How to Comply with Brazil's Lei Geral de Proteção de Dados (LGPD)

Posted on January 14, 2021
011421-ga-brazil-gdpr-blog-850x330

What is Brazil’s LGPD?

LGPD stands for Lei Geral de Proteção de Dados (General Data Protection Law), which is a law streamlining what was previously 40 separate statutes protecting personal data in Brazil. Academic research and legislation around personal data and privacy has been an active priority in Brazil, culminating in the overarching idea that the protection of personal data is a human right. The LGPD puts that idea into law by providing a comprehensive framework regulating data collection and usage.

The LGPD was established to protect people’s privacy through rigid personal data requirements. It expands on the previous 40 statutes because it stresses personal data protection must occur in all arenas; the previous laws each applied to disparate areas such as the health system, specific industries, or business uses. With the LGPD, nearly all personal data falls under the same umbrella.

Who Does the LGPD Apply To?

The LGPD applies to businesses of any size, unlike the GDPR or CCPA, for example, and organizations are only exempt if they fall into one of several categories, including public safety, national defense, or journalism.

The LGPD applies in two wide-ranging scenarios:

  • If personal data is either processed or collected within Brazil
  • If personal data is processed for the purpose of offering goods or services to people in Brazil

This means that the LGPD applies to any organization, regardless of where it is located, if either of the two scenarios above apply.

LGPD’s Effective Dates

Parliament passed the LGPD into law in August of 2018 and it was scheduled to come into effect February 2020. However, the law went into effect at the end of August 2020 after two alterations.

More about the LGPD

Take a look at our previous article on the LGPD for more information on:

  • Key LGPD concepts and terms
  • When personal data processing is allowed under the LGPD
  • What rights a data subject has
  • What fines and penalties are associated with the LGPD
  • And more!

Read the Deep Dive: What is the LGPD? Meet Brazil’s New Powerful Data Protection Law

How is Brazil’s LGPD Similar to the GDPR?

Often referred to as “Brazil’s version of the GDPR,” the LGPD uses similar definitions for personal data and data subject rights. The LGPD states that personal data is any information that, alone or combined with other data, could identify a specific person. The LGPD also has a broader requirement for obtaining consent to process children’s personal data.

Like the GDPR’s eight rights of data subjects, the LGPD enumerates nine rights that mimic those specified by the GDPR. The additional right provided by the LGPD is the right to request the anonymization of data. The GDPR addresses this as more of a loophole – if a data subject requests that their data be deleted, the organization can anonymize it instead, as anonymized data is not considered personal data by either the GDPR or LGPD.

Similarities

  1. Both laws require that organizations provide proof of user consent for sharing personal information.
  2. Both laws protect persons within the geographic area, even if they’re of a different nationality or their data was collected while they were only temporarily in either the EU or Brazil.
  3. Data transfers to other countries are allowed under both laws as long as the receiving country provides “an adequate level of protection.”

Differences

  1. Personal data is defined precisely by the GDPR, whereas the LGPD’s definition is broad, including any information about a person or that could identify a person.
  2. Data breaches must be disclosed quickly under each law, but the GDPR requires disclosure within 72 hours, and the LGPD merely requires disclosure “in a reasonable time period.”
  3. The GDPR requires companies to have a DPO (data protection officer) on staff if data processing is a key function of the organization. The LGPD on the other hand requires that every organization appoint a DPO.
  4. Fines can be higher under the GDPR, at 4 percent of global annual revenue or 20 million euros, whichever is greater. The LGDP maximum fine is 2 percent of the organization’s annual revenue in Brazil.

Overall, the GDPR and LGPD draw from the same ideals of personal data protection and rights to privacy. Discover more about the similarities and differences from the IAPP’s comparison of the GDPR and LGPD.

Compliance with LGPD

Protecting the personal data your organization processes to become or stay compliant with the LGPD doesn’t have to be difficult. With both organizational policies and the right controls in place, you can fully enforce and ensure compliance for your organization.

The silver lining? If you’re already following a data privacy law for either your region or industry, you’re likely on the right path to LGPD compliance.

Related Reading: How to Help Ensure Compliance with Data Privacy Laws

A secure file transfer software solution can help meet the essentials of data privacy protection laws – safeguards, audit trails, storage, and limited user access – within one centralized tool. Most file transfer software solutions make use of encryption technologies for files being transferred and at rest, file transfer monitoring, detailed audit logs and reporting, granular user permissions, and flexible options for sending files securely.

With secure file transfer solution GoAnywhere MFT, you can secure, automate, and audit your file transfers in ways that align with key LGPD principals.

Related Products
GoAnywhere MFT
Related Solutions
Compliance GDPR
Related Content