From GDPR to LGPD: Lei Geral de Proteção de Dados Compliance

Brazil’s General Data Protection Law may take effect as early as August 16, 2020, leaving little time for companies to prepare. While the LGPD is similar to the EU’s GDPR and California’s CCPA, in many respects, there are vital differences brands need to consider to remain compliant for all users. 

If you have achieved GDPR compliance, you are already well on your way to complying with the LGPD. Data protection laws are beginning to be considered all around the world, from India to the USA. GDPR.eu will be here to help you keep up with the latest developments and maintain compliance.

Let’s take a closer look at LGPD, its similarities and distinctions to GDPR, and what brands need to remain compliant.

What Is the LGPD? 

Like the EU’s GDPR, LGPD defines how organizations should manage collecting, handling, storing, and sharing Brazilian citizens’ data.  At a high level, the law regulates the collection and use of personal data without consent by both the private sector and public authorities, as well as the use of personal information for discrimination. It covers all companies that involve data handling in Brazil. 

The fines are similar to the GDPR. LGPD penalties for a violation can be up to 2 percent of an entity’s income in Brazil.  Based on the specific incident, violators are subject to:

• Warnings
• Fines 
• Embargoes
• Suspensions
• Partial or Total Bans

Does Lei Geral de Proteção de Dados Apply to my Business? 

LGPD applies to users located in Brazil. Companies who process the personal data of Brazilian users must follow the tenets outlined in the LGPD.  Organizations and websites, even those operating outside of Brazil, who handle the personal data of individuals who reside in Brazil, must follow them.  

When Does LGPD Take Effect?

There is controversy surrounding when the Brazilian government will implement LGPD. While LGPD passed in 2018, political discussion and global events like COVID-19 have played a hand in delaying the law’s execution. Initially set to begin in February 2020, the law was pushed back and is still not confirmed.  As of right now, Brazil’s government has until August 26th, 2020, to decide whether the LGPD will be implemented on August 16, 2020, or delayed until May 3, 2021. 

How Similar is Lei Geral de Proteção de Dados to the EU’s General Data Protection Regulation? 

The LGPD utilizes the same definition for personal data as the GDPR. This similarity is significant, considering that many brands have taken compliance measures for years, such as adapting the privacy policy for the GDPR. Because the LGPD uses similar definitions and language, updating privacy policy documents shouldn’t require a considerable level of effort. Additionally, much like GDPR, the Lei Geral de Proteção de Dados has measures surrounding security incidents, including data breach and data breach notification requirements.  

On the other hand, there are a few key areas where GDPR and LGPD differ. While both the GDPR and LGPD require an organization to appoint a Data Protection Officer, the language around this requirement is not clear in Brazil’s data protection law.

Clarifications such as this one will be apparent as the implementation of the law draws near. Additionally, the LGPD also extends the rights granted to data subjects (Data Subject Access Rights). GDPR has eight fundamental data subject rights, while LGPD includes additional measures.  

For reference, the data subject rights include:

1. Individuals can access their data.
2. Individuals can confirm the processing of their data.
3. Individuals can rectify incomplete, outdated, or false data.
4. They can delete excessive or necessary information.
5. Individuals can hand over their data to other processors if requested.
6. Individuals can delete their data.
7. Individuals have the right to know when and if their data becomes accessible to a third-party or subprocessor. 
8. Individuals should be made aware about being able to deny consent and any consequences of denying consent.
9. Individuals can cancel or revoke consent.

One of the most significant differences between the LGPD and the GDPR concerns what qualifies as a legal basis for processing data. The GDPR has six lawful bases for processing, and a data controller must choose one of them as a justification for using a data subject’s information. 

However, LGPD lists 10. These fall in line with GDPR, but the most significant departure is the lawful use of personal data to protect a consumer’s credit. The GDPR does not have this clause.   

Addressing Your LGPD Website Compliance Gaps

As we enter August 2020, addressing LGPD compliance gaps is crucial.  Whether the law takes effect in one month, or one year, brands need to prepare for compliance. If your company has customers or clients in Brazil, you should begin preparing for LGPD compliance and addressing gaps. 

There is a good chance you are already GDPR-compliant; therefore, you have already done the bulk of the work necessary to comply with the LGPD. Just follow these steps to get started:

1. Determine if your consumer database or website contains Brazilian user data. 
2. Examine current GDPR or CCPA compliance and determine critical gaps before LGPD takes full effect.
3. Re-examine your privacy policy, cookie consent, do-not-sell links, and other data privacy management tools to ensure they are flexible for LGPD.  
4. Consult your legal team to ensure actions moving forward comply with LGPD.

Get Started

If you haven’t addressed data compliance or privacy laws, now is the time. Review the requirements of prominent policies such as the EU's General Data Protection Regulation or the California Consumer Privacy Act, and work with your legal team to establish appropriate language and procedures that are required. The team at Third and Grove is here to help with resources for compliance, and we can make website modifications for data privacy.  Schedule a consultation to review your options now!