Before the General Data Protection Regulation (GDPR) went into effect in 2018, the main legislation governing data protection in the EU was the largely outdated Data Protection Directive (DPD) of 1995.

The issue with the Directive is that it was no longer relevant to the way that data is stored, collected, and transferred in today’s digital age. In this, the DPD is not alone. Many regulations and statutes across the EU and U.S. have trouble keeping up with the pace of technological advancement.

The GDPR came into force on May 25, 2018, and was designed to modernize the laws that aim to protect the personal data of individuals. GDPR attempts to update how businesses and public sector organizations can use and monetize their customers’ data while also giving individuals more control over how their data is used. 

Any company that stores or processes personal data about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Now Brazil has introduced comparable legislation with similar aims. In this post we’ll take a look at that legislation and what its introduction means for organizations needing to stay compliant. 

LGPD: A Quick Background

The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) was passed by the Brazilian National Congress on August 14, 2018, and will go into effect on August 15, 2020. 

The LGPD creates a legal framework for companies using personal data in Brazil, regardless of where the data processor is located. Much like GDPR, the LGPD legislation has some far-reaching consequences for data processing activities both in and outside of Brazil.

The LGPD Legislation

The Essence

The full translated text of the bill can be read here, but in essence, the LGPD grants users certain rights over their data, defines what constitutes personal data, and creates a legal basis for the lawful processing of personal data.

Furthermore, it establishes Brazil’s new national data protection authority, the ANPD or Autoridade Nacional de Proteção de Dados (National Authority of Data Protection), which is responsible for supervision and for enforcing all of the law’s administrative sanctions. In addition, all organizations will be required to appoint an in-house Data Protection Officer (DPO).

Additionally, the LGPD introduces mandatory data breach notification. This requires every company to immediately notify users whenever their data has been compromised in any way. 

To Whom Does LGPD Apply

Article 3 of the LGPD makes it clear that it applies to the following:

Essentially, this means that it is not only residents and citizens of Brazil whose personal information is protected: anyone whose data is collected or processed in Brazil is also covered by the LGPD.

LGPD compels organizations to document the processing of personal data from the time of initial collection all the way to termination, as well as provide a description of what is collected, the purpose of its collection and processing, retention time and with whom the data is shared. 

Data controllers or processors can be held responsible, either jointly or separately, for data breaches, leaks, or any other form of non-compliance with the LGPD.

To Whom Does LGPD NOT Apply

The LGPD does not apply to the following:


Even though LGPD closely resembles GDPR, there are a few critical differences: 

For instance, even though both pieces of legislation require organizations to hire a Data Protection Officer (DPO), GDPR specifically outlines when a DPO is required. The LGPD, on the other hand, simply states: “The controller shall appoint an officer to be in charge of the processing of data.” The result of this sweeping statement is that all organizations that process data related to people in Brazil need to hire a DPO. This is one of the few instances where the LGPD is more stringent than GDPR.

Another significant difference between LGPD and GDPR is in what each piece of legislation qualifies as a legal basis for processing sensitive data. GDPR outlines six lawful bases for processing personal data and the organization processing the data must choose one as their justification for doing so. The LGPD, on the other hand, lists ten such justifications for companies to choose from.

Another key difference is the data breach notification protocol. While both require that data breaches be reported to the local data protection authority, the timeline for that report varies. GDPR is explicit: organizations must report a data breach within 72 hours of the breach. The LGPD, however, does not give a firm deadline. Instead, it states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.”

Finally, the maximum fine for a GDPR violation can go up to “€20 million or 4% of annual global revenue, whichever is higher”. The maximum fine for an LGPD violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reais (~$12.8 million USD).”

ITsMine: A Necessary Compliance Ingredient

Companies that operate in Brazil in any capacity, even if only some of their users are located there, need to be concerned with maintaining compliance.

Between GDPR, LGPD, CCPA (California Consumer Privacy Act), and all the other data privacy laws out there, staying abreast of them all can be daunting. 

With a full DLP solution like ITsMine, compliance with emerging legislation is guaranteed. Using AI, behavior analysis and deception techniques, Beyond DLP™ from ITsMine secures and protects all data whether it is at rest, in motion or in use. It’s a solution built to protect data from the inside out, capable of differentiating between vectors of attack and handling any attempted breach automatically. 

With a comprehensive and easy-to-use solution like Beyond DLP™, your consumer data is backed up and secure, and your compliance with global legislation is assured.

To learn more about ITsMine, schedule a demo. 
