Businesses faced so many issues in 2020 that they could be forgiven for not updating their protocols for Lei Geral de Proteção de Dados (“LGPD”), Brazil’s new data privacy regulation, especially given the government’s refusal to delay implementation of the regulation in light of COVID-19 concerns. Indeed, a number of companies are already facing LGPD enforcement and fines, so if your New Year’s resolution is to get a better handle on your LGPD obligations, the five items listed below will put you on the right track.
1) Understand if LGPD applies to you
Like most data privacy regulations (e.g. GDPR and CCPA), LGPD is considered “extra-territorial” in reach, meaning that it can be enforced against companies located in Brazil as well as those without a physical presence in the country. LGPD applies to any data collection or processing activity conducted by a company if the data concerns Brazilian citizens. That means even if you have no office, employees or contractors in Brazil, you are still subject to the regulation if you’re collecting consumer data. LGPD does include some exemptions for the processing of personal data, including processing intended for non-economic, journalistic, artistic, academic, public safety, national defense or state security activities; if you’re a for-profit business, it’s highly unlikely you’ll be exempt.
2) What information does LGPD cover?
LGPD applies to the processing of “personal data”. Personal data is considered to be information that can be used to identify a person (e.g. name, address, phone, email, IP address, among others). “Processing” is defined as “any operation carried out with personal data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of the information, modification, communication, transfer, dissemination or extraction.”
3) Should you purge personal information in your possession?
Do you have consumer data from 10 years ago that you don’t use? Like that turquoise tuxedo that you wore to your high school prom, get rid of it! Reducing the volume of personal information that your business stores, a practice called data minimization, is the least costly thing that a business can do to comply with privacy regulations like LGPD. Data minimization mitigates the exposure in a data breach, reduces the work to establish and maintain a privacy program and minimizes the work of responding to data subject access requests.
4) Have you obtained consent to obtain personal information?
LGPD takes a GDPR-style approach to consent, specifically consent that is a “free, informed and unambiguous manifestation whereby the data subject agrees to his/her processing of personal data for a given purpose.” In non-legal speak, this means that you have to ask a consumer for consent to collect their information prior to doing so, and this includes cookies that run on your website. As with GDPR, a consumer must be provided with the ability to revoke their consent at any time. LGPD also makes clear that consent is only as good as the basis on which it was given. If you try to mislead, trick or otherwise collect data in a way that isn’t transparent, then any consent you receive will be deemed void. If you change the manner in which, or the purpose for which, you process data in a way that is incompatible with the consent you previously received, you’re required to tell your data subjects about these changes and provide them the opportunity to revoke their consent.
5) What happens if I don’t comply?
LGPD has a number of enforcement mechanisms, chief among them the ability to fine companies up to R$50,000,000 (approximately $9.4 million U.S.). Like other data privacy regulations, penalties will be based on the size and scope of the violation.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt-out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.