What is LGPD, the Brazilian General Data Protection Law?

Updated at: Dec 07, 2020
By Gatefy


Today we're going to explain, as succinctly as possible, what LGPD is, its main points, and how it affects your routine or your business if you have any connection with Brazil.

LGPD is the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, Law No. 13,709/2018), a set of rules that determine how personal data must be collected, processed, stored, and shared. In short, the law exists to protect the people the data refer to, focusing on their privacy and demanding more care and protection from companies when they handle third-party information.

LGPD was sanctioned in August 2018 and came into force in September 2020. With the law, Brazil joined the list of countries that have a specific law for the protection and security of personal data.

By the way, many people have been calling LGPD "the Brazilian GDPR".

We explain why: the General Data Protection Regulation (GDPR) is a similar rule set that became applicable in the European Union in May 2018 and focuses on privacy and the conscious use of personal information by companies and other organizations. LGPD borrows much of its structure and vocabulary from it.

LGPD key points

From this brief introduction alone you can see that LGPD changes the routine of anyone who does business in Brazil. To better understand the law, it's important to understand the context of the country and how people use the internet nowadays.

Today, we use our personal data in a lot of things we do on the web. For example, to sign up for a social network, you need to provide your personal details. To buy that cool t-shirt online, you also need to provide your information.

That is, we hand our data to companies every day, and, worse, much of the information requested has no direct connection with the purpose of the business.

What's the result of that?

Data that should be treated as confidential and private ends up sold and used commercially without your permission or knowledge.

You know when you receive a spam email from a store trying to sell you a product and wonder: how did they get my email? Who handed it over?

That is exactly the kind of situation we're talking about.

LGPD wants to shed light on this issue. On the one hand, the law requires companies to be clearer and more honest about how they use their customers' data; on the other hand, it gives consumers more control over how their own information is used.

So LGPD and similar laws arose from the need for transparency, privacy, and security.

How LGPD works in practice

Under LGPD (Article 6), companies must comply with 10 principles that guide all personal data processing, on top of an overarching duty of good faith.

They are purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability.

To summarize, LGPD's 10 principles say that companies must adopt technical and administrative measures to protect personal data, collect only the data that is strictly necessary for the stated purpose, be able to demonstrate that they comply with the law, and, ultimately, be transparent with customers, making their intentions and objectives clear.

According to Article 9, the data subject (the law's "titular", which this article also calls the data owner) "has the right to easy access to the information about the processing of their data, which shall be made available clearly, adequately, and ostensibly".

Article 18 adds that the data subject may exercise their rights before the controller "at any time and upon request", free of charge.

Those rights include confirmation that processing takes place, access to the data, correction of incomplete, inaccurate, or outdated data, anonymization, blocking, or deletion of unnecessary or excessive data, portability to another supplier, deletion of data processed on the basis of consent, information about which entities the data has been shared with, and revocation of consent.

The agency responsible for mediating this relationship and overseeing companies is the ANPD (Autoridade Nacional de Proteção de Dados, the National Data Protection Authority). Its sanctions range from warnings and the blocking or deletion of the data involved to fines of up to 2% of the company's revenue in Brazil in its last fiscal year, capped at BRL 50 million per infraction. Note that the application of these administrative sanctions was postponed to August 2021 by Law No. 14,010/2020, even though the rest of the law is already in force.

Who are the actors or parties involved in LGPD

The first step to meeting the requirements of LGPD is to understand who is involved in the process. The law (Article 5) defines 4 actors.

1. Holder or Data Owner

The natural person to whom the personal data being processed refer.

2. Controller

The natural or legal person, public or private, who makes the decisions about the processing of the personal data, and who is therefore ultimately accountable for it.

3. Operator

The natural or legal person, public or private, who processes personal data on behalf of the controller, and who must follow the controller's instructions.

4. Person in charge or DPO (Data Protection Officer)

The person appointed by the controller and operator to act as a communication channel between the controller, the data subjects, and the ANPD. Article 41 requires the controller to appoint one and to publish the person's identity and contact details, so that data subjects know where to send their requests.

How to comply with LGPD

Once the actors are defined, the company needs to analyze and map how personal data is collected, used, stored, shared, and eventually deleted. It's necessary to understand the full cycle the information follows within the company, including which systems hold it and which third parties receive it, so that adjustments can be made and weaknesses corrected.

Of course, this isn't a simple task, as many areas of the business need to undergo some kind of change. This is why we advise companies that do business in Brazil to seek expert help.

The change to comply with the law may even involve the adoption of new technologies.

Summing it up

Despite the changes it demands, LGPD should be seen more as a matter of social responsibility and commitment. What we mean is that serious companies that value the quality of their services and respect their consumers won't be harmed by it.

They will have to adapt their operations to a law that, above all, calls for a more transparent relationship between companies and customers. This is, in fact, a worldwide movement that is now landing in Brazil.

If you have any questions or want to talk more about it, write to us. Gatefy has 2 email security solutions that help your company comply with laws and regulations by protecting data and personal information.

LGPD in full

If you want to read the full text of LGPD (Law No. 13,709/2018), it is available in Portuguese on the Brazilian federal government's legislation website.