On August 15, 2018, Brazil published its most comprehensive and far-reaching data protection law to date, the Brazilian General Data Protection Law, or Lei Geral de Proteção de Dados (LGPD). The LGPD shares many similarities with the EU General Data Protection Regulation (GDPR), and, like the GDPR, it has extraterritorial scope: it applies to organizations, wherever they are established, that collect, use or store personal data in Brazil, that process data collected in Brazil, or that process data about individuals located in Brazil.
The effective date of the LGPD was initially postponed by the president; however, the postponement was ultimately not approved by the Brazilian Senate. As a result, the LGPD is set to take effect on September 16, 2020. This sudden shift means that organizations that had planned to comply with the LGPD in 2021 now need to accelerate their efforts.
What is happening with Brazil LGPD?
We live in demanding and fast-changing times. This applies to the lawmaking process as well, as the recent developments in Brazil show. Due to COVID-19, the implementation date of the LGPD changed several times. Initially it was scheduled for August 2020, then moved to May 2021, then to December 2020, before settling on September 2020. This most recent change happened quickly and unexpectedly, which creates new challenges for every organization that processes personal data in Brazil or targets Brazilian data subjects.
Enforcing the law
A recent governmental decree created the data protection authority, the ANPD (Autoridade Nacional de Proteção de Dados), which will be responsible for imposing administrative sanctions for LGPD violations. While the ANPD's enforcement powers are scheduled to begin on August 1, 2021, it should be noted that private legal action against violators is permitted as soon as the LGPD is in force, so the gap before administrative enforcement is not a grace period.
Understanding personal data under the LGPD
But how does the LGPD define personal data? Personal data and the related data concepts are broadly defined under the LGPD as follows:
- Personal data: any information related to an identified or identifiable natural person
- Sensitive personal data: any personal data concerning:
  - Racial or ethnic origin
  - Religious belief
  - Political opinion
  - Membership of a trade union or of a religious, philosophical or political organization
  - Health or sex life
  - Genetic or biometric data
- Anonymized data: data relating to a data subject who cannot be identified. Anonymized data is not considered personal data, unless the anonymization can be reversed with reasonable efforts or the data is used to build a behavioral profile of a natural person.
Complying with the LGPD
Now you know how the law is enforced and what kinds of data the law covers, but how do you comply with LGPD?
Similar to the GDPR, the Brazilian privacy law imposes a breadth of requirements on organizations seeking to comply with it. Organizations that have already implemented a framework to support GDPR compliance will find that similar steps can be taken for the LGPD, including, but not limited to:
- Understanding what types of personal data are collected and used by the organization
- Recording data processing activities and maintaining a legal basis for the collection and use of personal data
- Fulfilling data subject rights within a reasonable timeframe
- Conducting assessments to understand the risks associated with personal data processing activities
- Implementing safeguards to protect against unauthorized access, use and sharing of personal data
Support LGPD compliance with Collibra Data Privacy
As a Data Intelligence company, Collibra helps global organizations manage the complexities of data and achieve compliance through the changing regulatory landscape. Global organizations doing business in Brazil or processing personal data of Brazilians can rely on Collibra for:
- PI discovery and classification to uncover personal data and sensitive personal data as regulated by the LGPD
- Process registers to document personal data processing activities, capture relevant business and legal context, and identify entities, including third parties, involved in data processing
- Individual rights management to fulfill requests from Brazilian data subjects
- Privacy impact assessments to conduct Data Protection Impact Assessments (DPIAs) and Legitimate Interest Assessments (LIAs)
- Embedded privacy by design principles to control the access, use and sharing of personal data
With Collibra Data Privacy, organizations can quickly adapt their privacy practices to align with the new requirements and timelines imposed by the Brazilian privacy law. By providing a data intelligence foundation, Collibra enables organizations to address global regulations.