by Jason Remillard
Data protection initiatives are growing around the world, and after years of debate the Brazilian Federal Senate is the newest to introduce legislation governing how businesses collect, use, disclose, and process personal data. Brazil’s data protection law Lei Geral de Proteção de Dados (LGPD) will come into effect February 15, 2020, requiring organizations to be in line with strict compliancy laws regarding consumers personal identifiable information.
Once the law is implemented, the Data Protection Authority (DPA) will be responsible for enforcing the LGPD and interpretive guidelines. These guidelines, while very broad for now, will shape how the laws interpreted, implemented and enforced.
So, its best we learn the basics.
Who must comply with LGPD?
Any individual or legal entity with data processing activities that:
- Are carried out in Brazil
- Are for the purpose of offering or supplying goods or services in Brazil or relate to individuals located in Brazil
- Involve personal data collected in Brazil
Who doesn’t have to comply?
LGPD does not apply to data processing carried out:
- By a person for a strictly personal purpose
- Exclusively for journalistic, artistic, literary or academic purposes
- Exclusively for national security, national defense, public safety or criminal investigation/punishment activities
- Some anonymous data may be protected as “personal data” when used for profiling. Generally, anonymous data is exempt from LGPD, however, Article 12 states that it may be deemed “personal data” when it is used to enhance, build upon or create behavioral profiles about individuals.
- There are no incentives for data controllers to pseudonymize data – it is addressed under Article 13, which encourages public health research bodies to anonymize or pseudonymize health data.
What happens when businesses breach LGPD law?
They can face a fine of up to R$50 million (approximately 12 million USD) or 2 percent of total revenue in Brazil, whichever is higher.
LGPD is just the next step in global privacy laws, as Gartner states that by 2022, half of our planet’s population will have their personal information protected under local privacy regulations in line with the GDPR, up from a tenth today. Also, by 2025, at least 25% of the world’s nations will be in “reciprocal adequacy agreement” with the EU or China, up from a few countries today.
What do we do?
How do we comply with these new laws without killing the productivity of our company?
It’s time to use what we learned from GDPR.
When looking back on how we’ve fared when GDPR came into effect, Gartner finds businesses face the following challenges due to growing privacy laws:
- Global businesses are faced with new privacy compliance mandates within each major market.
- New and jurisdiction-specific privacy requirements are often addressed by costly independent projects with different approaches and levels of rigor.
- Ongoing monitoring efforts lack proactive and shared risk management plans, leading to redundant work and higher cost.
GDPR came into force on May 25th, 2018, meaning the 6 month-iversary was just a few weeks ago. You’d expect all businesses to gain compliancy in this time frame, however, a TrustArc study reports that by the end of 2018, only 76% EU, 76% U.K., and 68% U.S. businesses will be fully compliant.
So why the low numbers of expected compliancy? Well, it seems that many businesses have tried to adopt legacy solutions. These have been proven ineffective, as information is too far spread out. A poll done by Citrix found that the average large UK business was reliant on 24 systems to manage and store personal data, with 21% using over 40 systems to do so. This kind of data sprawl can make compliancy extremely difficult, as knowledge about the location of customer information is limited and accessing and distributing this data to customers who request it can be a lengthy and expensive task.
Continuous compliancy is key for a business to thrive in the new consumer privacy landscape – they need a solid foundation to build upon that enforces and facilitates compliancy privacy policies. Businesses need the next-gen solution, an all in one platform that strictly governs the security of the data, who can access it, and how it is distributed.
As we learned with GDPR, LGPD is all or nothing, and it is best organizations adopt proactive practices that cover all LGPD laws, not just a subset. Businesses need user-enabled, governance-enabled, up-to-date security for every data point, every time.