What Brazil’s LGPD Means for Global Organizations

Brazil’s comprehensive privacy legislation, Lei Geral de Proteção de Dados Pessoais (LGPD), went into effect in 2020 largely under the radar. The law first passed in 2018 and went into effect in August 2020, despite efforts to delay it due to the COVID-19 pandemic. However, enforcement of the law was delayed to August 2021.

Influenced heavily by the EU’s GDPR, LGPD gives Brazilian citizens a variety of rights, including the right to access, correct, and delete the personal data businesses have collected about them. It also requires organizations to obtain consent and have a lawful basis for processing individuals’ personal data.

Complying with the many requirements laid out in LGPD is critical, as violations can carry a fine as high as 2% of an organization’s sales revenue or up to $50 million reais.

What Organizations Are Subject to LGPD?

Similar to other privacy laws around the world, LGPD applies to any organization that might process data on Brazilian citizens, regardless of where that organization is actually located. But unlike many of these other laws, LGPD sets no minimum requirements for the size or scope of organizations subject to compliance.

In fact, the only organizations exempt from following LGPD guidelines are those that collect data exclusively for one of the following purposes: 

• Journalistic
• Artistic
• Academic
• Public safety
• National defense

How Does LGPD Get Enforced?

Following much debate and a delay by Brazilian President Jair Bolsonaro, LGPD will be enforced by a new, dedicated entity linked to the federal government known as the Brazilian National Data Protection Authority (ANPD). Although LGPD went into effect in August 2020, the ANPD’s enforcement capabilities start August 2021.

The ANPD is primarily responsible for enforcing LGPD by investigating potential violations and issuing fines accordingly. These fines can be up to 2% of sales revenue or $50 million reais, and the ANPD can apply these fines to any organization, regardless of size. The combination of such a high penalty and enforcement by a fully dedicated group make it critical for organizations of all sizes to pay close attention to LGPD guidelines.

Finally, Brazilian citizens can also file suit against violating companies by taking civil action. The first of these lawsuits were filed in September 2020, shortly after LGPD went into effect and nearly a year before the ANPD enforcement mechanism kicked in.

What Data Protection Measures Does LGPD Require? 

LGPD requires companies to adopt “security, technical, and administrative measures to protect personal data” from unauthorized access, unlawful communication, and purposeful or accidental destruction, loss, and alteration. This puts the responsibility of protection on organizations. Although this responsibility is open-ended to start, LGPD does give the ANPD authority to establish minimum technical standards for protection.

All organizations subject to LGPD must also appoint a data protection officer (DPO). The DPO should lead these protection initiatives and be responsible for:

• Managing communications with consumers, including fielding requests, responding to complaints, clarifying policies, and adopting measures accordingly.
• Advising the company on LGPD compliance, for example by recommending measures to adopt to ensure protection of personal data based on best practices and legal requirements.
• Communicating with the ANPD about any incidents and fielding communications about new standards and measures to adopt.
• Performing security-related duties to ensure the organization properly protects its data and adheres to any other complementary rules to LGPD, for example by setting internal security standards, establishing incident response mechanisms, and leading ongoing planning and protection activities.

While the DPO can be a single person, organizations can also choose to make their DPO a committee of people or even outsource this position to an external organization, such as a specialized data protection company or law firm.

What Incident Response Measures Does LGPD Require?

If a security incident occurs that might create risk or damage for consumers, organizations must go into response mode. LGPD outlines clear guidelines for what this incident response should entail.

When a privacy incident or data breach occurs, organizations must issue a notification to the ANPD that includes all of the following information:

• Description of the personal data affected
• Information on the affected users
• Details on the technical and security measures used to protect the data (subject to commercial and industrial secrecy)
• Potential risks as a result of the incident
• Any measures that were or will be adopted to reverse or mitigate the effects of the damage
• *Reasons for a delay in reporting, only if the notice was not communicated immediately

Organizations must issue this notification within a “reasonable timeframe,” although the law does not elaborate more on what exactly this means. This situation has created ambiguity, but the hope is that as the ANPD ramps up it will provide more guidance for organizations on how to interpret this portion of the law.

Once the ANPD receives a notification, it will evaluate the severity of the incident based on potential risk to the consumers involved. The ANPD may instruct the organization to issue a public disclosure to the media and/or adopt certain remediation measures based on that risk analysis.

A Note on the Role of Risk

One important element of LGPD is that the law’s subjective standard for breach notifications is based on risk of harm to consumers. What exactly this means is supposed to be further defined by the ANPD, but we have already received some guidance in this area. 

Specifically, LGPD includes a recommendation that organizations create a data protection impact assessment (DPIA) when the processing of data is based on a legitimate interest or involves sensitive data (defined as data relating to origin, religion, health, or political opinions). The ANPD can ask an organization’s DPO to produce a DPIA at any time in these two instances.

The DPIA should describe how the organization processes any personal data that may put individuals’ civil liberties at risk. It should also detail the measures, safeguards, and risk mitigation mechanisms the organization has adopted.

Additional guidance from third parties recommend organizations also create a DPIA if processing activities include:

• Location tracking
• Behavioral profiling
• Automated decision-making, particularly in cases like credit profiling
• Data on minors 

What Types of Privacy Incidents Require Notification Under LGPD?

LGPD requires organizations to notify the ANPD about a variety of privacy incidents. Importantly, this notification requirement is not limited to data breaches. It also applies to any kind of mishandling of data, such as an organization that mistakenly processes data without consent or that loses the only copy of customer data. Some examples of privacy incidents that require notification under LGPD include:

1) Ransomware

A ransomware attack is when a third party uses malware to steal data and hold it captive in exchange for money. Regardless of whether or not the organization pays that ransom, this is still a serious privacy incident as the data was exposed for a period of time.

2) Accidental Loss

Any lost data records (most likely physical data records) create a privacy incident since this data can then be exposed to any number of people and there’s no way to track what that exposure looks like. Along the same lines, any damage to physical data records, such as cases of floods or fires, can also qualify as a privacy incident if that is the only copy of the data.

3) Drive by Download Attack

A drive by download attack is when a malicious program gets installed on a computer without the user’s consent, which can often happen when that program gets hidden within a legitimate website or application that the user visits. When this occurs, the device becomes vulnerable to a cyberattack, such as an attacker hijacking the computer, spying on the user’s activity, or stealing data. This situation creates serious risk that can compromise data privacy.

How Can Organizations Prepare for LGPD?

Since the responsibility to protect consumers’ personal data sits with the organizations that collect and process it, LGPD suggests introducing a governance program. This governance program should include ways to demonstrate the effectiveness of security measures, which is something organizations may need to prove in the case of an incident. 

Typically, this type of program will fall under the responsibilities of the DPO and might cover: 

• Measures to ensure compliance with LGPD guidelines for collecting and using data
• Safeguards to ensure data privacy and protection
• Mechanisms for internal visibility and overall governance
• Policies for responding to incidents

Importantly, organizations should update these practices regularly based on effectiveness and changes to relevant laws and best practices. The best way for organizations to meet this requirement is to account for three critical phases of incident response:

1) Readiness

First, organizations need a firm incident response plan that they can activate at any time. Having a plan ready will help teams respond quickly (ideally to avoid any vagueness about the “reasonable timeframe” measure) and even reduce the costs associated with an incident. Beyond those benefits, LGPD advises each organization’s DPO to establish incident response mechanisms as a best practice.

Developing this readiness plan should include gaining a deep understanding of requirements based on regulations like LGPD and any customer/partner contracts, establishing incident response plans to adhere to those guidelines, and regularly revisiting those plans as guidelines and contracts change.

2) Response

Next, organizations must be ready to go into response mode immediately by activating that readiness plan when an incident actually occurs. Handling these response activities and communicating with the ANPD are critical for any organization’s DPO in these situations.

Specifically, a quick and confident response should involve identifying what happened (including what data was involved, who was affected, when it happened, and what the potential risks are), notifying the ANPD and any other relevant parties, and evaluating potential recovery opportunities to start fixing the situation.

3) Ongoing Management

Finally, organizations need to revisit incident response plans on a regular basis to ensure everything stays up-to-date with changing regulations, contracts, technologies, and potential threats. Once again, these ongoing planning and protection activities are not only a best practice, but also something that’s recommended for DPOs.

The best way for organizations to approach ongoing management is to create a centralized dashboard. This dashboard should align stakeholders around response plans and protocols, create a single source of truth for all monitoring and reporting, and keep updates to regulations and contracts organized and accessible.

How Does Brazil’s LGPD Compare with the EU’s GDPR?

Given that Brazil was influenced by the EU’s GDPR when developing its own privacy regulations, many similarities exist between LGPD and GDPR, which is helpful to companies when it comes to compliance. But the laws do have several notable differences as well, making it important to understand the nuances of each one.

Similarities Between LGPD and GDPR

• Extra-territorial jurisdiction: Both LGPD and GDPR have extra-territorial jurisdiction, meaning they apply to companies that are based outside of Brazil and the EU, respectively. Any company, regardless of its headquarters or area of operation, must comply with these laws if they process any data on Brazilian or EU citizens.
• Lawful basis for processing personal data: Both LGPD and GDPR require organizations to have a lawful basis for processing personal data. Some examples of a lawful basis that both laws outline include consent by the data subject, compliance with regulations, and contract execution. However, LGPD does go further than GDPR, for example by adding protecting a person’s credit as a lawful basis for processing data.
• Consent required for data collection, which can also be revoked at any time: Both LGPD and GDPR require organizations to obtain consent from consumers for collecting and processing their data. This stands in contrast to other privacy laws, like California’s CCPA, which places opting out of data collection as the default rather than opting in. Additionally, both laws allow consumers to revoke their consent at any time.
• Data protection responsibilities sit with the organization: Both LGPD and GDPR put the responsibility of data protection on the organizations collecting and processing that data. In both cases, organizations must proactively protect the data and maintain a high level of awareness around any privacy incidents, as failure to do so can result in serious fines.
• Clear incident response guidelines: Both LGPD and GDPR outline clear incident response guidelines that companies must follow if an issue does occur with the data they collect or process. These guidelines include specific details about what to include in the notification and both also require organizations to make this notification quickly following the discovery of an incident (although the timelines do vary, as GDPR requires a notification within 72 hours and LGPD has a more ambiguous “reasonable timeframe”).

Differences Between LGPD and GDPR

• Distinctions around personal data: Although LGPD and GDPR both cover “personal data,” each law has different distinctions as to what this means. GDPR defines personal data as “any information related to an identified or identifiable natural person” and includes clear examples of what this entails. LGPD does not specifically define personal data, which could lead to a more expansive definition than GDPR has. Additionally, many have already interpreted Brazil’s law to include data that can be aggregated to identify a person, meaning that even if one data point alone is not identifiable, it still qualifies as personal data if it can be used to identify someone in combination with another data point.
• No minimum size or revenue requirements: GDPR ultimately applies to the overwhelming majority of companies that process data on EU citizens, but it does set minimum size requirements that LGPD does not. Specifically, GDPR applies to all companies with an EU presence or any company that processes data on EU citizens if it has more than 250 employees or if it has less than 250 employees but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. LGPD sets no such minimum requirements for company size or revenue.
• Distinctions around the right to be informed: Both LGPD and GDPR give consumers the “right to be informed,” but LGPD offers more distinctions around what this means. LGPD gives consumers the right to ask organizations how their data is used and with whom it’s shared as well as the right to understand what will happen if they refuse consent for data collection and processing. In contrast, GDPR only gives consumers the right to understand how their data is used and with whom it’s shared.

Taking a Proactive Stance for Privacy Incident Response

Brazil’s LGPD is now fully in effect, but we can expect a lot to change as the ANPD gets working and starts enforcing and interpreting the law. As a result, organizations need to take the time to not only understand what the law outlines, but also to stay up to date on how the ANPD translates the law into practice. Doing so will be critical to ensuring compliance with every nuance of the regulation.

The key to staying up to date with all of this information lies in taking a proactive stance. Proactively following this information and updating internal policies accordingly will help organizations stay protected and jump into incident response mode quickly and confidently if needed. 

The value of this proactive preparation can not be overstated, as that’s exactly what will help organizations mitigate the fallout — in terms of reputation, cost, and more — from any incidents and move into recovery mode as quickly as possible.