Brazil Law Compliance

Brazil’s General Data Protection Law (LGPD)

Compliance with Brazil’s General Data Protection Law (LGPD)

The Brazilian General Data Protection Law (LGPD) was unanimously approved on July 10, 2018 and will become law in 2020. The LGPD carries many similarities with the EU’s General Data Protection Regulation (GDPR); however, it is leaner in comparison.

The LGPD applies to everyone processing personal data while supplying goods or services to Brazilian residents. Data holders (called data subjects under the GDPR) have nine rights, which are similar to those outlined by the Brazilian law’s EU counterpart. Sanctions under the LGPD can reach fifty million reais (roughly $12.9 million USD) or even total prohibition of processing.

Right of Information

Should a data holder submit a request, the controller must respond by confirming whether data processing operations exist. This must happen either immediately, in a simplified format, or within 15 days by means of a clear and complete declaration that includes: the origin of the data; the criteria used for the processing; the purpose of the processing; the form and duration of treatment; the identity of the controller; the controller’s contact information; information shared with other entities and the purpose of the sharing; the responsibilities of the processors carrying out the processing; and the rights of the data holder, with explicit reference to Art. 8 of the LGPD.

How OneTrust Helps

OneTrust Data Subject Rights Management is equipped to handle the data holder request lifecycle in an effective and compliant manner. Create customizable holder request intake forms, verify holder identity, configure deadlines, assign tasks, leverage multilingual response templates, and communicate securely with holders through an encrypted messaging portal. To demonstrate compliance, maintain records of all holder requests and interactions. With OneTrust, you can also use organizational hierarchies and role-based access controls to develop region-specific workflows and controls specific to the LGPD.

Right of Access

Personal data of the data holder must be stored in a format favoring the exercise of the right of access and only provided on receipt of a “verifiable consumer request.” The data holder determines whether the data will be provided electronically or in paper form. For processing based on contract or consent, a data holder may request a full electronic copy of his or her personal data in a format allowing its processing.

How OneTrust Helps

Using OneTrust Data Inventory & Mapping technology, you can pinpoint where an individual’s personal data resides and how it is used. When a request is received via the Data Subject Rights Management tool, locate the data the holder has requested access to by searching through your data inventory.

Consent & Right to Opt Out

Consent must be provided by the data holder in writing or by other means that demonstrate the data holder’s will. The controller is responsible for proving that consent was obtained in accordance with the requirements of the LGPD. Consent must be specific to particular purposes; general consent is void. Consent can be withdrawn by the data holder at any time. Prior to giving consent, the data holder must be informed about the processing; if the information provided is misleading or non-transparent, the consent is considered void.

How OneTrust Helps

OneTrust Universal Consent & Preference Management enables you to obtain and track consent and to give data holders the right to opt out. With OneTrust, develop granular collection methods to ensure that consent is specific to the purpose for which it was provided. Collect consent through any medium, including online web forms and mobile apps. Build trust with a preference center tailored to your brand and use case that gives data holders control over their right to opt out.

Right of Deletion

Under the LGPD, data holders can request that their personal data be deleted after they withdraw consent (legal exceptions exist here). Data holders can also request deletion of data that is unnecessarily collected, excessive, or processed in violation of the provisions of the LGPD.

How OneTrust Helps

OneTrust enables holders to submit requests via the Data Subject Rights webform. Requests are sent to a central queue within OneTrust where admins can verify the identity of the holder and take action on the request. OneTrust Data Inventory & Mapping also makes it easier to identify where a holder’s data exists, thus speeding up the process of data deletion.

Other Obligations – Breach Notification

The controller must notify the national data protection authority of security incidents that may cause risk or damage to data holders. The time limit will be specified by the national data protection authority. Should an incident of this type be discovered, the minimum notification information includes the categories of personal data affected, information on the data holders involved, the technical measures and safeguards used to protect the data, the risks associated with the incident, and the measures taken to mitigate the effects of the incident.

How OneTrust Helps

With OneTrust, you can address incidents quickly with templated incident and breach assessments as well as custom breach response workflows. These assessments help you identify the severity and scope of an incident. Additionally, use the OneTrust self-service portal to simplify the incident reporting process.

Other Obligations – Data Mapping & Data Protection Impacts Assessments

Both the controller and the operator are obliged to keep records of processing that contain at least the types of data collected, the methods used for collecting the data, and the information security measures in place. The DPA may instruct the controller to draw up a data protection impact assessment (‘impact report on protection of personal data’ or ‘DPIA’) on the protection of personal data, including sensitive data, concerning its data processing operations.

How OneTrust Helps

OneTrust templated assessments enable your organization to perform DPIAs in response to a DPA request. Assessment Automation speeds up the DPIA process and helps your organization gain a better understanding of what personal data you’ve collected, where it exists, and the security measures in place to protect it.

Other Obligations – Security Measures

Both the controller and the operator must maintain appropriate security measures to ensure the safe processing of data. This means vendors will need to hold each other accountable to meeting the security control requirements of the LGPD.

How OneTrust Helps

With OneTrust Vendor Risk Management, you can assess vendors to verify that appropriate safeguards are in place. Through OneTrust, streamline the vendor risk assessment process and hold vendors accountable with up-to-date documentation.

Why Over 1,500 Customers Choose OneTrust

Most Comprehensive Technology

200 Member R&D Team Driving Product Innovation with 16 Patents Awarded

World-Class Privacy Research

Over 100 Certified Privacy Professionals In-house with Continuous Regulatory Research

Expert Global Services

Multi-lingual, 50 Person Implementation Team, and Large Partner Network to Support Privacy Initiatives

Large Active User Community

Thousands of Members Sharing Best Practices in 40 Global PrivacyConnect Workshops