Why is the LGPD important for Brazil?

Brazil’s LGPD (Lei Geral de Proteção de Dados, or Brazilian General Data Protection Law) is generally based on GDPR, so Europe provides a pretty good glimpse at what’s to come for Brazil. Since GDPR was implemented on May 25th, 2018, all companies based in Europe or serving European customers have had to reevaluate their data management strategies.

Now citizens can easily inquire about what data companies have on them, request it to be deleted, and must always be informed about any data breaches.

Non-compliance with these laws can bring about massive penalties. Last year, several companies were fined approximately €55 million for failure to comply with the GDPR. Google alone was fined €50 million.

But what does that mean for Brazil? What is considered personal data and how is it supposed to be handled? Here’s a comprehensive breakdown of Brazil’s data protection law.

Personal rights. Individuals whose data is being collected and processed have new rights under LGPD. These include access to their collected personal data, its erasure, and data portability. Data portability means that subjects can have the right to access and transfer their personal information elsewhere. Companies must comply with the requests within 15 days.

Data breach notification. Under the new law, companies now have to notify the National Data Authority about any personal data breaches. Individuals whose data is affected must also be informed. Similarly to GDPR, businesses are now obliged to have a data protection officer to oversee information processing.

Processing data. LGPD lays out ten principles for data processing. These include accountability, non-discrimination, legitimate purpose, transparency, security, accuracy, and more. It also points out circumstances under which data can be processed, with consent being the first.

Brazil’s legal jurisdiction. Just like with GDPR, its Brazilian counterpart claims that LGPD applies to companies based in Brazil or serving Brazilian customers. Even if the company is headquartered overseas, it must comply with the data protection law when it comes to the country’s citizens.

Data mapping. Organizations have to record all data processing activities in a report. Organizations must also do a privacy impact analysis for personal data processing.

Penalties. The punishment for non-compliance can amount up to 2% of the company’s gross revenue in Brazil in the last year or R$ 50 million per violation, which is roughly US$12.9 million.

The law has a few exceptions like national security, research, journalistic, and artistic purposes. LGPD will go into effect in February, 2020.