The Brazilian General Data Protection Law (LGPD) came into effect on August 16, 2020. The law creates new rights for individuals with respect to their data and imposes significant obligations on companies that process personal data. This guide will provide an overview of the key provisions of the LGPD and explain the steps that companies must take to comply with the law.
What is the LGPD?
The Lei Geral de Proteção de Dados Pessoais, or LGPD, is a federal law that regulates the processing of personal data by entities operating in Brazil. The law was passed in 2018 and came into effect on August 16, 2020. The LGPD applies to any company that either processes data in Brazil (e.g. using Brazilian servers) or provides services to Brazilian citizens, regardless of where the company is located.
What are the Key Provisions of the LGPD?
The LGPD creates new rights for individuals with respect to their data and imposes significant obligations on companies that process personal data. Some of the key provisions of the LGPD are as follows:
- Companies must obtain explicit consent from individuals before collecting, using, or disclosing their personal data.
- Companies must provide individuals with clear and concise information about their rights under the LGPD and how their personal data will be used.
- Companies must take appropriate security measures to protect personal data from unauthorized access, use, or disclosure.
- Companies must appoint a Data Protection Officer (DPO) who will be responsible for ensuring compliance with the LGPD.
- Companies that process sensitive personal data must implement additional security measures to protect this type of data.
- Companies that suffer a data breach must notify individuals whose personal data was affected by the breach within 72 hours after becoming aware of the incident.
What Steps Must Companies Take to Comply with the LGPD?
Organizations processing the personal data of Brazilian citizens must take steps to ensure compliance with the LGPD. Some of the steps that companies can take to comply with the law are as follows:
- Appoint a DPO who will be responsible for ensuring compliance with the LGPD;
- Implement appropriate security measures to protect personal data from unauthorized access, use, or disclosure;
- Provide individuals with clear and concise information about their rights under the LGPD and how their personal data will be used; and
- Obtain explicit consent from individuals before collecting, using, or disclosing their personal data.
What is Personal Data?
Personal data is any information that can be used to identify an individual. This includes information such as name, address, date of birth, email address, and phone number. Sensitive personal data is a subset of personal data that includes information such as race, ethnicity, religion, political opinion, health status, and sexual orientation. Within Brazil, identifiers such as CPF numbers and identity card numbers count as personal data that must be secured.
Organizations must obtain explicit consent from individuals before collecting, storing, or processing their personal data. Individuals have the right to withdraw their consent at any time. Organizations must also ensure that personal data is accurate and up-to-date. They must take reasonable steps to delete inaccurate or out-of-date personal data.
Organizations are required to disclose their contact information to individuals whose personal data they have collected. Individuals have the right to request access to their personal data and request that it be corrected or deleted. Organizations must respond to requests within 30 days.
What are the penalties for non-compliance?
Penalties for non-compliance with the LGPD can range from warnings and fines to suspension of operations. The size of the fine will depend on the severity of the violation and whether the business took steps to correct the problem after being notified of the violation.
The LGPD imposes significant fines for violations, including up to 2% of an organization's global revenue or 50 million Brazilian reais (approximately US $10 million), whichever is greater. The law also allows individuals to file lawsuits against organizations for damages resulting from violations of the LGPD.
What is Data Loss Prevention (DLP)?
DLP is a security measure that helps businesses prevent sensitive data from being leaked accidentally or deliberately. DLP can be implemented in a number of ways, but some common methods include data and activity monitoring.
Why is DLP Important for LGPD Compliance?
The LGPD contains a number of provisions that are designed to protect the privacy of Brazilian citizens. One of the most important provisions is the requirement for organizations to implement measures to prevent data leaks. Data leak prevention (DLP) is a set of technologies and processes that are designed to detect and prevent the unauthorized disclosure of confidential information.
DLP is important for LGPD compliance because it helps organizations protect the personal data of Brazilian citizens from unauthorized disclosure. By implementing DLP measures, organizations can ensure that only authorized individuals have access to personal data and that personal data is not accidentally or deliberately leaked outside of the organization. In addition, DLP can help organizations to monitor and prevent unauthorized access to personal data.
How Can DLP Help with LGPD Compliance?
There are a number of ways in which DLP can help with LGPD compliance. First, DLP can help organizations identify where personal data is stored and who has access to it. This information can assist in creating a register of processing activities, as required by the LGPD. Second, DLP can help organizations to implement security controls to protect personal data from unauthorized access and disclosure. Third, DLP can help organizations to monitor and prevent unauthorized access to personal data. Finally, DLP can help organizations to respond quickly and effectively to incidents involving the unauthorized access or disclosure of personal data.
How Can DLP Help Prevent Data Breaches?
In addition to helping businesses comply with the LGPD, DLP can also help prevent data breaches. By encrypting sensitive data and controlling who has access to it, businesses can make it much more difficult for hackers to obtain and misuse customer information. Additionally, by monitoring user activity, businesses can quickly detect and respond to any suspicious activity that could indicate an attempted breach.
How do I implement DLP for LGPD Compliance?
Implementing DLP for LGPD compliance will depend heavily on the type of technology you’re using and your existing processes for where and how customer data is processed. However, a solution like Nightfall DLP can help organizations validate that they’re not inappropriately sharing sensitive data, like customer PII, within the cloud applications that they’re using.
Nightfall accomplishes this by using machine learning detectors to scan cloud applications like Slack, Google Drive, Confluence, and others for sensitive data that could lead to data breaches if exposed. With Nightfall, organizations can find and protect PII like names, addresses, phone numbers, and identity card numbers for Brazilian customers. For more information, schedule a call with us to discuss how you can use Nightfall in your LGPD program, and to see Nightfall in action.
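To make the scanning step concrete, the following is an added example, not Nightfall's code and not part of the original guide, of a minimal DLP detector for the CPF numbers mentioned earlier as Brazilian personal data. It finds CPF-shaped tokens in text, applies the CPF's public mod-11 check-digit rule so that order numbers or placeholder values such as 111.111.111-11 are not reported as PII, and masks validated hits before a message is stored or forwarded. The function names, the regular expression, and the sample chat messages are all constructed for this example.

```python
import re
from typing import Dict, List

# A CPF as it usually appears in text: 3-3-3-2 digit groups with optional separators.
# The pattern is deliberately loose; validation below removes false positives.
CPF_PATTERN = re.compile(r"\b(\d{3})[.\s]?(\d{3})[.\s]?(\d{3})[-.\s]?(\d{2})\b")

# Constructed sample messages, the kind of content a DLP scanner sees in a chat export.
SAMPLE_MESSAGES = [
    "cliente novo: CPF 529.982.247-25, favor cadastrar",
    "ticket 12345678901 is the order id, not a CPF",
    "test account 111.111.111-11 in staging",
    "data subject request from 123.456.789-09 via email",
]


def cpf_check_digits(first_nine: str) -> str:
    """Compute the two CPF check digits for nine base digits.

    First digit: weights 10..2 over the nine digits; second digit: weights 11..2
    over the nine digits plus the first check digit. In both cases the digit is
    0 when (sum mod 11) < 2, otherwise 11 - (sum mod 11).
    """
    digits = [int(c) for c in first_nine]
    for top_weight in (10, 11):
        total = sum(d * w for d, w in zip(digits, range(top_weight, 1, -1)))
        remainder = total % 11
        digits.append(0 if remainder < 2 else 11 - remainder)
    return f"{digits[9]}{digits[10]}"


def is_valid_cpf(candidate: str) -> bool:
    """True only for an 11-digit value whose check digits are correct.

    Sequences of one repeated digit (000.000.000-00 ... 999.999.999-99) satisfy the
    arithmetic but are not issued, so they are rejected to avoid flagging test data.
    """
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    return cpf_check_digits(digits[:9]) == digits[9:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Report every CPF-shaped token with its offset and whether it validates."""
    findings = []
    for match in CPF_PATTERN.finditer(text):
        raw = match.group(0)
        findings.append({"match": raw, "start": match.start(), "valid": is_valid_cpf(raw)})
    return findings


def redact_cpfs(text: str) -> str:
    """Mask validated CPFs, keeping the last two digits so the data subject can
    still recognise a reference to their own record; unvalidated tokens are untouched."""
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        if not is_valid_cpf(raw):
            return raw
        return "***.***.***-" + match.group(4)
    return CPF_PATTERN.sub(_mask, text)


def scan_messages(messages: List[str]) -> Dict[str, int]:
    """Summary counts a DLP policy would act on: tokens seen vs. confirmed PII."""
    findings = [f for m in messages for f in scan_text(m)]
    return {
        "cpf_shaped": len(findings),
        "confirmed": sum(1 for f in findings if f["valid"]),
    }


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        for finding in scan_text(message):
            status = "PII" if finding["valid"] else "ignored"
            print(f"{status:8} {finding['match']}  in: {redact_cpfs(message)}")
    print(scan_messages(SAMPLE_MESSAGES))
```

Two of the four CPF-shaped tokens in the sample are confirmed by the check digits; the order id and the repeated-digit placeholder are left alone. The masked form keeps only the last two digits, which is enough for a support agent to confirm which customer a message is about without re-exposing the full identifier in logs or alerts.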