How to be prepared for Brazil’s new sweeping privacy law
By Luis Fernando Prado Chaves and Fábio Aspis
On May 29, the Brazilian National Congress approved Provisional Measure no. 869/18, which made some important changes to the Brazilian General Data Protection Law (LGPD, its Portuguese acronym), also known as the “Brazilian GDPR.”
The data protection framework, which is highly inspired by the EU General Data Protection Regulation and is also applicable to any company doing business in Brazil, was sanctioned Aug. 14, 2018 and created rules for the processing of personal data carried out by a natural person or legal entity, both online and offline.
It is important to note that the LGPD is quite innovative in the Brazilian scenario, considering that the country had no such comprehensive federal regulation before. Additionally, the LGPD sets out provisions to create a data protection authority, an entirely new body responsible for the administrative enforcement of the LGPD. Originally, this entity was vetoed by former Brazilian President Michel Temer due to constitutional issues. Because of this, in one of his last acts as head of the Brazilian executive branch, the former president proposed the aforementioned provisional measure, which created our DPA as a body directly linked to the Presidency of the Republic (a point of intense criticism from the leading data protection professionals in the country).
After intense debates in the Brazilian National Congress, the provisional measure proposed by Temer was approved — with relevant modifications — by the House of Representatives and the Senate. At the present moment, those changes are pending presidential confirmation, which may occur by the beginning of July. However, for the companies doing business in Brazil, there is no time to wait; the LGPD will come into force Aug. 16, 2020.
With some relevant particularities in comparison to the GDPR, Brazil’s data protection framework is finally in place. The seeds of the privacy tree were planted by the legislators. Now, companies should grow their data protection compliance process in a way that is suitable, balanced and sustainable for their business.
How to comply with the LGPD
The first thing to observe is that Article 52 of the LGPD sets forth sanctions for those who do not comply with the new law. Among the listed penalties, a noncompliant company may face a simple warning, a R$50,000,000.00 (around 13 million U.S. dollars) fine or, in some cases, the partial or total prohibition of its data-processing activities. Therefore, it is highly recommended that companies operating in Brazil or dealing with personal data collected in the country start a compliance project as soon as possible.
The LGPD compliance process is complex but not that challenging for companies that are already GDPR compliant (even in this case, a “tropicalization” of the data protection practices and policies, i.e., their adaptation to the Brazilian requirements, is needed). Nevertheless, an LGPD implementation program usually involves four major phases dealing with different aspects: assessing the company’s activities, building a compliance program with new governance and good practice standards, developing awareness and a data protection culture within the company’s environment (staff training), and day-to-day reviews and maintenance of the compliance plan.
In the assessment phase, the first step is to collect information on the company’s relevant personal data processing activities. From the information collected from the various departments of the company, it should then be possible to assess, for example, whether the data collected is really necessary. Afterward, a comparison between the current data-processing activities and the new standard demanded by the legislation is made, which enables the identification of risks and gaps.
Phase two relates to building (or rebuilding, in the case of GDPR-compliant companies) policies and other kinds of data protection documents. In addition, at this point, the data protection officer position must be structured, outlining the criteria for their appointment and their functions. It is worth mentioning that, according to the final version of the LGPD, every company subject to the new regulation must appoint a DPO.
Phase three is awareness development. All these efforts would be pointless if the company’s employees did not realize the importance of the LGPD and their respective roles in maintaining the company’s compliance with it. Therefore, data protection training programs should be put in place to reinforce the company’s new practices.
Finally, compliance with the LGPD is not a permanent status; it must be maintained on a day-to-day basis. In other words, there is no finish line in an LGPD compliance program, since new projects and business plans must always be evaluated against the new data protection rules and principles.
In conclusion, the LGPD compliance process is an intricate and demanding task. Since its vacatio legis, the period between the promulgation of the law and its entry into force, ends in August 2020, time is running short, and every second is valuable. If you are familiar with the GDPR’s implementation, you know how challenging it can be. If you’re not, you probably have no idea how big this matter is, but it would be best to catch up quickly.
Article published by the IAPP; read it at https://iapp.org/news/a/how-to-be-prepared-for-brazils-new-sweeping-privacy-law/