On April 3, 2020, the Brazilian Senate approved a Bill of Law (“PL 1179/2020”), which includes a number of emergency measures intended to address the COVID-19 pandemic.
Of particular interest to us, one provision delays the effective date of the Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) until January 2021. Fines and sanctions for companies that fail to comply with the LGPD are now scheduled to become effective August 2021.
Why the LGPD delay?
In a nutshell, preparing for it means making changes to data management and infrastructure. That’s a lot to ask in the midst of a global pandemic.
This comprehensive data protection law contains a number of detailed rules regarding the collection, use, processing and storage of personal data, both electronic and physical. The Bill, which is inspired by the EU General Data Protection Regulation (“GDPR”), outlines detailed rules for the collection, use, processing and storage of personal data, both electronic and physical.
In January, however, Brazil’s data protection law goes into effect and requires companies to comply with strict requirements related to the processing of personal data as well as sensitive personal data.
Who is subject to LGPD?
The law applies to any private or public individual or company with personal data collection or processing activities that are carried out in Brazil and those that offer and supply of goods or services in Brazil.
That’s every company in Brazil and most in Latin America! Certainly the ones who want to build trust among their customers.
How can businesses prepare for LGPD compliance?
To avoid a breach, many forward-thinking companies are proactively paving the way for when the bill is enforced. Knowing that noncompliance with the Bill can result in fines of up to two percent of gross sales, limited to 50 million reais (approximately USD 12.9 million) per violation, they’re forging partnerships with companies who specialize in data compliance while implementing the key requirements of the Bill:
- National Data Protection Authority. The Bill calls for the establishment of a national data protection authority which will be responsible for regulating data protection, supervising compliance with the Bill and enforcing sanctions.
- Data Protection Officer. The Bill requires businesses to appoint a data protection officer.
- Legal Basis for Data Processing. Similar to the GDPR, the Bill provides that the processing of personal data may only be carried out where there is a legal basis for the processing, which may include, among other bases, where the processing is (1) done with the consent of the data subject, (2) necessary for compliance with a legal or regulatory obligation, (3) necessary for the fulfillment of an agreement, or (4) necessary to meet the legitimate interest of the data controller or third parties. The legal basis for data processing must be registered and documented. Processing of sensitive data (including, among other data elements, health information, biometric information and genetic data) is subject to additional restrictions.
- Consent Requirements. Where consent of the data subject is relied upon for processing personal data, consent must be provided in advance and must be free, informed and unequivocal, and provided for a specific purpose. Data subjects may revoke consent at any time.
- Data Breach Notification. The Bill requires notification of data breaches to the data protection authority and, in some circumstances, to affected data subjects.
- Privacy by Design and Privacy Impact Assessments. The Bill requires organizations to adopt data protection measures as part of the creation of new products or technologies. The data protection authority will be empowered to require a privacy impact assessment in certain circumstances.
- Data Transfer Restrictions. The Bill places restrictions on cross-border transfers of personal data. Such transfers are allowed (1) to countries deemed by the data protection authority to provide an adequate level of data protection, and (2) where effectuated using standard contractual clauses or other mechanisms approved by the data protection authority.
If the right roles are established and the right data protocols are in place, none of these requirements are daunting. It’s just a matter of knowing the guidelines coming—and getting ready for them in time.
If you do business in Brazil/LATAM and would like more information on partners who specialize in data compliance, data transfer restrictions, privacy, data breach notifications, and consent requirements feel free to send an email to Preston@MetaRouter.io with LGPD info in the subject line.