It can be difficult to keep up with all the data privacy regulations across the globe, and failure to comply can result in heavy fines and other punishments. The growth of global data privacy laws represents major progress for consumer rights and gives organizations that comply a chance to earn trust from their customers.
This brings us to the most recent major data privacy law to go into effect – Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD). The regulation was originally set to go into effect in August 2020, and due to the COVID-19 pandemic it was expected to be pushed back. However, in a bit of a surprise in late August, the Brazilian Senate brought LGPD into effect on September 18th, 2020.
Modeled after the EU’s GDPR, the primary logistical goal of LGPD is to unify 40 different privacy regulations already in effect in Brazil, resolving various conflicts across the regulations and the industries those regulations encompass. From a data privacy perspective, LGPD aims to protect “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”
So, let’s break down who should be aware of LGPD, how data is protected, what organizations need to do to comply, and how organizations found to be in non-compliance can be punished.
It should be noted that this blog is an introductory guide to LGPD; those who must be in compliance should read the full regulation as translated to English here.
LGPD has a broad reach, and the rules for who must comply boil down to:
LGPD also isn’t limited to organizations of a certain size, like GDPR is. All organizations that meet one of the above are subject to the regulation.
However, there are some exemptions:
It’s also important for organizations to determine if they’re a data controller, a data processor, or both, as that affects which LGPD obligations must be met. Here’s the LGPD’s distinction of “controller” and “processor”, per Article 5:
Controller – Natural person or legal entity of either public or private law in charge of making the decisions regarding the processing of personal data.
Processor – Natural person or legal entity of either public or private law that processes personal data in the name of the controller.
Under LGPD, data is classified into two categories: “personal data” and “sensitive personal data”.
Personal Data – This definition is broad, covering any data regarding an identifiable natural person. It also applies to multiple pieces of data that can be combined to identify a natural person, so essentially any data could end up being “personal data” when paired with other data.
Sensitive Personal Data – Data classified as “sensitive” is subject to stricter processing limitations per Article 11. The official definition is, “personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data when related to a natural person”.
LGPD also defines anonymized data, where a data subject cannot be identified using reasonable technical means; such data is excluded from the protections personal data receives.
Per Article 18, data subjects protected by LGPD have the right to request any of the following from the data controller:
These rights are very similar to GDPR, with some minor differences regarding the right to be informed of the consequences when an organization refuses a request.
Under LGPD, the processing of personal data may only occur under certain legal bases. As outlined in Article 7, these bases are:
LGPD also outlines specific scenarios in which protected data can be transferred internationally, per Article 33. Most importantly, the country receiving data must have adequate levels of protection.
Additional conditions include user consent, the implementation of a standard contractual clause or global corporate policy, and legal scenarios in which exemptions can be made (e.g. when consent has not been explicitly granted).
Any organization in need of international data transfer mechanisms for data protected by LGPD should carefully consult Article 33 before moving data across national lines.
Organizations already prepared for GDPR and CCPA will be in good shape, as much of LGPD is modeled after GDPR (as is CCPA).
A good starting point is the general principles outlined in Article 6, which assume all processing of personal data will be done in good faith. The principles are purpose, adequacy, necessity, free access, quality of the data, transparency, security, prevention, nondiscrimination, and accountability.
Additionally, organizations should be prepared to handle all user requests regarding the rights granted to data subjects under LGPD. Failure to properly respond to these requests is what triggers penalties and sanctions from the Brazilian data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD).
Besides compliance with data subject requests, organizations subject to LGPD must also appoint a Data Protection Officer (DPO). The DPO can be a single physical person, but it doesn’t need to be: it can also be a group of people within an organization, or the role can be outsourced (to a law firm, for example).
The DPO is responsible for maintaining records of processing, implementing measures to protect personal data, conducting data privacy impact reports, alerting the national authority (i.e. the ANPD) in the event of a breach, among other responsibilities outlined in Article 41.
Finally, automating the location of personal data and the handling of data subject requests with cybersecurity software is recommended. Organizations taking this approach, through privacy by design and default, will find themselves with a much easier path to LGPD compliance.
Despite coming into effect in September 2020, penalties for non-compliance won’t take effect until August 1, 2021. This gives all organizations subject to LGPD ample time to prepare and avoid potential sanctions.
The LGPD’s Data Protection Authority, the Autoridade Nacional de Proteção de Dados (ANPD), also hasn’t fully come into form yet. Until that happens, formal punishments and sanctions won’t be imposed on organizations in non-compliance. Once the ANPD starts issuing sanctions, expect to see fines of up to 2% of an organization’s global revenue for the prior year (up to 50 million BRL, or approximately 9.3 million USD).
Individual data subjects are also granted rights to file civil lawsuits against organizations found to be in violation of LGPD, and this can happen in advance of August 1, 2021 (i.e. now).
In order to comply with LGPD requirements, Stealthbits provides a range of capabilities that allow customers to identify, secure, and report on personal data.
StealthAUDIT, a full-fledged Data Access Governance (DAG) solution, includes:
Host Discovery: Identify the different platforms within the network that may contain various unstructured and structured data repositories to ensure a comprehensive view of your organization’s privacy data footprint.
Sensitive Data Discovery: Capabilities that analyze content for patterns or keywords that match built-in or customized criteria related to customer privacy.
Remediation Actions: Automate all or portions of the tasks you need to perform to demonstrate compliance with LGPD and a myriad of other regulatory standards.
With StealthAUDIT, you can automatically discover where unstructured and structured data exists across your network, scan those files for sensitive data, classify and tag each sensitive file, automatically clean up stale files, and much more.
Workflows StealthAUDIT can help with include:
Learn more about how Stealthbits can help protect your organization’s data and Active Directory here.