Posted on Dec 12, 2019
The Brazilian Data Protection Act - known as the Lei Geral de Proteção de Dados Pessoais (LGPD) - will come into effect in August 2020. The LGPD is designed to regulate the collection, use, processing and storage of personal data in Brazil.
The new regulation acknowledges the rising global threat of cyber attacks and indicates a new wave of regulations that require certain cybersecurity measures to be put in place so breaches are less likely to occur. The LGPD, along with other foreign data protection rules, such as the EU’s GDPR, signals a shift from regulating breach disclosure to a greater emphasis on regulating the implementation of appropriate security controls and technical safeguards.
LGPD non-compliance can lead to fines up to 2% of a business’s Brazilian revenue (or a maximum of R$50 million per infraction). However, the law (Article 52) allows organizations to mitigate damages by presenting evidence to support their best practices and risk mitigation strategies. It’s important for your organization to review the regulation in full - but here is general guidance and four high-level highlights you should know about to help with your organization’s risk mitigation strategy.
The LGPD is applicable to any processing activity regardless of where the organization collecting the data is located, provided that:
Due to the extraterritorial reach of the LGPD, multinational organizations could be subject to both Brazilian and other foreign data protection rules at the same time. However, the LGPD follows many of the same tenets of similar data privacy laws, like GDPR, which may facilitate compliance across regulations.
Similar to other privacy laws, the LGPD focuses on informed consent from data subjects and transparency when obtaining data. The law outlines nine data subject rights including, but not limited to, consent, deletion, refusal, and revocation of consent. According to Article 38, all companies must prepare an impact report for data subjects and regulators that includes:
A number of technological controls are mentioned in the regulation. For example, Article 46 explicitly states that “processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.”
Article 51 states, “The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.”
In addition to this requirement, companies must ensure that the “measures” are complied with throughout the information lifecycle - from conception to execution.
According to Article 50, companies, “may formulate rules for good practice and governance that set forth conditions of organization, a regime of operation, procedures, including for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing.”
In essence, companies should adapt internal policies to ensure they can process data subject requests in accordance with the law. Additionally, companies should ensure that any third parties comply with these policies and best practices.
There is less than a year until the LGPD will take effect and bring many changes to personal data processing. Addressing every element of this new regulation is a daunting task for many organizations, but there are ways to make it easier. SecurityScorecard’s platform continuously monitors an organization’s data environment as well as its ecosystem, providing businesses insight into the risks that are threatening them. With this insight, organizations are enabled to take the necessary steps towards compliance with the LGPD. SecurityScorecard eliminates compliance reporting headaches and minimizes the risk of compliance findings and penalties.