Brazil has a rapidly growing internet user base and ranks second in the world for time spent online daily. It is no surprise, then, that Brazil has its own data privacy regulation. The LGPD (officially the Lei Geral de Proteção de Dados Pessoais in Portuguese) is a culmination of 120 existing federal legislations and the European Union’s GDPR. It is slated for adoption in mid-2020.
Like all of the global privacy laws, it is important not only to understand the regulation, but also to ensure compliance by putting in place the processes and tools you’ll need to service Brazilian businesses, consumers, and users.
The Basics of LGPD
The LGPD applies to any company that resides in Brazil, any company that does business with Brazilian companies, and any company that services Brazilian citizens. The principle behind this regulation is to put user privacy concerns first, so it is not surprising that its focus is consent. Users must give explicit consent for their data to be collected, analyzed, and distributed.
Since the LGPD is based on GDPR, it grants the same user rights, allowing users to request access to their data and to have it altered or deleted. Users can also opt out of direct marketing. Companies are expected to respond to these requests in a timely manner and at no cost to the user making the request.
The roles under the LGPD match those of GDPR:
Data Subject: the user, or any individual, who can be identified.
Controller: the company responsible for making decisions on what data is collected and how it is used. They are ultimately accountable for the privacy and safety of the data.
Processor: a third-party company, or vendor, that processes, transfers, and/or stores the data on behalf of the Controller company (e.g., payment processors, cloud services, customer relationship managers). For a Controller to be GDPR-compliant, all of its Processors must be compliant as well.
The Risks of Non-Compliance
Non-compliance can result in hefty fines. The LGPD makes room for either daily fines or one-time fines totalling up to 50 million Brazilian reais. Meeting the regulation is a legal obligation. Publicity around non-compliance will also result in loss of customer trust and loyalty.
If your company is not already compliant with another regulation, you will need to begin by identifying all of the personal information that you collect, process, and store. This can include a variety of data, from names and birthdates to usage data, location data, and device serial numbers: essentially, any data that either identifies an individual or discloses personal information about them.
To meet regulation standards, a company must do the following:
- Assign a DPO (Data Privacy Officer) accountable to LGPD (necessary for all Controllers)
- Clearly identify to users what data is being collected, how it is being used, and what third party companies may be processing or storing it
- On request, have the ability to provide a user with access to their data
- On request, have the ability to delete all of a user’s data from the system
  - Note: Unlike GDPR, which allows 30 days to respond, under the LGPD this request has an 'immediate' turnaround time
- Have an incident response plan in place
Making it Easier
The biggest steps toward compliance are categorizing personal data and finding ways to handle data access requests from users.
Start by mapping out all of the data you collect and process. Eliminate any data that is not required for use of your service/product (examples: gender or address). The less data you hold, the simpler your handling processes become.
Next, look for automation tools for handling user requests and consent. Handling one request is simple, but your company could be inundated with many requests at the same time. Enzuzo integrates seamlessly into your existing systems, allowing you to manage your users’ data. When a user requests access to their information, Enzuzo will discover, collect, and package it for transfer in a way that does not impact your time and resources. Enzuzo can also help you identify and delete a user’s data from the system.
Get started for free and immediately start managing and organizing data privacy requests.