Achieve LGPD compliance in Brazil effectively and efficiently
Brazil LGPD (Lei Geral de Proteção de Dados Pessoais)
The Brazilian General Data Protection Act (in Portuguese, LGPD, Lei Geral de Proteção de Dados), commonly known as the Brazil Privacy Law or the LGPD Brazil Data Protection Law, establishes standards for managing data privacy and imposes significant compliance obligations on companies that process the data of, or offer services to, individuals in Brazil.
The Brazil privacy law has been in effect since August 27, 2020. It introduces nine data subject rights, defines personal data, and sets out ten legal bases for lawful processing. Understanding the details of the LGPD is essential for businesses that need to navigate the Brazil privacy law landscape.
Mandatly solution helps you automate and operationalize an effective LGPD compliance program to meet regulatory requirements.
Key LGPD Requirements
- Privacy Risk Assessments
- Data Inventory and Mapping
- Maintain Record of Processing Activities
- Enforce privacy by design
- Respond to Data Subject Access Request
Know the difference between LGPD vs GDPR?
Download this whitepaper to learn more about the key differences between the provisions of Brazil’s Lei Geral de Proteção de Dados (LGPD) and the General Data Protection Regulation (GDPR). Although both laws are comprehensive in their personal, material, and territorial scope, there are a few important differences between them.
How does Mandatly help you achieve LGPD compliance?
Mandatly understands the challenges of operationalizing a privacy compliance program and supports your journey to LGPD compliance with a flexible and configurable LGPD compliance software solution.
Our LGPD software is designed to streamline and operationalize privacy compliance programs, providing a clear and efficient path to regulatory adherence.
Launch your LGPD compliance plan today for a secure tomorrow.
FAQs
The Lei Geral de Proteção de Dados (LGPD) is the Brazilian General Data Protection Law. It is a statutory law that governs data protection and privacy in the Federative Republic of Brazil. The LGPD aims to unify various Brazilian laws related to the processing of personal data and is designed to protect fundamental rights such as freedom, privacy, and the free development of an individual’s personality.
Businesses in all sectors are going to have to adjust and adapt their data collection practices to Brazil’s LGPD.
The LGPD applies to any individual or organization, private or public, regardless of residency, that is collecting or processing personal data in Brazil, or intending to offer or provide goods or services to individuals in Brazil. This means companies of all sizes must comply with the LGPD.
The Lei Geral de Proteção de Dados (LGPD) outlines the following 10 principles for processing personal data:
- Purpose: Data processing must have a clear and legitimate purpose, which must be communicated to the data subject.
- Adequacy: The processing must be relevant to, and limited to what is necessary for, the intended purpose.
- Necessity: The data processing must be essential for the purpose for which the data was collected.
- Free Access: Data subjects have the right to access their personal data easily and without unreasonable barriers.
- Data Quality: Organizations must ensure that the processed data is accurate, clear, relevant, and up to date.
- Transparency: Data controllers must provide clear, understandable information about the processing activities.
- Security: Adequate security measures must be implemented to protect personal data from unauthorized access and breaches.
- Prevention: Proactive measures should be taken to prevent potential harm resulting from data processing.
- Non-Discrimination: Data processing should not lead to discriminatory practices against the data subject.
- Accountability: Data controllers are responsible for demonstrating compliance with the principles and for adopting effective measures to ensure data protection.
- Designate a DPO, especially for larger organizations or those processing sensitive data.
- Identify and document all personal data collected, processed, and stored.
- Maintain detailed records of data processing activities, ensuring accountability and compliance documentation.
- Determine the legal basis for data processing and obtain explicit consent from data subjects when required.
- Update privacy policies and notices to align with LGPD requirements and inform individuals about data processing activities.
- Establish processes to facilitate data subject rights, including access, correction, deletion, and data portability.
- Develop and implement a clear process for reporting and managing data breaches, including notification to the National Data Protection Authority (ANPD) and affected individuals.
- Perform regular risk assessments to identify and mitigate potential privacy risks associated with data processing activities.
Non-compliance with the LGPD can lead to significant consequences, including severe financial penalties and damage to the organization’s reputation. Penalties may range from warnings and fines of up to 2% of the company’s revenue in Brazil, capped at BRL 50 million (approximately €8M or US$9M), to the partial or total suspension of business activities related to data processing.