Introducing LGPD, the Brazilian version of GDPR

The more communication infrastructures and information technology develop, the easier, simple and the more immediate is data transmission. Everyone is sending and receiving all kind of information, and through various means and devices. Everyone is connected.

But it means that data is out there, to be collected, and therefore, in need to be protected from misused and/or unauthorized use. Global Data Protection Regulation (GDPR) and PCI DSS are mechanisms, among other, with the force of law aim to protect information and to deter data breach.

However, and even though we’re a global society, each country has its own domestic legal framework, and it’s necessary to make it compliance with international rules. This is the case of LGPD, the Brazilian version of General Data Protection Regulation (GDPL).

Understanding LGPD: the basics of the Brazilian regulation

Lei Geral de Proteção de Dados (LGPD) was designed to unify the over 40 different statutes that ruled personal data, both online and offline, and that were oftentimes contradictory. LGPD is the Brazilian version of GDPR, and its purpose is to structure a single, solid legal framework that protects equally, within the country and across borders, the personal data of every individual in Brazil.

Why is LGPD so important?

The Lei Geral de Proteção de Dados (LGPD) makes a significant contribution to the right to privacy in three main areas:

  1. Establish one single legal framework for everyone, valid throughout the country;
  2. Regulates personal data processing and applies to any operation carried out, offline and online, regardless the country where both data and processing agents are localized, with the purpose to offer goods or services;
  3. Defines concepts and links them to a range of roles, their rights and responsibilities, tasks and procedures, monitoring and fines.

Topping that is, of course, to what the definition of personal data, sensitive data, and anonymized data apply to:

  • Personal data applies to the information regarding an identified or identifiable natural person
  • Sensitive data applies to personal data concerning racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data, when related to a natural person
  • Anonymizes data applies to data related to a data subject who cannot be identified, considering the use of reasonable and available technical means at the time of the processing

Key topics on a note

  • One single framework for everyone, valid throughout the country
  • The aim is to protect the individual’s right to privacy by regulating and monitoring the market interests
  • A clear concept of  what is personal data
  • The individual’s consent is indispensable for any action involving personal data
  • The law applies to individuals located in Brazil, but its scope is extraterritorial
  • Transparency

How LGPD affects the market and global businesses

As the LGPD’s core object is personal data processing (includes its use and transfer), it targets mainly the controller, its interests and their economic activities – meaning, whatever company collects, holds and manages the database.

All national and international companies that provide for goods and services in Brazil, and that process personal data of Brazilian consumers are in the scope of LGPD and, therefore, must be in compliance with it. Not only them, but also their business partners, such as BoaCompra/PagSeguro, providers for finance technology and local payment experts.

What’s in it for merchants?

Although the Law seem to have a quite heavy hand on the companies’ responsibilities, the fact is that merchants will have access to a set of tools that will enhance their business: global corporate standards, standard contractual clauses, seals and certificates issued by Autoridade Nacional de Proteção de Dados (ANPD), the Brazilian entity responsible for monitoring the compliance with the LGDP.

To achieve that, and to do business in Brazil, companies must apply the following procedures:

  • Due Diligence on personal data
  • Data processing audit
  • Consent management and anonymization
  • Holder order management
  • Impact report
  • Data Security
  • Data processing governance
  • Communication Plan on Security Incident
  • Validation of data processing closure
  • Certification
  • Appoint a Data Protection Officer
  • Conflict Prevention

Impacting global society

With this in mind, expectations are that the Lei Geral de Proteção de Dados (LGDP) is a guarantee not only of individuals’ privacy, but also of an egalitarian economy:

  • economic and technological development
  • balance between free competition and consumer protection
  • increasing consumer’s trust