The Brazilian General Data Protection Law or the LGPD (Lei Geral de Proteção de Dados Pessoais) is a law that was passed by in 2018 and came into force in 2020.
This law serves a legal basis for data usage of individuals in Brazil no matter where the data processor is located. Much like the GDPR, businesses are required to protect the data of individuals irrespective of their location.
The LGPD provides 9 rights for the data subject, provides the definition of sensitive data, and establishes a new data protection authority.
In this article, we will discuss what is the LGPD, what rights data subjects have, and how DataSunrise can help your business to stay in compliance.
The Definition of Sensitive Data
The LGPD defines sensitive data as a special category of personal data that deserve additional protection due to its sensitive nature. Sensitive data is any data connected with:
- Racial or ethnic origin
- Religious beliefs
- Political opinions
- Health or biometric data
- Sexual orientation
- Genetic data
- Criminal record
The processing of sensitive data is generally prohibited under the LGPD. There are exceptions such as data subject’ explicit consent, or when processing is necessary for a specific purpose, such as public health or law enforcement.
The LGPD imposes additional requirements on the processing of sensitive data, such as the requirement to obtain explicit consent from the data subject, to inform the data subject of the specific purpose of the processing, and to use higher standards of data security to ensure the protection of sensitive data.
Data Subject Rights by the LGPD
The LGPD provides the following rights for data subjects:
- The right to access data.
- The right to confirm the existing processing.
- The right to request the correction of inaccurate, incomplete, or out-of-date data.
- The right to block or delete unnecessary or excessive information if data is not processed in compliance with the LGPD.
- The right to transfer data to another data processor or service in a structured, commonly used, and machine-readable format.
- The right to request deletion of personal data.
- The right to know about public and private entities with which data is shared.
- The right to information about the possibility of denying consent and its consequences.
- The right to revoke consent.
However, these rights may have limitations and exceptions, such as when processing is necessary for compliance with legal obligations or the performance of a contract.
Comparison of the LGPD and the GDPR
The LGPD is similar to the GDPR in that both laws apply to businesses and organizations that process personal data regardless of their location, and both provide data subjects with similar rights. However, there are some differences between the two laws, such as the description of sensitive data, data breach notification requirements, and maximum fines.
For example, under the GDPR the maximum fine is 4% of annual global revenue or up to €20 million, whichever is higher. Under the LGPD the fines are 2% of a revenue in Brazil for the prior fiscal year or 50 million reals.
How Can Businesses Be Compliant with the LGPD?
First of all, you need to know who must comply with the LGPD. So, the LGPD applies to any natural person or legal entity that processes personal data in Brazil, regardless of their location. According to that, not only Brazilian companies but also foreign companies that process the personal data of Brazilian individuals must comply with the LGPD.
The LGPD applies to both public and private entities, and both online and offline data processing. Businesses must comply with the LGPD’s requirements, including obtaining consent, implementing technical and organizational measures for personal data protection, and providing customers with their data subject rights.
The LGPD does not apply to:
- If data is processed by a person strictly for individual purposes.
- If data is used only for journalistic, artistic, literary, or academic purposes.
- If data is used for national security, public safety, criminal investigations, or punishment activities.
The Autoridade Nacional de Proteção de Dados (ANPD) is the authority responsible for overseeing compliance with the LGPD, issuing rules and regulations about data protection and privacy, imposing administrative sanctions for LGPD violations, and requesting information about the processing of personal data from data controllers and processors.
To stay in compliance with the LGPD, you need the following:
- Appoint a DPO (Data Protection Officer). This person will be responsible for ensuring compliance with the LGPD and will serve as the intermediary between the business, individuals, and the ANPD.
- Identify the personal data you are working with, how it is processed, and the risks associated with that processing.
- Obtain individuals’ consent before collecting, using, or sharing personal data.
- Implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction.
- Train employees on how they must comply with the LGPD and what they should do to protect personal data.
- Maintain documentation of compliance with the LGPD.
How DataSunrise Can Help?
DataSunrise is a data protection software that helps you to stay in compliance with various data protection acts and laws such as CCPA, HIPAA, and others.
To be compliant with the LGPD together with DataSunrise you can use Database Activity Monitoring. You will always know who has access to data, what this user has done with this data, and when. Monitoring user activity enables you to increase the visibility of user actions. If there will be any alert, DataSunrise can send notifications via email, SNMP, and various instant messengers.
DataSunrise provides Static and Dynamic Data Masking for sensitive data protection. With Dynamic Masking, you can obfuscate sensitive data at the moment of a query and do not consume any additional space for a database copy. With Static Masking, you can send sensitive information in an obfuscated format as a copy of a real database.
Format-Preserving Encryption enables you to save the original format of sensitive data.With Sensitive Data Discovery you always know where sensitive data resides. Our OCR Data Discovery enables you to search sensitive data in images without problems. Fast and accurate search enables you to apply masking, audit, and security rules to data after discovering it.
DataSunrise makes sure that your data is under control and secures it while you comply with different regulations and laws such as the LGPD.