Got clients in Brazil, or looking to take your company international? Then the LGPD applies to you, and it’s more than just another version of the GDPR. Let’s get into it.
Intro to LGPD
Brazil’s LGPD has been in effect since August 2020. In Portuguese, LGPD stands for “Lei Geral de Proteção de Dados”, which translates to the “Brazilian General Data Protection Law”. Although it does share many similarities with the GDPR, it also comes with a few key differences.
Also, be sure to check out our article What Does LGPD Stand For? to learn more about its general purposes.

LGPD & GDPR: Similarities
For starters, the LGPD’s definition of personal data is a bit broader than that of its European counterpart, although it does heavily echo the GDPR. The LGPD states in various places that PII (Personally Identifiable Information) includes anything that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment.
Now, that definition won’t feel all that new to anyone used to complying with the GDPR, and the same goes for the LGPD’s section regarding data subject rights. This portion of the regulation closely mirrors the GDPR, including the right to access data, the right to revoke consent, and the right to confirmation of the existence of the processing, among others.
LGPD & GDPR: Differences
There are, however, several key areas where the GDPR and Brazil’s new LGPD differ. The main cause of differences is the LGPD’s tendency to work with more generalized terms. One example has to do with Data Protection Officers (DPOs). Both regulations require most businesses to hire a DPO; however, only the GDPR clearly states when a DPO is required. By way of contrast, the LGPD loosely says, “The controller shall appoint an officer to be in charge of the processing of data,” with no specific time frame given.
A second variation can be seen in Brazil’s 10 legal bases for processing, compared to the EU’s six. They both cover similar themes with conditions stating consent must be given freely and must be specific. However, one significant addition with the LGPD is its inclusion of protecting one’s credit, i.e., credit score, as a legal basis. (More on the 10 Legal Bases.)
Penalties & Data Breaches
The way it handles data leaks and fines is where the LGPD really sets itself apart from its European counterpart. In the past, the LGPD could even be viewed as being too soft on corporations breaking the rules, only ever having issued a few, largely symbolic fines.
However, the LGPD of today is backed by the ANPD. The Autoridade Nacional de Proteção de Dados is the regulatory authority responsible for overseeing LGPD compliance. And it approaches its work quite differently than the EU, mostly by opting to focus on sanctioning public entities for non-compliance instead of seeking monetary reparations.
As for data breaches, the LGPD is more lenient with its reporting policy. The LGPD states that businesses are required by law to report data breach incidents “within a reasonable time period”, compared to the GDPR’s strict 72-hour window.
This broader perspective certainly helps companies mitigate the damages caused by data breaches, assuming they use the time effectively to make further inquiries into the leak, perform deeper data discovery, and hopefully resolve the issue under less pressure. However, the opposing argument would be that the EU’s stringent 72-hour window is safer for those whose data was leaked.
LGPD Compliance Today
For many, Brazil may seem a world away, but its data security regulations are far-reaching for any online company hoping to do business with its people. There may come a day when its more generalized terms are replaced with specific phrasing and deadlines, as with the GDPR. And that rings especially true for anyone looking to avoid being sanctioned by the ANPD.
No matter what the future may hold for the LGPD, PII Tools users can rest easy knowing they’re already scanning and storing user data securely, accurately, and with regulatory compliance in mind. Do what’s best for your international or Brazil-based business by implementing PII Tools data discovery software and always stay on top of LGPD compliance!
Storing data on Brazilian data subjects? Scan and secure it safely with PII Tools!