data portability, among others. The laws do contain differences. For example, the GDPR is more prescriptive, the LGPD gives individuals the right to anonymize data in certain circumstances, and, while the LGPD gives data subjects the right to review automated decision-making, it does not grant them the right to human review of such decisions.
International Transfers of Personal Data
Both the GDPR and the LGPD place restrictions on the transfer of personal data to third countries or international organizations, allowing such transfers only according to specific grounds. For instance, each law recognizes the concept of third country data protection adequacy, as well as global corporate rules / binding corporate rules, standard contractual clauses, and certificates/codes of conduct. However, Brazil’s Data Protection Authority (ANPD) still must make the adequacy decisions and set forth rules for the other lawful transfer mechanisms.
Data Processing Records
Both the GDPR and the LGPD require organizations to maintain records of their processing activities. However, the GDPR specifies in greater detail the information subject to record-keeping.
Data Protection Impact Assessments
Both the GDPR and the LGPD require controllers to conduct data protection impact assessments to evaluate the risk of certain processing activities. However, the GDPR details when it requires such assessments, as well as the aspects that the assessments must cover. The LGPD, on the other hand, simply states that the ANPD may decide when a controller must conduct such an assessment and lacks details on the assessment criteria.
Data Protection Officer Appointment
Both the GPDR and the LGPD require the appointment of data protection officers (DPOs). While the GDPR requires both controllers and processors to appoint DPOs, the LGPD only requires controllers to do so. However, the GDPR contains exceptions for when DPOs are not necessary.
Data Security and Data Breaches
Both the GDPR and the LGPD require controllers and processors to implement appropriate security measures to safeguard personal data. The GDPR is more prescriptive in this regard, while the ANPD has the authority to issue guidance on specific security measures to adopt. In the event of a data breach, both the GDPR and the LGPD require controllers to notify the supervisory authority, as well as affected data subjects, in certain circumstances. However, the GDPR requires a controller to report a data breach within 72 hours of its discovery and allows no notification if the breach does not reach a certain threshold of severity. The LGPD only requires reporting within a reasonable time period, and the ANPD has the authority to establish guidelines or rules about this time period.
Enforcement – Monetary Penalties, Sanctions, etc.
Noncompliance with or violations of either the GDPR or the LGPD will subject controllers and processors to potential fines, sanctions, or civil lawsuits. The specific penalties or sanctions under each law differ. Under the GDPR, for example, depending on the type of violation, the penalty may be up to either: 2% of the organization’s global annual turnover or €10 million, whichever is higher; or 4% of global annual turnover or €20 million, whichever is higher. With respect to the LGPD, depending on the type of violation, the ANPD may issue a fine of up to 2% of an organization’s revenues in Brazil (for the prior financial year, excluding taxes), up to a total maximum of BRL 50,000,000 per infraction.
Final thoughts
Despite the similarities between the GDPR and the LGPD, compliance with the GDPR does not guarantee LGPD compliance. Given that LGPD compliance implementation is right around the corner, organizations processing the personal data of individuals in Brazil or processing personal data in Brazil should immediately consider reviewing their current data processes and structure to identify and address any LGPD compliance gaps.
OneTrust’s LGPD Solutions are backed by AI robotic information and regulatory research. Request a demo to build, adapt, and mature your LGPD program.
