As technology evolves, every company strives to keep up with each new data protection requirement, especially in its home country. But what happens when you have clients in Brazil, or want to take your company international? Is Brazil's new LGPD simply another version of the GDPR, or is it something more?
Introducing the LGPD
Only in force since September 2020, Brazil's LGPD is already making waves. In Portuguese, LGPD stands for "Lei Geral de Proteção de Dados", which translates to "General Data Protection Law". In other words, it's more or less Brazil's version of the EU's GDPR, something we're all a bit familiar with. The two regulations share a number of similarities, with a few key differences as well.
For instance, although the LGPD's definition of personal data is a bit broader than that of its European counterpart, it heavily echoes the GDPR. Note that the LGPD speaks of "personal data" rather than PII (Personally Identifiable Information): it defines personal data as information regarding an identified or identifiable natural person, i.e. anything that, by itself or combined with other data, could identify someone, and it explicitly counts data used to build the behavioural profile of an identified person as personal data too.
That definition won't feel new to anyone used to complying with the GDPR, and the same goes for the LGPD's chapter on data subject rights. This part of the law closely mirrors the GDPR, including the right to access data, the right to revoke consent and, among others, the right to confirmation that processing is taking place.
There are, however, several key areas where the GDPR and Brazil's new LGPD differ. The main cause is the LGPD's tendency to use more general terms. One example concerns Data Protection Officers (DPOs). Both regulations require most businesses to appoint a DPO, but only the GDPR (Article 37) spells out the conditions under which one is mandatory. The LGPD, by contrast, simply says "The controller shall appoint an officer to be in charge of the processing of personal data" (Article 41), without specifying when this applies, and leaves it to the national authority (ANPD) to define exemptions based on the nature and size of the organisation or the volume of processing.
A second difference is Brazil's ten lawful bases for processing (Article 7), compared with the EU's six (GDPR Article 6). Both cover similar ground, including the requirement that consent be freely given and specific. One notable addition in the LGPD is "protection of credit", i.e. credit scoring, as a legal basis in its own right. This is definitely a point companies need to keep in mind when working with Brazil-based clients.
The Advantages of the LGPD
After this light introduction, international business owners might feel that as long as they're compliant with the GDPR, they've pretty much got their bases covered when it comes to the LGPD. In reality, we have yet to discuss the areas where the LGPD is noticeably more lenient.
The first concerns breach notification. The GDPR requires a controller to notify the supervisory authority within 72 hours of becoming aware of a personal data breach. The LGPD, again, uses more general wording: Article 48 requires the controller to notify the national authority and the affected data subjects "within a reasonable time period, as defined by the national authority". Because this is less prescriptive than the EU's fixed deadline, a company has more room to investigate the incident, establish what actually happened, and potentially limit the damage before reporting. The caveat is that the deadline is delegated to the ANPD rather than left open, so the broader window should not be mistaken for permission to delay; incident response plans should still aim for prompt notification.
The most significant difference, however, is in the fines. Many of us are familiar with the GDPR's top-tier penalty for severe violations: up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
Brazil's ceiling is far lower: a fine of up to 2% of the company's revenue in Brazil for its last fiscal year (excluding taxes), capped at R$50 million per infraction (about €11 million, though the euro equivalent moves with the exchange rate). For large, international data processors, the exposure to monetary penalties is therefore much smaller in Brazil. Bear in mind, though, that the LGPD also provides for daily fines and non-monetary sanctions such as publicising the infraction, blocking or deleting the data concerned, and suspending the processing activity, which can hurt more than the fine itself.
Auditing with PII Tools
Even if the fines are smaller in Brazil, no company wants to be responsible for a breach of its customers' data. Whatever the size of the fine, breach incidents cause mistrust among any business's customers.
That's where PII Tools comes in. PII Tools is a thorough auditing solution used by professional auditors to discover sensitive data in your files that you might not be aware of. By performing PII discovery everywhere from mailboxes to cloud storage, PII Tools helps you comply with both the GDPR and the LGPD, avoid regulatory penalties, and improve the internal processes that protect personal data and reduce risk.
Even though the LGPD has only been in force for about six months, you are already required to comply with it for any data you hold on Brazilian clients. We've covered many of the GDPR's and LGPD's similarities today. Still, to make sure you're in line with all the fine print, PII Tools helps your DPO discover any personal or sensitive data that lives outside its designated location.
LGPD Compliance Today
For many, Brazil may seem a world away, but its data protection rules reach any online company hoping to do business with its people. The LGPD is also expected to change: more specific phrasing and fewer general terms can be expected as the national authority fills in the details the law leaves open. For any international business, a PII auditing tool capable of discovering the personal data in scope for the LGPD is simply a must-have.
Doing Business in Brazil? Try Our Free Demo and Remain LGPD-compliant Today!