Brazil passed the General Data Protection Law in 2018, and it came into effect in February 2020. This article examines the GDPR vs. the LGPD, how they differ, and what business owners globally need to do to prepare.
Brazil’s Lei Geral de Proteção de Dados (or LGPD) brings sorely needed clarification to the Brazilian legal framework. The LGPD attempts to unify the over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others. This unification of previously disparate and oftentimes contradictory regulations is only one similarity it shares with the EU’s General Data Protection Regulation, a document from which it clearly takes inspiration.
Another similarity is that the LGPD applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. So, if your company has any customers or clients in Brazil, you should begin preparing for LGPD compliance. Fortunately, you still have time before the law takes effect. And if you are already GDPR compliant, then you have already done the bulk of the work necessary to comply with the LGPD.
In addition to its extraterritorial application, the LGPD and the GDPR agree on several basics when it comes to data protection.
While the LGPD does not have a single definition for personal data, if you read the entirety of the text, you can see echoes of the GDPR’s definition of personal data. The LGPD states in various places that personal data can mean any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment. While this definition will likely be clarified as Brazil nears implementation of the LGPD, as currently stated, the LGPD takes a broad view of what data qualifies as personal data, even more expansive than the GDPR.
Article 18 is another section of the LGPD that will look familiar to businesses that have dealt with GDPR compliance. It explains the nine fundamental rights that data subjects have, which include:
While the GDPR is known for granting its data subjects eight fundamental rights, they are essentially the same rights the LGPD mentions. It seems the LGPD split “The right to information about public and private entities with which the controller has shared data” out of the GDPR’s more general “Right to be informed” to make it more explicit.
Despite their similar goals and the apparent influence the GDPR had on Brazilian lawmakers, there are some key differences to note between the two pieces of legislation.
Both acts require businesses and organizations to hire a Data Protection Officer (DPO). However, while the GDPR outlines when a DPO is required, Article 41 in the LGPD simply says, “The controller shall appoint an officer to be in charge of the processing of data,” which suggests that any organization that processes the data of people in Brazil will need to hire a DPO. This is another area that will likely receive further clarification, but as written, it is one of the few areas where the LGPD is more stringent than the GDPR.
Possibly the most significant difference between the LGPD and the GDPR concerns what qualifies as a legal basis for processing data. The GDPR has six lawful bases for processing, and a data controller must choose one of them as a justification for using a data subject’s information. However, in Article 7, the LGPD lists 10. They are:
Having the protection of credit as a legal basis for the processing of data is indeed a substantial departure from the GDPR.
While both the GDPR and the LGPD require organizations to report data breaches to the local data protection authority, the level of specificity varies widely between the two laws. The GDPR is explicit: an organization must report a data breach within 72 hours of its discovery (although different organizations are already testing that deadline).
The LGPD does not give any firm deadline: Article 48 merely states that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.” Since the national data protection agency has not, as yet, been established, there is no guidance for what constitutes a “reasonable time period.”
A regulation is only as strong as its teeth. That is why the maximum GDPR fines are substantial, requiring organizations that commit grave GDPR violations to pay up to €20 million or 4% of annual global revenue, whichever is higher.
The fines under the LGPD are much less severe. Article 52 states that the maximum fine for a violation is “2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals” (this works out to roughly €11 million). The LGPD fines are in line with GDPR’s fines for less egregious infractions, but €11 million is not going to concern the world’s largest data processors.
This is not an exhaustive overview of the LGPD, but it should reassure business owners that, in most respects, if you have achieved GDPR compliance, you are already well on your way to complying with the LGPD. Data protection laws are beginning to be considered all around the world, from India to the USA. GDPR.eu will be here to help you keep up with the latest developments and attain compliance.