As Brazil readies itself for the arrival of its new General Data Protection Act in February 2020, we outline how it differs from GDPR, and what those differences mean for businesses like yours.
It’s a familiar story that’s been told with ever-increasing frequency over the past 18-months: Inspired by the European Union’s success in rolling out the game-changing General Data Protection Regulation (GDPR), one country after another revamps and revises their national privacy laws to better reflect the needs and concerns of today’s data-driven society.
Now, it’s Brazil’s turn, as the country gets set for the imminent arrival of its own General Data Protection Law, known in Portuguese by the acronym LGPD. Yet while other countries have been content to simply adopt the basic principles of GDPR as their own, Brazil has ushered in a few notable changes that business dealing with the personal data of Brazilian data subjects should be aware of.
Today, global data privacy specialists Relentless Privacy and Compliance outline exactly what those changes are, how GDPR and LGPD are different, and what your business may need to do to ensure frictionless compliance with the new Brazilian law.
Before we do that, however, let’s take a look at a few LGPD facts that you’ll find it helpful to know:
Brazil’s General Data Protection Law: What is it, and What do You Need to Know?
Back in August 2018, then-President Michel Temer sanctioned a new data protection law for the country
Like similar laws elsewhere in the world, the new law applies to all businesses and organisations who process or control personal data of people within Brazil, regardless as to where those businesses and organisations are based. So, if you’re a business based within the EU but people in Brazil can access goods or services from you via your website, then you need to be LGPD compliant in order to process the data you need to provide those goods or services.
When does LGPD Come into Force?
If this is the first time you’re hearing about the new law, there’s no need to panic just yet. Despite being sanctioned last summer, the law isn’t due to take effect until February 2020, giving you plenty of time to prepared. That is if you even need to prepare at all. With a number of similarities between GDPR and LGPD, duplicating and expanding on your current data protection efforts may not be necessary. In fact, even what few differences there are may make life a little easier for you if you do carry out processing activities with Brazilian personal data. With that in mind, let’s take a look at how GDPR and LGPD compare, and what this comparison means for your business.
How GDPR and LGPD are Similar
The basic fundamentals of the two are the same.As we’ve already discussed, both are applicable to any business or organisation that processes the data of people within their respective areas (Brazil and the EU), regardless as to where that processing is actually carried out. Likewise, regulations regarding international data transfers are in place in Brazil, and anyone affected by this would do well to follow the best practices and procedures that they use for GDPR.
Other key similarities include:
Data Subject Access Requests
As in the EU, data subjects have the right to request access to their data as well as the right to be forgotten.
Data Protection Officers
Article 37 of GDPR states that your organisation will be required to legally appoint a Data Protection Officer (DPO) if:
- You’re a public authority (except for courts acting in a judicial capacity)
- Your core activities require “large-scale, regular and systematic monitoring of individuals
- Your core activities consist of “large-scale processing of special data categories of data or data relating to criminal convictions and offences.
However, even if you don’t fall into one of the above categories, the Article 29 Data Protection Working Party recommends hiring a DPO anyway as a means of best practice.
Brazil’s stance on the matter is very similar, and your compliance consultant at Relentless can help you determine the best DPO solution for you should you need to appoint one.
Brazil’s position on reporting breaches is similar to GDPR in as much as both state that breaches must be notified, however, this is one area in which the two do differ. We’ll cover those differences below.
How are GDPR and LGPD Different?
One of the major differences between the two with regards to data breaches is that Brazil appears to be much more flexible in terms of how and when breaches must be reported.
Article 33 of GDPR states:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 2Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
Brazil is much less specific. LGPD Article 48 states that breach notifications must occur within a reasonable time, to be defined by the national authority.”This becomes all the more vague when you consider that -at time of writing- Brazil doesn’t actually have a designated national authority enforcing LGPD. Attempts to create one were vetoed by Michel Temeron a technicality, though President Temer did insist that agencies similar to the ones proposed would eventually be created. In the interim, breaches can be notified to Ministério Público do Distrito Federal e Territórios (the Public Prosecutor Office of the Federal District) which has a portal for reporting breaches and may carry out civil investigations on them if necessary.
The most talked about the difference between the two concerns the legal bases for processing data.
Under GDPR, your business has six legal bases which are:
- Explicit consent
- Contract performance
- Public task
- Vital interest
- Legal obligation
- Legitimate interest.
For a definition of these bases, see our guide to baseline GDPR compliance.
Under LGPD, the number of legal bases has been expanded to 10. These include.
- Legal obligation
- Implementation of public policies by the public administration (public task)
- Research by public study entities
- Contractual performance
- Exercise of rights in legal proceedings
- Life protection (vital interests)
- Health protection
- Legitimate interest
- Protection to credit.
Though you’ll note a number of similarities between the two, you’ll also see that bases such as protection of credit are exclusive to Brazil. This is particularly pertinent as the country prepares to reform its existing laws around credit scores.
Penalties for Violations
Much as with the timeframe for reporting breaches, Brazil also appears to be a little more lenient when it comes to issuing penalties for non-compliance. In the EU, fines can total up to 4% of global revenue up to 20 million Euros. In Brazil, fines can total up to 2% of revenue from Brazil, up to 50 Million Brazilian dollars.
Not that your business should ever find yourself in a situation that requires you to pay such a fine.
At Relentless Privacy & Compliance, we help you achieve frictionless compliance with LGPD, GDPR and other international laws thanks to our comprehensive global data privacy service. This includes a detailed global gap analysis, helping you identify areas where you can streamline your data protection efforts, saving you time and money in the process.
Find out more about our LGPD Service