What is Brazil’s LGPD and what does it mean?

In line with the ever-evolving global data protection landscape, the Brazilian Federal Senate has introduced a new law to align their national data protection legislation with the higher standard set by Europe’s General Data Protection Regulation (GDPR). The Lei Geral de Proteção de Dados (LGPD) regulation comes into effect on the 15th August 2020 and sets out exactly how organizations and individuals are permitted to collect and use personal data in Brazil. Companies have until this date to make sure they are compliant.

The definition of personal data refers to any data that can explicitly identify a person and any information from which identity can be inferred and needs to be protected to prevent serious crimes, such as identity fraud.

Under the pre-LGPD data protection regime in Brazil, companies could collect and use personal data made available both online and offline for marketing, profiling and big data analytics – among other things. However, the LGPD ensures that people must be informed when their data is being collected and exactly what it will be used for. In addition, it gives individuals the right to request that their data be corrected, deleted or provided to them in an easily readable format and organizations must demonstrate that they have internal policies and procedures in place to respond to all these requests.

Unlike before this legislation, companies must also delete any data after it is no longer needed for the original purpose for which it was collected unless individuals have expressly permitted otherwise.

The LGPD also requires additional security measures to be in place for processing sensitive personal data, which is defined as data that can subject an individual to discriminatory practices or improperly expose financial, sexual, health or other information. This includes any data relating to an individual’s racial or ethnic origin, religious beliefs, political opinion and affiliation to unions, health, sex life or genetic and biometric data.

The new legislation constraints apply to any individual or organization that: collects personal data in Brazil, involves personal data collected in Brazil or that supplies goods and services in Brazil. The Brazilian data protection regulation protects the data of all individuals in Brazil, no matter where the data collector is located, meaning any company that serves the Brazilian market, whether they have offices in the country or not, is subject to the LGPD.

Organizations that fall under the scope of the LGPD are obligated to adopt measures to protect personal data from unauthorized access and accidental or illegal destruction and loss. These include measures such as, appointing a Data Protection Officer who is responsible for receiving complaints, implementing an information security program, and developing an incident response and remediation plan. Additionally, if they encounter a data breach that leaves peoples’ personal data exposed the Brazilian Data Protection Authority (ANPD) must be notified and, if ordered by the ANPD, the company must also notify the people whose data has been affected.

Organizations that fail to comply with the LGPD could face serious repercussions including fines of $12 million, or up to two per cent of the company’s total revenue in Brazil for the previous year, whichever is greater.

If you would like to know more about data protection check out our previous posts: