Kenneth Geers on Compliance, September 9, 2020

LGPD - What to Expect from Brazil’s version of the GDPR

Brazil’s LGPD Privacy Law has brought additional attention to information security and data protection.

Europe and California are no longer alone in their recent concern for data privacy. In South America, Brazil will now enforce the Lei Geral de Proteção de Dados Pessoais (LGPD), which is similar in nature to the European GDPR (General Data Protection Regulation) and the California Consumer Privacy Act (CCPA). Given that Brazil has a population of over 210 million people, LGPD will have global ramifications.

What is the Brazilian LGPD?

As of August 14, 2020, it is illegal for individuals, businesses, and public institutions to possess or process, online or offline, any Brazilian citizen’s sensitive personal information without his or her consent (with some exceptions, such as for national defense). And the LGPD applies no matter where in the world the data storage or processing takes place.

Thanks to this data protection regulation, Brazilians now have more rights over their personal data, covering its storage, access, correction, and deletion. “Data subjects” have the right to obtain confirmation of data access and processing, as well as the correction of inaccurate data. Firms may process personal data only if they have a documented basis for doing so, such as consent from the data subject, legitimate business concerns, or the execution of a contract.

According to the new data protection regulation, there are heightened obligations for “sensitive” personal data, such as race, ethnicity, religious belief, political opinion, organizational memberships, sexual orientation, and biometrics. Children’s data, commonly used by educational and gaming sites, have additional protections. LGPD also offers more data protection than GDPR for certain types of metadata that could be associated with a person.

In other words, Brazil’s new privacy law represents progress for personal data protection. But what does it mean for companies and small businesses?

What Kinds of Obligations Does the LGPD Enforce on Companies?

LGPD requires data controllers (a business that is gathering the data) and processors (a business that provides a service on behalf of the controller) to take “all possible” security, technical, and administrative steps to protect personal data not only from unauthorized use but also from data theft and breach. And the penalties are steep: an organization may have to pay a fine of up to 2% of its revenues in Brazil for the prior fiscal year, or up to 50 million Brazilian Real (over $9 million USD) per infraction.

Although LGPD administrative penalties are not slated to start until August 1, 2021, data controllers and processors are not free from liability in the interim. Brazilian authorities may already bring claims against violators. Data controllers must report security incidents, within a “reasonable” period of time, to both data subjects and the Brazilian National Data Protection Authority (ANPD).

LGPD Compliance and Beyond

Your organization cannot wait to start addressing these legal changes. Brazil is far from a unique case. Countries around the world are adopting similar measures to protect personal information, from Nigeria to New Zealand (Privacy Act) and Japan (Act on the Protection of Personal Information). And remember, every institution is required to comply with these laws, whether it is physically located within these countries or merely possesses and/or processes their citizens’ data.

In other words, it doesn’t matter where you are located. According to recent general data protection laws, if you are involved in storing or processing personal data that originate from these countries, you need to comply with the regulations.

Our company, Very Good Security (VGS), offers a revolutionary way to secure personal information. Rather than investing time and resources into building costly infrastructure to secure the data, VGS intercepts the data as it’s being collected, creates a real-time “alias” (an advanced form of token), and enables you to have full operational functionality of the data without having to secure the data yourself. VGS simply removes the burden of data protection from your technical responsibility and legal liability. The data is secured in your VGS vault and your systems only handle the aliases, which eliminates the risks of any data breaches or unintentional leaks.

By working with VGS, you gain best-in-class security that can reduce your compliance certification tasks by over 90%, and make PCI, SOC2, HIPAA, GDPR, and LGPD compliance fast and easy. Your team can focus on growing your business and profits.
