LGPD Compliance


What is LGPD?

LGPD, the General Data Protection Law of Brazil, changes the way personal data is handled and protected in Brazil. Enacted in September 2020, the LGPD puts Brazil alongside global data protection standards like the GDPR and the CCPA. The LGPD mandates strict measures for the collection, use, processing, and storage of personal data, securing personal and sensitive information.

The key aspects of the LGPD include the definition of personal and sensitive data, the roles of data controllers and processors, and the requirement for explicit consent for data processing.

Who must comply to the LGPD (and who is exempt)?

LGPD compliance is not limited to Brazilian companies but extends to any business, regardless of its geographical location, that processes the personal data of individuals in Brazil. This includes organizations that offer goods or services to Brazilian residents or collect and process data within Brazil's territory.

The law applies to both the public and private sectors, covering a broad spectrum of industries from healthcare to e-commerce. It's crucial for businesses to assess their data handling practices and determine if they fall under the scope of the LGPD. Ignoring these obligations can lead to significant legal and reputational consequences.

The LGPD also contains some exemptions for certain individuals/businesses. It does not apply if you:

  • Are an individual and process personal data for private and non-commercial purposes.
  • Process the data for:
    • Journalistic and artistic expression
    • Academics
    • Public security
    • National defense and security
    • Investigation and prosecution of crimes

Consequences of LGPD non-compliance

Non-compliance with LGPD can result in severe penalties, including financial penalties and reputational damage. Penalties range from warnings and fines—up to 2% of the company's revenue in Brazil, with an upper limit of BRL 50 million—to partial or total suspension of business activities related to data processing.

Beyond monetary penalties, noncompliance can also damage a company’s reputation, leading to loss of customer trust and potential legal actions. The implications extend beyond immediate penalties, as businesses may face long-term setbacks in customer relationships and market positioning.

Compliance requirements

To comply with Brazil's LGPD, organizations must adhere to a set of requirements that govern the treatment of personal data. The key requirements include:

  • Consent management: Obtain clear, explicit consent for data collection and processing, making sure individuals are informed about the use of their data.
  • Data rights: Uphold individuals' rights to access, correct, and delete their data, and to object to its processing.
  • Data protection officer (DPO): Appoint a DPO who will be responsible for overseeing data protection strategies and compliance.
  • Data mapping and record keeping: Maintain detailed records of data processing activities to showcase accountability and transparency.
  • Security measures: Establish strong security measures to protect against data breaches and unauthorized entry.

Understanding and implementing these requirements is essential for achieving compliance to Brazil's data protection law and ensuring the ethical handling of personal data.

Roadmap to achieve compliance

The roadmap to achieve LGDP compliance requires you to follow these steps:

1. Understand LGPD requirements:

  • Familiarize yourself with the LGPD's scope, definitions, and key principles.
  • Understand the roles and responsibilities of data controllers and processors.

2. Data mapping and inventory:

  • Conduct an extensive audit of personal data that's collected, stored, and processed.
  • Map out data flows to understand how data is managed across the organization.

3. Gap analysis:

  • Compare current data practices against LGPD requirements.
  • Identify gaps and areas that require enhancement or changes.

4. Develop a compliance plan:

  • Create a detailed action plan to address the identified gaps.
  • Allocate resources and set timelines for implementing changes.

5. Implement a privacy governance framework:

  • Set up internal policies and procedures for data protection.
  • Designate a DPO as described in the LGPD.

6. Consent management and data subject rights:

  • Ensure mechanisms are in place for obtaining and managing consent.
  • Set up processes to respond to data subjects' rights requests.

7. Security measures:

  • Implement appropriate technical and security measures for the organization.
  • Set up a data breach response and notification plan.

8. Training and awareness:

  • Conduct training programs for employees on LGPD compliance.
  • Promote a culture of data protection awareness within the organization.

9. Monitor and review:

  • Regularly audit compliance with the LGPD.
  • Continuously update policies and practices in line with legal changes and best practices.

10. Documentation and record keeping:

  • Maintain detailed records of data processing activities.
  • Document compliance efforts and decisions for accountability.

Best practices: A definite checklist for LGPD compliance

Here are the best practices that have been outlined in the Brazil privacy law's official webpage.

1. Establish comprehensive rules of good practice:

  • Develop rules focusing on organizational conditions, operating regimes, and data processing procedures.
  • Include measures for handling complaints and requests from data subjects.

2. Consider data specifics in rule formation:

  • Account for the nature, scope, purpose, and risks associated with data processing.
  • Balance the risks and benefits arising from data processing.

3. Implement a privacy governance program:

  • Ensure the program reflects commitment to data protection standards.
  • Apply the program to all personal data, regardless of collection methods.
  • Tailor the program to fit the structure, scale, and sensitivity of the data processed.

4. Adopt risk-based policies and safeguards:

  • Conduct systematic assessments of privacy impacts and risks.
  • Establish transparent and participatory relationships with data subjects.

5. Integrate governance into overall structure:

  • Include privacy governance in the general governance framework.
  • Set up internal and external supervision mechanisms.

6. Prepare incident response and remediation plans:

  • Develop plans for addressing data breaches and privacy incidents.

7. Maintain program updates and effectiveness:

  • Regularly update the program based on ongoing monitoring and assessments.
  • Demonstrate the program’s effectiveness, especially when requested by authorities.

8. Ensure public accessibility and regular updates:

  • Publish and periodically update best practices.
  • Aim for recognition and disclosure by national authorities.

9. Align with technical standards:

  • Follow technical standards to facilitate data control by data subjects, as encouraged by the LGPD.

LGPD: Key rules to consider

Understanding and implementing the key rules are crucial to complying with the LGPD, safeguarding personal data, and upholding the rights of individuals. Here are the key rules of LGPD compliance that you should consider.

LGPD requirements Requirement description
Article 6. VII Implement technical and administrative safeguards to shield personal data against unauthorized access and to prevent unlawful scenarios of destruction, loss, alteration, communication, or dissemination.
Article 7. II Personal data processing must be conducted to fulfill a legal or regulatory duty by the controlling entity.
Article 7. VIII Personal data processing is permissible solely for health protection purposes and must be conducted exclusively by healthcare professionals, health services, or health authorities within their procedures.
Article 11 This article's regulations are applicable to the processing of any personal data that uncovers sensitive information and has the potential to harm the data subject, barring any specific legal provisions to the contrary.
Article 14 The handling of personal data about children and adolescents should be executed with their best interests in mind, in accordance with the stipulations of this article and applicable laws.
Article 16 Personal data shall be disposed of following the conclusion of its processing, within the operational and technical limits of the activities.
Article 18 The holder of personal data has the right to obtain their processed data from the controller at any time and upon request.
Article 46 Agents responsible for processing must implement protective, technical, and administrative strategies to safeguard personal data against unauthorized access and any accidental or illegal incidents of destruction, loss, change, communication, or any form of improper or illicit processing.
Article 49 Systems employed in personal data processing should be designed to comply with security measures, best practice standards, governance norms, and the general principles outlined in this law, as well as other regulatory guidelines.

Comply with the LGPD using EventLog Analyzer

EventLog Analyzer helps you to comply with the LGPD by enhancing data protection through efficient log management. Its features include real-time monitoring for data breaches, ensuring a quick response to any unauthorized access, and strengthening data privacy. The tool's comprehensive auditing capabilities aid in identifying and mitigating risks associated with data processing, a key requirement under the LGPD. Additionally, EventLog Analyzer's integrated compliance management aids in maintaining the necessary documentation and logs, streamlining compliance with the LGPD's stringent data governance and privacy standards.