Inspired by the GDPR, many nations have begun introducing stricter and more comprehensive data privacy regulations. One such nation is Brazil, which implemented the Lei Geral de Proteção de Dados (LGPD), translating to General Data Protection Law, in August 2020.
The law has been in effect for a year now and since August 21, 2021, penalties for non-compliance can be enforced on organizations. It is high time for organizations that collect, use, and disclose the personal information of Brazilian residents to understand what the LGPD demands and how they can be compliant.
Understanding the Brazilian LGPD
The Brazilian General Data Protection Law is Brazil’s version of the GDPR. It is a comprehensive data protection regulation aimed at improving data privacy and protecting the sensitive personal information of Brazilians. Similar to data privacy laws in other parts of the world, the LGPD also allows organizations to only collect and process personal data that is necessary for the legitimate and clearly identified purposes stated by the organization.
There are several similarities between the LGPD and the GDPR including their definitions of personal data and their data subject rights. Article 19 of the Brazilian LGPD defines nine fundamental rights for individuals, very close to the eight rights outlined in the GDPR. These are –
- Right to confirm the existence of the processing of their data
- Right to access their data
- Right to correct inaccurate, incomplete, or outdated data
- Right to block, delete or anonymize unnecessary/ excessive data or any data that is not in compliance with the LGPD
- Right to port data to another service or product provider, through an express request
- Right to delete personal data processed with the consent of the data subject
- Right to information on data sharing with public and private entities by the controller
- Right to information about the possibility and consequences of denying consent
- Right to revoke consent
How can your business be compliant with the LGPD?
Appoint a person to be accountable for compliance with data privacy laws
The first step that an organization needs to take is to have a representative when it comes to data privacy compliance. There are several people handling the data you collect and process, but there has to be one person who is accountable for ensuring compliance and can guide employees on data security policies. They can also be the intermediary between the company, the data subjects, and the regulatory authorities.
Clearly define the data flow within the company
The next step is to understand how your organization collects, uses, and shares the personal information of consumers. Study the process and try to identify insufficiencies or gaps that may lead to non-compliance. Identify what personal information you require for the purpose of business and make sure to collect and process only the data that is necessary.
Focus on transparency and clarity
A primary requirement of compliance with the LGPD, or any other data privacy law for that matter, is transparency. You must make sure that consumers know how, why, and when you are collecting their personal information. Data subject’s consent is a must when collecting personal data for any purpose.
Under the LGPD, you are even required to clearly state which technologies you use to process the data, the purpose of collecting the data, and the time for which the data will be retained.
Respond to consumer requests promptly
The LGPD gives consumers the right to change or delete their data held by a controller at any time. To ensure compliance, ensure that you respond to any correction or deletion requests promptly. Make sure that your company’s Data Protection Officer’s contact information is readily available for consumers to raise such requests when needed.
Report a data breach on time
In case of a data breach, organizations are obliged to report the incident to regulatory authorities as well as the data subjects. The notification must include all the information such as the kind of data compromised, the risks involved, and the measures being taken to mitigate the risks. This can take time and many organisations are now deploying automated compliance platforms to achieve this.
Compliance with Brazil’s far-reaching data protection laws under the LGPD may not be easy but it is essential. A lot is riding on it for businesses, including reputation. To make sure your business does not have to suffer any financial or reputational losses, implementing these solutions and appointing global privacy experts could be your first step.