Checklist for the LGPD compliance
What is LGPD?
LGPD (Law No. 13.709 of 14 August 2018 or Lei Geral de Proteção de Dados) is Brazil’s General Data Protection Law enacted by the National Data Protection Authority (ANPD). The LGPD took effect in September 2020.
The LGPD is also known as “Brazil’s GDPR”. The reason is that it is closely modeled after the European GDPR. Both laws are comprehensive regarding personal, material and territorial scope. In addition, they have lots of similarities. Thus, if you’re already GDPR compliant, you are mostly within the provisions of the LGPD, but not completely!
This is due to some significant differences between the LGPD and the GDPR, some of which we will outline in this article.
If you run a worldwide service or your product is used all around the world, you have to consider whether the LGPD provisions apply to your specific case.
To whom does it apply?
The LGPD applies to
- data processing within the territory of Brazil;
- data processing of individuals who are within the territory of Brazil, regardless of where in the world the data processor is located;
- data processing of data collected in Brazil.
Thus, not only Brazilian citizens are protected by the LGPD, but also any person whose data was collected or processed in the territory of Brazil.
The LGPD applies irrespective of the location of an entity’s headquarters, or the location of the data being processed.
There are some exceptions. If the processing falls under any of the following, the LGPD does not apply:
- a natural person performs the processing of the personal data for exclusively private and non-economic purposes;
- the personal data is processed exclusively for one of the following purposes:
  - journalistic and artistic;
  - academic research;
  - public safety;
  - national defense;
  - state security;
  - investigation and prosecution of criminal offenses;
- the personal data originates from outside Brazil.
LGPD compliance is not a one-step procedure. To become compliant, you have to take into account all the mandatory legislative provisions. To make this demanding process easier to manage, we have prepared a checklist for LGPD compliance.
Checklist for the LGPD compliance:
Under the LGPD, the legal bases for the processing of personal data are:
- obtaining of consent from the data subject;
- fulfillment of legal or regulatory obligation by the controller;
- by the public administration, for the processing and shared use of data necessary for the execution of public policies provided for in laws and regulations or supported by contracts, agreements or similar instruments;
- carrying out studies by a research body, ensuring, whenever possible, anonymization of personal data;
- when necessary for the performance of a contract or preliminary procedures related to the contract to which the data subject is party, at the request of the data subject;
- for the regular exercise of rights in judicial, administrative or arbitral proceedings;
- for the protection of the life or physical safety of the data subject or third party;
- for the protection of health, exclusively, in a procedure performed by health professionals, health services or health authority;
- when necessary to meet the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject that require the protection of personal data prevail;
- for credit protection, including the provisions of the relevant legislation.
So, before processing, you have to be sure that one of the aforementioned legal bases applies to your situation.
The LGPD prescribes quite a wide range of legal bases, but let’s focus on one of the most common: consent provided by the data subject.
First of all, such consent shall be provided by the data holder in writing or by other means demonstrating the data subject’s manifestation of will.
Moreover, consent shall be included in a clause highlighted among other contractual clauses if such consent is given in writing. It is the controller who bears the burden of proving that consent was obtained following the provisions of the LGPD.
Consent for the personal data processing shall be provided for specified purposes. That means that you have to obtain consent for every different processing operation, while generic authorizations for the processing of personal data shall be void.
The LGPD prescribes the data subject’s right to revoke consent at any time. Therefore, you have to establish a free and simple procedure for revoking consent.
According to the LGPD, both controllers and processors must keep records of personal data processing operations, especially when processing is based on legitimate interest. However, the LGPD does not detail the information that processors need to record.
Nevertheless, if you process data protected under the LGPD, you have to comply with the record-keeping obligation, covering at least the following:
- the specific purpose of the processing;
- the type of processing and the duration of such processing;
- the identity and contact details of the data controller;
- information about persons with whom the data may be shared;
- data subject’s rights and how they can be exercised.
Data Protection Impact Assessment (DPIA)
Unlike the GDPR, the LGPD does not explicitly establish when a DPIA is required. However, the supervisory authority can request the controller to perform and provide a DPIA when processing is based on the controller’s legitimate interest, subject to commercial and industrial secrecy. So, ANPD may require the controller to draw up a report on the impact on the protection of personal data, including sensitive data, regarding its data processing operations.
DPIA documentation shall contain at minimum the following:
- a description of the types of data collected;
- the methodology used for the collection and assurance of information security; and
- the controller’s analysis of measures, safeguards and risk mitigation mechanisms adopted.
The LGPD obliges processing agents to adopt security, technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any other improper or unlawful processing. At the same time, ANPD reserves the right to set minimum security standards. Unlike the LGPD, the GDPR provides a precise list of security measures that the controller and processor may implement.
The LGPD encourages extensive adoption of security good practices by controllers and processors and obliges them to create and maintain a privacy governance program. The program, among other things, shall demonstrate the controller’s commitment to adopt internal processes and policies, establish appropriate policies and safeguards based on a systematic privacy risk assessment process, and create an incident response plan.
Moreover, it is better to ensure, whenever possible, the anonymization of sensitive personal data. Anonymization means the use of reasonable and available technical means at the time of the processing, through which data loses the possibility of direct or indirect association with an individual.
Privacy by design vs privacy by default
Privacy by design refers to technical means built into the product from the outset that aim to increase the level of protection of personal data, such as pseudonymization of data or dedicated features in the product’s security system.
At the same time, privacy by default means compliance with the necessary technical and organizational measures, for example, processing by default only the personal data necessary for each specific purpose of processing.
Data Protection Officer
Under the LGPD, the controller shall appoint a data protection officer (DPO) to be in charge of the processing of personal data. At the same time, the LGPD does not set requirements for such a DPO.
The main responsibility of the DPO is to ensure compliance with the LGPD on behalf of the data controller who appointed them.
To do that, the duties of the DPO shall include the following:
- to accept complaints and communications from the holders, provide clarifications and adopt measures;
- to receive communications from the national authority and adopt measures;
- to advise the entity’s employees and contractors regarding the practices to be taken concerning the protection of personal data; and
- to perform the other duties determined by the controller or established in complementary rules.
Interaction with authorities
Among other things, the LGPD prescribes that ANPD may issue standards and techniques to be used in anonymization processes, carry out security checks, and request the controller to provide a DPIA.
Moreover, the controller shall communicate to ANPD security incidents that may lead to significant risk or damage to data subjects within a reasonable time period. The LGPD does not prescribe a more precise time limit, while the GDPR requires notifying the competent national authority without undue delay and not later than 72 hours after having become aware of a data breach.
International transfer under the LGPD means a transfer of personal data to a foreign country or to an international entity of which Brazil is a member. Thus, the controller may transfer data to third countries or international organisations only on specific grounds.
The LGPD treats the international transfer of personal data by assessing whether the foreign country has adequate data protection laws. That adequacy assessment is one of the grounds for transferring data overseas explicitly provided by the LGPD.
Another legal ground allows cross-border data transfer when the controller offers and proves guarantees of compliance with the principles, the rights of the data subject and the data protection regime provided under the LGPD. This may be ensured by one of the following means:
- specific contractual clauses for a given transfer;
- standard contractual clauses;
- global corporate standards;
- regularly issued stamps, certificates and codes of conduct.
Nevertheless, the abovementioned legal grounds are not the only ones justifying an international transfer. The LGPD also provides the following legal grounds:
- when the transfer is necessary for international legal cooperation between public intelligence, investigation and prosecution bodies, in accordance with the instruments of international law;
- when the transfer is necessary to protect the life or physical safety of the holder or third party;
- when the national authority authorizes the transfer;
- when the transfer results in a commitment made in an international cooperation agreement;
- when the transfer is necessary for the execution of public policy or legal attribution of the public service;
- when the holder has given his specific and prominent consent to the transfer, with prior information on the international character of the operation, clearly distinguishing it from other purposes; or
- when the transfer is necessary for compliance with a legal or regulatory obligation by the controller.
It is worth noting that, unlike under the GDPR, the controller’s legitimate interest is not a legitimate basis for international transfers under the LGPD.
To sum up, the LGPD differs from the GDPR. Therefore, GDPR compliance does not exempt companies from conforming to the LGPD.
The LGPD requires a proactive approach from the companies and individuals to whom it applies. In order to meet LGPD requirements, you have to collect and process personal data only with the data subject’s consent or on another legal basis, take all reasonable measures to ensure data security, and comply with all other LGPD provisions.