Lei Geral de Proteção de Dados Pessoais (LGPD Compliance) – What You Need to Know About Brazil’s National Data Privacy Regulation

It can be difficult to keep up with all the data privacy regulations across the globe, and failure to comply can result in heavy fines and other punishments. This growth of global data privacy laws represents major progress for consumer rights and gives organizations who comply a chance to earn trust from their customers.

This brings us to the most recent major data privacy law to go into effect – Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD). Originally the regulation was set to go into effect in August 2020, but due to the COVID-19 pandemic that was set to be pushed back. However, in a bit of a surprise in late August, the Brazilian Senate pushed LGPD into effect for September 18th, 2020.

Modeled after the EU’s GDPR, the primary logistical goal of LGPD is to unify 40 different privacy regulations already in effect in Brazil, resolving various conflicts across the regulations and the industries those regulations encompass. From a data privacy perspective, LGPD aims to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”

So, let’s break down who should be aware of LGPD, how data is protected, what organizations need to do to comply, and how organizations found to be in non-compliance can be punished.

It should be noted that this blog is an introductory guide to LGPD, however, those who must be in compliance should read the full regulation as translated to English here.

Who Must Comply with LGPD?

LGPD has a broad reach, and the rules for who must comply boil down to:

• Legal entities that physically process data in Brazil
• Legal entities that process the data of Brazilian natural persons, regardless of the geographic location of data processing
• Legal entities that process data with the intent to offer goods or service to Brazilian natural persons

LGPD also isn’t limited to organizations of a certain size, like GDPR is. All organizations that meet one of the above are subject to the regulation.

However, there are some exemptions:

• Data processing is carried out by a natural person, solely with the intent to use that data for private, non-commercial use.

• The data being processed is for one of the following purposes:

• National security
  • Academic research
  • Investigation of criminal offenses
  • Public safety
  • Journalistic or artistic expression

It’s also important for organizations to determine if they’re a data controller, a data processor, or both, as that affects which LGPD obligations must be met. Here’s the LGPD’s distinction of “controller” and “processor”, per Article 5:

Controller – Natural person or legal entity of either public or private law in charge of making the decisions regarding the processing of personal data.

Processor – Natural person or legal entity of either public or private law that processes personal data in the name of the controller.

What Data is Protected & What Rights Do Data Subjects Have?

Under LGPD, data is classified into two categories: “personal data” and “sensitive personal data”.

Personal Data – This definition is broad, covering any data regarding an identifiable natural person. However, this definition also applies to multiple pieces of data that can be combined to identify a natural person, so essential any data could end up being “personal data” when paired with other data.

Sensitive Personal Data – Data classified as “sensitive” is subject to stricter processing limitations per Article 11. The official definition is, “personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data when related to a natural person”.

LGPD also defines anonymized data, where a data subject cannot be identified using reasonable technical means, which is excluded from the protections personal data received.

Per Article 18, data subjects protected by LGPD have the right to request any of the following from the data controller:

• Confirmation of the existence of their data being processed
• Access to their data
• Correction of incomplete, inaccurate, or out-of-date data
• Anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with LGPD
• Portability of the data to another service provider or product provider
• Deletion of personal data processed with the consent of the data subject
• Information about public and private entities with which the controller has shared data
• Information about the possibility of denying consent and the consequences of such denial
• Revocation of consent

These rights are very similar to GDPR, with some minor differences regarding the right to be informed of what will happen if an organization refuses to consent to their request.

Legal Basis for Processing & Transferring Data

Under LGPD, the processing of personal data may only occur under certain legal bases. As outlined in Article 7, these bases are:

• With the consent of the data subject
• For compliance with a legal or regulatory obligation
• By the public administration, for the processing and shared use of data necessary for the execution of public policies
• For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
• When necessary for the execution of a contract
• For the regular exercise of rights in the “Brazilian Arbitration Law”
• For the protection of life or physical safety
• To protect the health, exclusively, in a procedure carried out by health professionals, health services, or sanitary authorities
• When necessary to fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties which require personal data protection prevail
• For the protection of credit (e.g. a credit score)

LGPD also outlines specific scenarios in which protected data can be transferred internationally, per Article 33. Most importantly, the country receiving data must have adequate levels of protection.

Additional conditions include user consent, the implementation of a standard contractual clause or global corporate policy, and legal scenarios in which exemptions can be made (e.g. when consent has not been explicitly granted).

Any organization in need of international data transfer mechanisms for data protected by LGPD should carefully consult Article 33 before moving data across national lines.

How Can Organizations Comply?

Organizations already prepared for GDPR and CCPA will be in good shape, as much of LGPD is modeled after GDPR (as is CCPA).

A good starting point is the general principles outlined in Article 6, which assume all processing of personal data will be done in good faith. The principles are purpose, adequacy, necessity, free access, quality of the data, transparency, security, prevention, nondiscrimination, and accountability.

Additionally, organizations should be prepared to handle all user requests regarding the rights granted to data subjects under LGPD. Failure to properly respond to these requests is when penalties and sanctions will be handed down by the Brazilian data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD).

Besides compliance with data subject requests, organizations subject to LGPD must also appoint a Data Protection Officer (DPO). This doesn’t need to be a physical person, although it can be, and can also be a group of people within an organization or even outsourced (to a law firm, for example).

The DPO is responsible for maintaining records of processing, implementing measures to protect personal data, conducting data privacy impact reports, alerting the national authority (i.e. the ANPD) in the event of a breach, among other responsibilities outlined in Article 41.

Organizations should also update their Privacy Policy to include data subject rights under LGPD, information about the organization’s data processing activities, and how data subjects can submit requests regarding their data.

Finally, using cybersecurity software automation is recommended to locate and act on personal data per LGPD requirements and data subject requests. Organizations taking this approach, through privacy by design and default, will find themselves with a much easier path to LGPA compliance.

How Can Organizations Be Punished for Non-Compliance?

Despite coming into effect in September 2020, penalties for non-compliance won’t take effect until August 1, 2021. This gives all organizations subject to LGPD ample time to prepare and avoid potential sanctions.

The LGPD’s Data Protection Authority, the Autoridade Nacional de Proteção de Dados (ANPD), also hasn’t fully come into form yet. Until that happens, formal punishments and sanctions won’t be cast on organizations in non-compliance. Once the ANPD starts issuing sanctions, expect to see fines of up to 2% of an organization’s global revenue for the prior year (up to 50 million BRL, or approximately 9.3 million USD).

Individual data subjects are also granted rights to file civil lawsuits against organizations found to be in violation of LGPD, and this can happen in advance of August 1, 2021 (i.e. now).

How Stealthbits Helps with LGPD Compliance

In order to comply with LGPD requirements, Stealthbits provides a range of capabilities that allow customers to identify, secure, and report on personal data. 

StealthAUDIT, a full-fledged Data Access Governance (DAG) solution, includes: 

Host Discovery: Identify the different platforms within the network that may contain various unstructured and structured data repositories to ensure a comprehensive view of your organization’s privacy data footprint. 

Sensitive Data Discovery: Capabilities that analyze content for patterns or keywords that match built-in or customized criteria related to customer privacy. 

Remediation Actions: Automate all or portions of the tasks you need to perform to demonstrate compliance with LGPD and a myriad of other regulatory standards. 

With StealthAUDIT, you can automatically discover where unstructured and structured data exists across your network, scan those files for sensitive data, classify and tag each sensitive file, automatically clean-up stale files, and much more.

Workflows StealthAUDIT can help with include:

• Understanding access rights, permissions, activity, data sensitivity, ownership, and file metadata across unstructured and structured data sources 
• Implementing a least privilege access model, ensuring access rights and permissions are limited to only what users need 
• Monitoring and securing Active Directory to prevent unauthorized access to data resources and mitigate risks associated with account compromise and privilege escalation 
• Maintaining a full, searchable audit trail of all file access activities, Active Directory changes, account authentications, and more for forensic investigations and auditors

Learn more about how Stealthbits can help protect your organization’s data and Active Directory here.