In recent years, lawmakers have placed increasing emphasis on protecting personal data. As a result, new legislation has arisen to shield consumer information.
This legislation includes the EU’s General Data Protection Regulation (GDPR). America has contributed California’s Consumer Privacy Act (CCPA). To this, Brazil recently added the Lei Geral de Proteção de Dados (LGPD), or General Data Protection Law.
The GDPR and the CCPA have garnered much of the media’s attention since 2018. Marketers must also be aware of the LGPD and its regulations, however. Like the GDPR and the CCPA, the LGPD puts restrictions on the use, processing, collection, and storage of personal data.
These restrictions apply to data gathered both electronically and in physical form. The statute impacts all sectors and industries of the Brazilian economy.
Keep reading to learn more about what LGPD compliance looks like. That way, you won’t get caught off guard by its requirements.
Before Brazil enacted the LGPD, its data protection regulatory framework looked quite different. Sector-based, it was primarily overseen by the nation’s Consumer Protection Code and its Civil Rights Framework for the Internet (Internet Act), among others.
After passing the LGPD, Brazil created the Brazilian National Data Protection Authority. Designed to enforce the LGPD, the Brazilian National Data Protection Authority has extended the LGPD compliance period through August 2020.
What do you, as a marketer, need to know about the LGPD? How will it impact the way your company does business? Let’s start with an understanding of which individuals and companies the LGPD governs.
Who the LGPD Governs
The LGPD applies to any individual or organization, private or public, involved in the following activities:
- Intending to offer or provide goods or services to individuals in Brazil
- Collecting or processing personal data in Brazil
As you’ll note, the individual or organization does not have to be headquartered in Brazil or even have a Brazilian physical address. So, you could already fall under the influence of the LGPD and not even realize it.
What are the stakes if you don’t comply with these regulations? They can result in fines of up to two percent of your company’s gross revenues from Brazil. This figure is the equivalent of 50 million reais or $13 million per violation.
What the LGPD Regulates
The LGPD restricts the collection and use of personal information. In this case, personal information or data is defined broadly as anything relating to an identified or identifiable natural person, in both digital and non-digital form.
Unlike other privacy laws, however, the LGPD’s definition does not include examples of personal data. It does define “sensitive personal data” as any information relating to:
- Ethnic or racial origin
- Political opinion
- Religious belief
- Philosophical or political organization
- Sexual orientation
- Genetic or biometric data
- Union membership
Like the GDPR, however, there are some notable exceptions to the rule. The processing of anonymous or personal data related to household, journalistic, academic, artistic, or national security purposes is exempt from LGPD governance.
Business-to-business (B2B) information doesn’t fall under the purview of the LGPD, either. Neither does zero-party or declared data derived through direct customer interactions (e.g., surveys, polls, etc.).
Train your employees to understand best practices for staying GDPR, CCPA, and LGPD compliant. After all, 52 percent of American employees report little to no knowledge of laws regulating the proper handling of sensitive information.
Their lack of knowledge could cost your company millions of dollars. Ensure that every employee at your company, whether in the IT, HR, or customer service department, has thorough training.
Entities the LGPD Impacts
Like the GDPR, the LGPD makes distinctions between controllers and processors of personal data. How does this legislation define controllers and processors?
The LGPD defines controllers as those legal or natural entities who decide why and how to collect and process personal data. Processors are those entities who process the data according to instructions laid out by the controllers.
LGPD vs. GDPR
When it comes to new data protection regulations, you need to understand their similarities and differences. By recognizing the outliers in each regulatory body, you’ll be in a better position to comply.
The EU’s GDPR inspired the LGPD. Yet, many notable differences exist between these two statutes.
For one, the LGPD includes extra-legal means of personal data processing. It also encompasses an additional basis related to the protection of credit. There are also significant differences when it comes to the “legitimate interest” basis for processing.
On the one hand, the LGPD’s standard is satisfied when personal data processing promotes and supports the controller’s activities. These activities still get viewed through the filter of the data subject’s protected privacy rights.
On the other hand, the GDPR stipulates that the legitimate interests of the controller cannot override the fundamental freedoms and rights of the data subject. As a result, the LGPD appears more flexible when it comes to processing personal data.
There’s also a distinction regarding reporting time under each of these laws. The GDPR adheres to a strict 72-hour deadline for reporting data breaches. The LGPD, however, requires reporting within a “reasonable time.”
The LGPD and Data Protection Officers (DPOs)
All companies that fall under the governance of the LGPD as controllers must appoint a data protection officer (DPO). This portion of the LGPD, however, still requires greater clarification from the Brazilian National Data Protection Authority.
However, we’ll explore the regulations as they currently stand. Before we take a closer look at the role of the DPO, it’s worth noting another difference between the LGPD and the GDPR.
Unlike the LGPD, the GDPR only requires the appointment of a DPO under specific circumstances.
Appointing a DPO represents, by far, one of the most significant changes that American companies must accommodate to stay LGPD-compliant, particularly if they don’t have a presence in the EU or Brazil.
The GDPR requires the appointment of a representative in the EU. The LGPD, however, is less clear on this point. More clarification on the part of lawmakers regarding the requirements for DPOs would prove helpful.
Data Processing Agreements
Another area of ambiguity remains data processing agreements. Brazilian legislators have yet to explain whether or not the LGPD will require data processing agreements between processors and collectors. (These are required by the GDPR.)
While there’s currently no functional article regarding these agreements, that doesn’t mean you should neglect this step.
Most experts recommend implementing data processing agreements so that all parties involved understand their respective responsibilities. Which responsibilities should such a data processing agreement cover? Everything from the collection to the use of data and its protection.
Why take this extra precaution? It’ll come in handy if there’s ever an incident involving personal data.
Remember that liability is joint and several absent an agreement limiting a processor’s ability. As a result, it’s in your best interest to take this additional step.
When it comes to the LGPD and its impact on American enterprises, remember these four critical points:
- The LGPD applies extraterritorially
- The LGPD only applies to personal data
- The LGPD is technology-blind
- The GDPR, the CCPA, and the LGPD contain many of the same measures for compliance
Let’s take a closer look at each of these four takeaway points. We’ll also delve into why they’re crucial to your company’s ability to adhere to the LGPD.
The Extraterritorial Nature of the LGPD
First, the LGPD, like both the GDPR and the CCPA, applies extraterritorially. In other words, it impacts businesses that don’t have a physical presence in Brazil. To find out whether it applies to you, you need to take a closer look at the data you’ve compiled.
Are you collecting and processing the personal data of Brazilians? Do you plan on marketing to or providing goods and services for individuals in Brazil? If you answered yes to either of these questions, then you’re under the jurisdiction of the LGPD.
Put another way, all of the provisions of the LGPD apply to you.
The LGPD and Personal Data
Second, the GDPR, CCPA, and LGPD all apply only to personal data. So, when it comes to non-personal data, such as that used for business-to-business (B2B) marketing, these privacy laws do not apply.
What if you feel the data you’re using falls into a gray area? Then, you’ll need to conduct a data-mapping analysis. Why? So that you can better understand the different types of data flowing into the business from inception through the terminus of the data’s life cycle.
To create a useful and accurate data map, you’ll need to rely on input from the business’s data-driven departments, such as human resources and marketing.
Once your company has generated such a map, you’ll have a visual way to identify non-compliant areas of data within your company’s current data landscape.
The Technology-Blind Nature of the LGPD
From a marketing standpoint, it can be easy to forget that all of the data protection regulations are technology-blind.
What does this mean? It means they make no distinction between personal data derived from a digital format or hard copy documentation.
What’s more, these statutes will apply for many years to come, no matter the technological changes that occur in the meantime. That goes for everything from blockchain technologies to artificial intelligence.
As you can imagine, the pervasive and long-term implications of these bodies of legislation are already proving a compliance challenge for some organizations.
As you move forward with your data-mapping effort, you must keep this in mind. Otherwise, you might overlook data collection and processing activities that fall under LGPD regulations.
As with all things in life, when it comes to the GDPR, CCPA, and LGPD, old lessons are the best lessons. It’s better to be safe than sorry.
The Commonalities of GDPR, CCPA, and LGPD Compliance
For US companies doing business in Brazil that have already worked diligently to comply with the GDPR’s and the CCPA’s personal data measures, adhering to the requirements of the LGPD will be much easier.
Each of these statutes has at its heart the same primary objectives, to protect the privacy of internet users. As a result, there are many similar mechanisms at work in each one.
For one, the mechanisms through which companies respond to subject access requests (SARs) are more or less the same.
While the LGPD does not specify the need for data processing agreements, they go a long way towards demonstrating compliance. They remain among the best tactics available to protect your business’s interests moving forward.
Prepare for the August Compliance Deadline
When it comes to complying with new data privacy regulations like the GDPR, CCPA, and LGPD, it’s time to get proactive. These regulations have serious teeth, and infractions could have a catastrophic financial impact on your business.
Time is of the essence. Companies have until August 20, 2020, to come into compliance. Anything short of the ratification of a provisional measure won’t stop the ticking clock.
That’s why you must understand how these regulations work and what you need to do to make your collection and processing of personal data comply. It’s also time that you get on board with interactive marketing and declared data.
Onward and Upward with Interactive Marketing
Relying on zero-party or declared data is a proven way to increase the engagement of high-quality prospects.
What’s more, because the information is ascertained directly from the consumer by asking them, it doesn’t fall under the same restrictions as other types of personal data under the LGPD.