What do I need to know about the LGPD Brazil general data protection law?

What is Brazil LGPD?

Modeled closely after the EU’s GDPR, Brazil is the latest country to pass personal privacy legislation called the Lei Geral de Proteção de Dados (LGPD) or the General Data Protection Law in 2018.

The LGPD establishes guidelines on how companies can collect, store, handle, and share the personal data of Brazilians. Businesses and organizations in Brazil and internationally need to have the informed consent of their patrons regarding how their data will be used. LGPD also protects against the use of personal information in unlawful and unfair discrimination.

When does the Brazil LGPD law go into effect?

Brazil’s privacy law will become effective on January 1, 2021.

LGPD compliance violation sanctions have been postponed until August 1, 2021.

How does Brazil LGPD work?

Companies and organizations are required to have a Data Protection Officer (DPO), which can be an existing employee in your organization. The DPO ensures compliance, fields data requests, questions, and concerns from consumers, and works with the Brazilian Autoridade Nacional de Proteção de Dados (ANPD) or National Data Protection Authority on any breaches. Your DPO can be an existing employee (usually in Legal or IT), or you can hire a third party to monitor your compliance for you. For more details, check out the Brazil LGPD law guide.

LGPD vs EU GDPR

How is Brazil’s LGPD different than the EU’s GDPR?

• Who do these laws apply to? GDPR is applied to natural persons regardless of their residence or nationality; LGPD does not specify.
• Data Protection Officers: LGPD’s broad guideline states any organization that processes the data of Brazilian residents will need a DPO. Conversely, GDPR has specific requirements for when a DPO is needed.
• Is there a legal basis for data processing? In both laws, a data controller must have a legal justification for processing a data subject’s information. While GDPR has six criteria, LGPD has ten.

Zonos recommends…

• Do not wait until the last minute to get compliant with the LGPD. It could be a costly mistake. Learn more about becoming compliant with LGPD.
• Appoint a Data Protection Officer to monitor data processing and security, and clearly publish their name and contact information on your website.
• Always ask for consent. Be clear and transparent with how and why customer data is being processed, and make it easy to opt-in or out.
• Only store data as long as is needed to process a transaction, and no longer.
• Be sure to document your entire processing pipeline: how are you collecting, storing, using, and sharing personal data? You could be called upon to present that documentation, so better to have it prepared.
• Schedule regular audits. Data leaks are enormously costly in resources and reputation.

Read Zonos’ more in-depth look at compliance and specifics around the Brazil LGPD law.