Introduction to the LGPD
Compliance with the LGPD requires organizations to adhere to 65 articles that regulate the collection, processing, disclosures, and erasure of personal data.
The law contains unique definitions of personal data and their authorized uses that count on enforcement by the Brazilian Data Protection Authority (ANPD).
Similar to the GDPR, the LGPD, or Lei Geral de Proteção de Dados, applies to the processing of data by organizations within Brazil, but also to organizations outside Brazil under certain circumstances.
Organizations will also now have a new opportunity to build trust with those data subjects. In addition, they’ll avoid penalties and potential reputational damage caused by poor handling of data.
Overview of the LGPD
Brazil passed its General Personal Data Protection Law (LGPD) in 2018. The legislation establishes and protects the rights and freedoms of individuals and provides increased transparency to covered data subjects. While the LGPD went into effect on September 18, 2020, the enforcement of administrative sanctions was postponed to August 1, 2021, as a result of the COVID-19 pandemic.
While this isn’t Brazil’s only law that governs the use and processing of personal data, the LGPD is the nation’s first comprehensive framework that regulates commercial data activities on this scale.
Many provisions of the LGPD take significant influence from the GDPR. For example, many alignments exist between how they define freely-given consent and how they apply it.
However, the LGPD also differs from the GDPR in other areas. This includes in its legal bases for processing, requirements for data breach notifications, and the wide-ranging extent of its jurisdiction.
The LGPD’s applicable scope is perhaps the most significant change it brings to the privacy landscape.
Thousands of entities that aren’t subject to existing global regulations — such as the GDPR and CCPA — must now answer to the LGPD. This means organizations voluntarily adopting CCPA and/or GDPR principles, or those who haven’t yet begun, have a steep curve to climb to achieve LGPD compliance.
Key LGPD Terminology
Key terminology from the LGPD will be familiar to those who work with the GDPR regularly. However, not all vocabulary is interchangeable between the two texts. Let’s define the essential LGPD terms before exploring their applications.
The following definitions come from the legislation:
- Data Controller – a person or organization that makes decisions about any kind of personal data that’s processed.
- Data Processor – a natural person or legal entity, governed by public or private law, that processes personal data on behalf of a controller.
- Personal Data – any information related to a real person.
- Sensitive Data – personal information that may include racial or ethnic origin, religious belief, political opinion, trade union membership, or religious affiliation. Sensitive data also covers health or sex life data and genetic or biometric data.
- Pseudonymisation – the processing of data in a way that removes direct or indirect associations to an individual — unless otherwise maintained by a controller in a regulated environment.
- Anonymisation – the processing of personal data that uses technical means to remove the possibility of direct or indirect associations to a data subject.
- Data Protection Officer (DPO) – facilitates communication between controllers, data subjects, and the ANPD. This can be an individual, a group, or a company the controller appoints.
Does the LGPD Apply to Your Organization?
To determine if the LGPD applies to your organization, you will have to review the law’s material scope — i.e., whether the LGPD covers your types of processing activities.
Your organization will also need to consider the territorial scope of the LGPD. For this, you’ll need to evaluate whether the location of your customers, data collection activity, and data processing activity fall within the LGPD’s jurisdiction.
Territorial Scope of the LGPD
When data activities involve the personal data of Brazilian citizens and/or people located inside of Brazil, the LGPD’s territorial scope will apply.
The LGPD is relevant to individuals or organizations that process personal data:
- Within Brazil. This includes data collection, processing, and storage inside the nation’s borders.
- Outside of Brazil. This is where the processing operation is carried out in the national territory; the processing activity is aimed at the offering or provision of goods or services, or at the processing of data of individuals located on the national territory; or the personal data being processed was collected in the national territory.
Material Scope of the LGPD
The LGPD applies to personal data processing performed by a natural person, a public entity, or a private organization. Unlike other laws, such as the CCPA and CPRA, the LGPD doesn’t set a size threshold. This means companies of all sizes must comply with the LGPD.
According to Article 4, there are few exceptions to the LGPD’s material scope:
- Processing activities used for private, non-economic activities.
- Journalistic and artistic purposes.
- Covered academic reasons.
- Public safety, national defense, state security, or investigation and prosecution purposes.
- Processing activities of personal data originated outside of Brazil, from countries that provide an adequate level of data protection.
LGPD Data Subject Rights
The LGPD establishes new rights and freedoms for individuals in Brazil. Covered organizations must provide an unobstructed pathway for data subjects to exercise the following rights:
Right to be Informed
According to Article 9, the LGPD provides the right of access to data subjects so they may learn how companies process their personal data. This also applies when a third party obtains personal data from a controller.
Right to Access
Per Article 18, the LGPD gives individuals the right to request a copy of their personal data through any reasonable means. This includes via email, phone, written letter, or through an online portal.
Right to Rectification
Also addressed by Article 18, data subjects have the right for businesses to correct incomplete, inaccurate, or outdated information about them. There are no restrictions on the format or nature of rectification requests made by individuals.
Right to Erasure
Article 18 establishes the right for individuals to request complete erasure of their personal data. Businesses must honor erasure requests so long as they have consent and have verified the data subject’s identity.
Right to Object
Also known as the “right to restriction”. Data subjects may ask companies to block unnecessary or excessive data collection or processing. This is especially true when data practices are non-compliant with the LGPD. Per Article 5, the LGPD defines blocking as “the temporary suspension of any processing operation, by means of retention of the personal data or the database.”
Right to Data Portability
Data subjects have the right to the portability of their data via an express request. This process is subject to commercial and industrial secrecy as regulated by the ANPD.
Right Not to be Subject to Automated Decision-making
Per Article 20, data subjects may request to review decisions made about them exclusively as a result of automation. This particularly applies to any decisions that would define their personal professional, consumer, and credit profiles, as well as personality.
6 Steps to LGPD Compliance
LGPD compliance bears similarities to preceding regulations, but the requirements vary in several key areas. Follow these six steps for LGPD compliance so your organization can get up to speed quickly.
- Appoint a DPO
- Build a Data Map
- Perform a Gap Analysis
- Create a Process for DSAR Management
- Implement a Process for Breach Notification
- Conduct Risk Assessments
Step 1: Appoint a DPO
The first mission-critical step towards LGPD compliance is appointing a Data Protection Officer. While other data protection laws require organizations to appoint a natural person to a DPO role, the LGPD enables companies, committees, third-party specialists, or internal working groups to carry out the responsibilities. Under the LGPD, the DPO doesn’t have to reside in Brazil.
Step 2: Build a Data Map
Data mapping is a critical activity to understand data flows, including collection points, data purposes, sharing policies, and retention applications. This enables privacy teams to develop and refine internal processes that pursue LGPD compliance.
Third-party processors must also play a role in your organization’s data mapping efforts. This enables data controllers to select and create agreements with processors that minimize their risk exposure.
Pursuing LGPD compliance is an ongoing practice.
The ANPD will require organizations to hold up-to-date, accurate documentation of data flows at all times. Data mapping supported with automated workflows helps teams develop and maintain current information on IT systems, data transfers, and relevant third-party activities.
Step 3: Perform a Gap Analysis
Once equipped with a comprehensive data map, improving your LGPD compliance will come down to understanding and addressing where current processes come up short.
Performing an effective gap analysis will help you gain these insights.
An audit of current and planned data uses should start with corporate policies and end with specific processing activities. You’ll need to identify the approaches, activities, and assets that require revisions or elimination to observe the requirements and rights set forth by the LGPD.
Step 4: Create a Process for DSAR Management
The LGPD establishes the rights of data subjects to data access, rectification, portability, erasure, blocking, as well as the right to be informed. Organizations need to establish a process to manage an influx of DSARs.
The LGPD indicates two deadlines for complying with a data subject access request. The deadline depends on the nature of the request.
According to the text, a data controller must provide the data to a subject “immediately” (in a simplified format) in many cases. In some cases, the controller must respond within 15 days of a request and provide a detailed report about the data’s origin, the processing criteria, and its purposes.
The legislation leaves no breathing room at this time for high volumes of requests, exposing data controllers to possible penalties if they’re unable to operationalize DSARs quickly.
Working with a portal that automates DSAR processing will streamline the efforts to facilitate LGPD compliance by managing DSAR intake and resolution from a centralized platform.
Step 5: Implement a Process for Breach Notification
The LGPD lists robust data breach notification requirements.
According to the legislation, organizations must promptly notify the ANPD and impacted data subjects of incidents. In severe cases, there may be an additional requirement to provide a public disclosure via the media if deemed necessary by the ANPD.
At this time, the LGPD lacks clarity surrounding the severity threshold for data incidents that require breached organizations to notify data subjects. The text asks organizations to consider the presence of risk or damage to individuals and entities related when calculating their decision.
It would be prudent for security teams to prepare for the more stringent data breach notification requirements issued by the LGPD. By implementing a system to handle scaled, compliant data breach notifications to required parties, organizations will be well on their way to LGPD compliance.
Step 6: Conduct Risk Assessments
Organizations need to complete their due diligence before engaging with a vendor that might expose them to the risks of non-compliance with the LGPD.
Before a data controller enters into a contract with a data processor, conducting a risk assessment will enable an informed decision. This is no small effort. It requires privacy teams to assess personal data use, access, and storage to determine whether the processor may subject the controller to data incident or breach risks.
Choosing your third-party relationships carefully will pay off in the long run.
Organizations may want to create specific roles and responsibilities concerning data protection in their third-party agreements to mitigate some of these risks. This is particularly applicable to high-risk processing activities, such as those containing sensitive data.
Ongoing LGPD Compliance
If your organization is familiar with global privacy regulations, you already know LGPD compliance requires continuous effort. For organizations just joining the world of personal data regulation, it’s worth noting that complying with privacy laws is not a one-and-done task.
Consider the following three practices to help your team keep up with the ongoing pursuit of LGPD compliance:
- Research: This guide is only the beginning of your journey to LGPD compliance. Encouraging research and continuous learning will help build the necessary expertise across your team, among decision-makers, and company-wide to enhance data privacy outcomes.
- Keeping up-to-date with developments: Be first to know about regulatory developments and monitor new regulatory authority guidance issued by the ANPD. This practice will help you stay on top of your internal policies and processes, as they will likely need to evolve over time.
- Training: LGPD doesn’t just affect privacy teams. Training sessions for all employees are a great way to ensure everyone understands the impacts of day-to-day decision-making regarding data privacy policies.
LGPD Solutions by OneTrust
OneTrust provides organizations with the tools they need to pursue LGPD compliance. Our solutions enable you to develop and operationalize your LGPD compliance program across different business functions.
The OneTrust platform supports privacy, compliance, and marketing teams by enabling them to:
- Fulfill and expedite DSARs through an automated portal.
- Streamline data discovery & classification to build an evergreen data map.
- Access an extensive, up-to-date source for LGPD research and guidance.
- Get the support you need to implement LGPD requirements from our local, certified professionals.
Learn how OneTrust can help you launch your LGPD compliance program. Request a demo today!
Further resources for LGPD compliance:
- OneTrust DataGuidance: Brazil LGPD Portal
- OneTrust Guide: Requirements of LGPD Consent & Privacy-Focused Design
- OneTrust DataGuidance Report: Operationalizing the LGPD
- OneTrust Webinar: LGPD is Here: What You Need to Know
- OneTrust DataGuidance Report: Comparing Privacy Laws: GDPR v. LGPD