Passed by the National Congress of Brazil on Aug 14, 2018, the Brazilian General Data Protection Law, or LGPD (“Lei Geral de Proteção de Dados”), is set to take effect in August 2020. The LGPD grants data subjects a bevy of privileges, including access to their data, deletion of this data, data anonymization, and the disclosure of any third parties who may have their personally identifiable information (PII). For small and medium-sized businesses, the potential LGPD fines can be devastating; in fact, violations can be as high as 2% of annual revenue — up to 50 million Brazilian reais (roughly USD $30 million) per infraction. If your organization is currently working to address this new legislation, the following points can help you in your endeavor.
Assess whether your organization needs to be compliant
Before you assign a data protection officer (DPO), be sure to receive advice from lawyers to better understand the law. Determine whether your company is a controller, a processor, or both, as this will dictate what your liability looks like. If you do not collect, store, or sell data subjects’ PII, odds are you don’t even need to worry about the LGPD.
Also, certain data collection is exempt. For example, the LGPD generally does not apply to anonymized data: as long as the anonymization is not reversible and the data is not used for behavioral profiling, that data falls outside the LGPD’s purview. Additionally, data used for academic or artistic purposes, data used for criminal investigations or public safety issues, and data not being used for business purposes all fall outside the scope of the LGPD.
Also, per the LGPD, there are different deadlines and procedures for start-up companies and small businesses. The Autoridade Nacional de Proteção de Dados (ANPD), the government entity responsible for enforcing data protection laws, is ultimately responsible for determining which companies are required to adhere to the LGPD and appoint a DPO.
Much like the GDPR, the LGPD requires any company that processes personal data of Brazilian customers to comply with the law. So, even if your headquarters are in another country, you very well may have to adhere to LGPD regulations.
If you do have to comply with LGPD, locate where the data is stored
Whether your personal data is stored in databases, file servers, Word documents, or Excel sheets, it’s important to separate this data from non-confidential information. By isolating personal data, you can set up special security configurations and provide an extra layer of security.
Also, by isolating this sensitive data, you’ll focus more on the data flow, making it easier to answer the following questions: “What data is being collected?”, “Where is it coming from?”, “How long is it being stored?”, and “What processes are being performed upon it?” Be sure to back up this data as well, so you can access it quickly in the event of an incident.
One person in every department should be responsible for their department’s sensitive PII
If your company is indeed a data controller or processor, you should appoint a DPO (“encarregado”) to conduct a data protection impact assessment (DPIA). Be on the lookout for large-scale data processing, as well as data on vulnerable subjects, and any data that is of a personal nature. You should consider assigning one employee in every department to work closely with the DPO as the DPO performs a DPIA, as this can prevent a great many headaches down the road.
Also, according to the LGPD, the DPO can be located outside of Brazil. In fact, the DPO doesn’t even have to be an individual person per se; it could technically be a third-party group or committee. However, SMBs shouldn’t have to break the bank as they work to comply with the LGPD. In all likelihood, you won’t need to hire a third-party consultancy to fulfill your DPO responsibilities.
Issues unique to the LGPD
As a final caveat, there are still a few outstanding issues regarding the LGPD rollout. Although it was originally supposed to take effect in February 2020, the LGPD has been pushed back until August 2020. We may see another delay in the coming months. Additionally, as of December 2019, the government entity responsible for enforcing the LGPD has not been formally created. And lastly, as the law stands now, it requires DPOs to provide evidence of a data breach “within a reasonable time frame,” which is a rather vague clause.
Disclosure: This article was originally published in IT Forum 365.