Businesses must prepare for Brazil’s new GDPR-style data protection law
Brazil is following the European Union's (EU) good practices and has adopted a series of regulations on data protection. In the summer of 2018, the country introduced its Lei Geral de Proteção de Dados (LGPD). Inspired by the European General Data Protection Regulation (GDPR), the statute regulating the processing of personal data in Brazil finally came into effect last Friday.
The new law defines what data needs to be protected and what requirements companies must comply with. It has also established a new national data protection authority — the Autoridade Nacional de Proteção de Dados (ANPD) — responsible for supervision, guidance, and enforcement of the law's administrative sanctions.
“People’s right to anonymity and privacy is a very important topic nowadays. The fact that users and their data in Brazil are now protected by law should be applauded and set as an example to other countries,” says Daniel Markuson, a digital privacy expert at NordVPN.
The new law sets out some basic rights Brazilians have over their personal information. Of those, the three most important are the right to access their own data, the right to have their data anonymised or deleted, and the right to know which public and private entities can access their data.
New security requirements for companies
The LGPD applies to any entity that processes the personal data of Brazilians, regardless of where that business or organisation is located. The law states that controllers and processors of users’ information must adopt security measures and administrative techniques to guarantee the protection of that data.
One of the requirements is to appoint a Data Protection Officer (DPO). The DPO serves as the link between an organisation and its data subjects, such as consumers and employees, and is in charge of the organisation's processing of personal data. Within a company, the officer will need to oversee the process of LGPD adaptation, monitor the compliance programme, and ensure that the company's internal processes comply with the new requirements.
Like the GDPR, the LGPD requires organisations to report data breaches to the local data protection authority. However, the LGPD does not indicate a timeframe within which the security incident must be reported. For now, it has been left open to interpretation, with an article stating that this should be done “in a reasonable time period.”
“In case of fraud or theft of users’ personal information, not only can the hackers be punished and held liable, but also the companies and organisations that handle that information if they don’t comply with the security measures defined by the new legislation,” warns Daniel Markuson.
The fines under the LGPD are much less severe than under the GDPR. Article 52 states that the maximum fine for a violation is “2% of a private legal entity’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reais” (roughly €11 million). In comparison, a company that violates the GDPR can be fined up to €20 million (or 4% of annual global turnover).
Brazil has over 140 million internet users, making it the largest internet market in Latin America and the fourth largest in the world. This will inevitably affect many international organisations outside the country, as they will have to comply with the LGPD. “For internet users, this ensures their personal data is now handled in a more transparent way. And as for companies, the new rules provide a competitive advantage and, hopefully, consumers’ confidence,” adds Markuson.
The author is Daniel Markuson, a digital privacy expert at NordVPN