The Brazilian Data Protection Act – known as the Lei Geral de Proteção de Dados Pessoais (LGPD) – will come into effect in August 2020. The LGPD is designed to regulate the collection, use, processing and storage of personal data in Brazil.
The new regulation acknowledges the rising global threat of cyber attacks and indicates a new wave of regulations that require certain cybersecurity measures to be put in place so breaches are less likely to occur. The LGPD, along with other foreign data protection rules, such as the EU’s GDPR, signals a shift from regulating breach disclosure to a greater emphasis on regulating the implementation of appropriate security controls and technical safeguards.
LGPD non-compliance can lead to fines of up to 2% of a business’s Brazilian revenue (or a maximum of R$50 million per infraction). However, the law (Article 52) allows organizations to mitigate damages by presenting evidence to support their best practices and risk mitigation strategies. It’s important for your organization to review the regulation in full – but here is general guidance and four high-level highlights you should know about to help with your organization’s risk mitigation strategy.
Highlights of the LGPD
1. Companies are subject to extraterritorial liability rights
The LGPD is applicable to any processing activity regardless of where the organization collecting the data is located, provided that:
- The processing operation occurs in Brazil;
- The purpose of the processing is related to individuals located in Brazil; or
- The personal data was collected in Brazil.
Due to the extraterritorial reach of the LGPD, multinational organizations could be subject to both Brazilian and other foreign data protection rules at the same time. However, the LGPD follows many of the same tenets of similar data privacy laws, like GDPR, which may facilitate compliance across regulations.
2. Companies must disclose information on how data will be processed
Similar to other privacy laws, the LGPD focuses on informed consent from data subjects and transparency when obtaining data. The law outlines nine data subject rights including, but not limited to, consent, deletion, refusal, and revocation of consent. According to Article 38, all companies must prepare an impact report for data subjects and regulators that includes:
- Data types collected;
- Methodology for collection; and
- Security controls, safeguards, and mechanisms for mitigating risk.
3. Companies are required to use technology controls for risk mitigation
A number of technological controls are mentioned in the regulation. For example, Article 46 explicitly states that “processing agents shall adopt security, technical and administrative measures able to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.”
Article 51 states, “The national authority shall encourage the adoption of technical standards that facilitate data subjects’ control of their personal data.”
In addition to this requirement, companies must ensure that the “measures” are complied with throughout the information lifecycle – from conception to execution.
4. Companies are required to outline policies for good governance
According to Article 50, companies “may formulate rules for good practice and governance that set forth conditions of organization, a regime of operation, procedures, including for complaints and petitions from data subjects, security norms, technical standards, specific obligations for the various parties involved in the processing.”
In essence, companies should adapt internal policies to ensure they can process data subject requests in accordance with the law. Additionally, companies should ensure that any third parties comply with these policies and best practices.
Want to learn more about compliance with the LGPD?
There is less than a year until the LGPD will take effect and bring many changes to personal data processing. Addressing every element of this new regulation is a daunting task for many organizations, but there are ways to make it easier. SecurityScorecard’s platform continuously monitors an organization’s data environment as well as its ecosystem, providing businesses insight into the risks that are threatening them. With this insight, organizations are enabled to take the necessary steps towards compliance with the LGPD. SecurityScorecard eliminates compliance reporting headaches and minimizes the risk of compliance findings and penalties.