April 20, 2022
Your Keys to Success: LGPD Requirements
The Lei Geral de Proteção de Dados (LGPD) is Brazil’s General Data Protection Law. It requires that all personal data processing have a legitimate, specific, explicit, and clearly stated purpose. The LGPD is similar to the EU General Data Protection Regulation (GDPR): organizations that process personal data must implement safeguards to protect it, and data subjects in Brazil are granted specific data privacy rights, among other provisions.
Consent and Lawful Bases for Processing
Compliance with the LGPD’s requirements, especially those concerning the data subject’s consent, comes down to how effectively you provide transparency to data subjects. Article 8 of the LGPD leaves the form of consent open, stating broadly that it can be given in “writing, or other means.” In practice, you ought to approach consent with consumer awareness as your priority.
According to the LGPD, consent is one of the legal bases for data processing. To gain consent, the data subject must agree to the processing of personal data for the express purposes you lay out for them.
If there are any changes to data processing activities, you must inform data subjects immediately and give them the chance to revoke their consent.
Privacy by Default aligns with the spirit of the legislation. Don’t offer consent forms with pre-selected boxes — this doesn’t follow the LGPD’s requirements for users to provide free and informed consent.
Data Subject Access Requests and Breach Notifications
The LGPD establishes strict obligations for data controllers regarding data subject rights requests and data breach notifications — but doesn’t require data processors to facilitate them.
Compliant organizations need to respond to data subject requests promptly. The legislation establishes two potential approaches, and the choice between them depends on the contents and nature of the request:
- Immediately, with a pared-down version of the requested data file.
- Within 15 days, with a complete data file.
For breach notifications, the LGPD requires data controllers to notify the Autoridade Nacional de Proteção de Dados (the ANPD) – Brazil’s Data Protection Authority – and the data subjects if the incident may cause risk or relevant damage to affected parties. The suggested notification timeframe is within two working days. If the notification arrives after two working days, the report must explain the delay.
The ANPD offered some examples to help illustrate when a controller has a legal obligation to issue a breach notification:
- When processing activities involve sensitive data – such as racial or ethnic origin, religious belief, and biometric data – or personal data from vulnerable data subjects, such as children.
- If an incident may result in material or moral damage, such as discrimination against the data subject, reputational damage, financial fraud, or identity theft.
When data controllers notify the ANPD, they must include:
- A description of the personal data involved with the incident.
- Who the affected users are in relation to the organization.
- The organization’s policies and procedures for privacy and data security.
- An incident risk assessment.
- Actions in progress and/or completed to protect data subjects from further damage, lessen the damages, or recuperate.
According to the LGPD, completing a data map for the entire organization will support your compliance requirements.
It is critical to know every data flow occurring company-wide, who manages it, and what processes it follows. Through this exercise, privacy teams can identify LGPD compliance gaps and develop strategies to resolve them.
You should be able to identify two types of gaps existing in your organization today:
- General gaps, which call for strategic adjustments at the governance and policy level.
- Specific gaps, which come down to non-compliant practices in individual workflows or operations.
Managing Vendor Risk
The LGPD establishes joint liability for the shared use of personal data between data owners and data processors.
The LGPD requires some sectors to execute contracts with third-party vendors to govern data usage, especially when handling sensitive personal data. But the regulation doesn’t ask all organizations to hold contracts with third-party vendors.
If your sector doesn’t fall under those identified by the LGPD, it’s still worth considering this approach. A contract will help to clarify the responsibilities and obligations of each partner. It would be wise to conduct third-party risk assessments to help you determine if creating contracts will best support your path to LGPD compliance.
Your Next Steps
The best way to stay up-to-date with LGPD compliance is to access the OneTrust DataGuidance portal dedicated to Brazil’s LGPD, which is kept updated with the latest guidance from the national data protection authority.
The next step is to ensure your compliance program meets all the requirements of the LGPD. We recommend using automation to simplify the process and increase accuracy and efficiency. OneTrust helps organizations accelerate time to LGPD compliance and adhere to their legal obligations with a range of solutions including data mapping automation, consent management, and DSAR automation.
OneTrust DataGuidance is a global regulatory research platform designed to help you build and maintain a compliance program that meets all current data guidance, including LGPD. Sign up for a free trial to see how it works.