Brazil, a country of over 200 million people, has one of the highest internet usage penetration rates in the world. Now, along with Open Banking and PIX, a new set of regulations called LGPD is being rolled out in 2020. All industries in Brazil will be affected to some degree. What is LGPD? Here is some context.
The question on everyone’s mind: what is the LGPD?
The Lei Geral de Proteção de Dados (LGPD) joins the GDPR and CCPA as the flagship data privacy regulations in the world. The LGPD imposes new rules regarding the collection, use, processing, and storage of personal data in electronic and physical form and will affect all industries and sectors of the Brazilian economy to some degree. While GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) have received the most attention in the past few years, the LGPD promises to be just as sweeping and influential, and possibly more beneficial to Brazil.
Among the actions curbed by the LGPD are the collection and use of personal data without consent, by both the private sector and public sector, as well as the use of personal information for practicing unfair discrimination. Along with Open Banking and PIX, LGPD should prove to enhance Brazil’s economic competitiveness. As Deloitte puts it,
Both the Brazilian law and the GDPR require a strategic approach to the handling of personal data, which represents, on the other hand, a great opportunity for companies. Organizations can leverage regulations for obtaining a competitive advantage in the use of such data, with correct planning and the application of good privacy practices.
The Autoridade Nacional de Proteção de Dados (ANPD) will be the agency responsible for helping entities implement the provisions of the LGPD.
Is Nethone LGPD compliant?
Nethone’s status under the LGPD as either a controller or processor of user data will be the same as under the GDPR, with which Nethone has a track record of successful compliance. The LGPD terms have been incorporated into our existing data protection terms. Nethone has also designated an LGPD Data Protection Officer.
When does LGPD go into effect?
“The LGPD has been in force since 18/09/2020.” The LGPD already went into effect on September 18, but fines and penalties for non-compliance will not be enforced until May 2021. Fines for non-compliance are potentially substantial, but not as high as GDPR penalties: the maximum administrative sanction under the LGPD is 2% of the company’s Brazilian revenue, capped at R$50 million (EUR 11.2 million) per infraction. Compare this with 4% of global revenue or up to EUR 20 million under the GDPR.
What is “personal data” under the LGPD?
Brazilian law defines personal data as any information related to an identified or identifiable natural person. Anonymized/anonymous data should not be considered personal data, except when the process of anonymization can be reversed by applying modest efforts.
The new law affects companies in all sectors that do business or engage in data processing activity in or with Brazil. Financial, technology, healthcare, insurance, airline, and hotel companies are some of the sectors that will likely have compliance obligations for processing of customer data.
The LGPD applies to any private or public individual or company whose personal data processing activities are carried out in Brazil and whose personal data is collected in Brazil. The LGPD aspires to be “transborder”: it applies to global businesses headquartered anywhere in the world that meet these criteria, not just to businesses owned by citizens of Brazil. The LGPD does not apply to data processing carried out by a natural person exclusively for personal purposes; for journalistic, artistic, literary or academic purposes; or for national security, national defense, public safety, and criminal investigation purposes.
LGPD applies to my company. What should I do next?
Your firm may need to hire or engage a Data Protection Officer. Check with your legal counsel to determine whether one is necessary (it is not required of all companies) and, if so, where you can locate suitable candidates. You can also contact the International Association of Privacy Professionals (IAPP) for references. There are, however, several categories of compliance tasks that you can start even before your Data Protection Officer is in place. Here is a helpful graphic for visualizing the compliance tasks, from O que muda com a nova Lei de Dados Pessoais? (“What changes with the new Personal Data Law?”). Companies are required to complete a diligence process to identify what personal data processing activities, if any, the company is engaged in (including via vendors) that are covered by the LGPD. Yes, it is probably a big job, but the upside is that after such a review you will probably also uncover data leveraging and business intelligence opportunities, and maybe even security risks. Are there gaps where data processing activities do not satisfy the LGPD’s compliance requirements? If so, a remediation process must be created to close every identified gap.
Here is another overview of the LGPD processing principles, which are actually quite similar to those of the GDPR:
- There must be a purpose for processing. This means that any data processing activity must be carried out for legitimate, specific, explicit, and clearly communicated purposes – you must not do any additional processing which is not in line with the communicated original purposes.
- Adequacy. Both the way data is processed and the processed data itself must be justifiably in line with the purposes of processing.
- Purpose limitation. This is similar to the concept of data minimization under the GDPR and simply means you must only process data that is necessary for the fulfillment of your stated purposes of processing.
- Freedom in exercising rights and free access to information. Users must be able to freely exercise their rights under the LGPD and have unencumbered, easy access to any information about the processing of their personal data – free of charge.
- Data integrity/quality. You, the data controller, must ensure the accuracy of the data processed and keep it updated and relevant, in accordance with the purpose for processing it.
- Transparency. Information about your data processing must be clear, accurate and easily available to users. Users must also be able to access information about the third-parties that their data is shared with.
- Security. Both the data controller and any processors (operators) must be sure to have technical and organizational measures in place that protect personal data from unauthorized access, accidental or unlawful destruction, loss, alteration and unauthorized communication or dissemination.
- Prevention. It is the responsibility of both the data controller and the processor to put technical and organizational measures in place to prevent any damage being caused by the processing of personal data.
- Non-discrimination. No data processing should occur for discriminatory purposes.
- Accountability. As the data controller, you must comply with the law and must be able to prove it.
Towards Know Your Users
At Nethone we have successfully analyzed millions of data points for some of the world’s top e-commerce companies while in full compliance with GDPR. Yes, implementing and complying with data privacy protections will require additional effort from many companies in Brazil. But consider this perspective from Nethone CEO Hubert Rachwalski von Rejchwald:
If you need to start with Know Your Customer (KYC), asking your customers for profiling permission brings less friction than forcing them to provide detailed information through, say, a verification form. Secondly, in most cases, effective Know Your User (KYU) can be based on non-PII information (PII = Personally Identifiable Information) or executed using anonymised data. Machine learning models usually do not learn about Mr. Smith or Mrs. Doe. They learn about users with certain features. If they learn that a set of features is likely to imply a certain action, they issue relevant recommendations for the system the KYU solution is integrated with.
The Lei Geral de Proteção de Dados (LGPD) will require an immense, concerted effort to implement, but the results will be worth it: privacy protections for the people of Brazil, which translate into livelihood protection, and a healthier ecosystem for transacting business in the region. We recommend that you consult your legal counsel to begin the diligence process and, if necessary, LGPD implementation as soon as you can.