Before looking at how to achieve LGPD compliance, it is important to understand which businesses are obliged to comply with it.
The Brazilian General Data Protection Law, the Lei Geral de Proteção de Dados Pessoais (LGPD), can be considered Brazil's answer to the GDPR, aligning with the European Regulation in many ways while differing in others. It is intended to replace or supplement the country's currently dispersed legal landscape (over 40 federal sector-specific norms) with a single main regulatory framework.
The LGPD aims at creating a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors.
As with the GDPR, the LGPD has a territorial scope that extends beyond Brazil, so you may have to comply even if you or your business are not based there. In practical terms, the LGPD applies as follows.
It applies to data controllers and data processors, together referred to as processing agents, which may be businesses, public bodies, institutions or not-for-profit organisations.
In general terms, you can assume the LGPD applies to you if you process the personal data of individuals located in Brazil, or process the personal data of anyone, regardless of nationality, within Brazilian territory. It also applies, irrespective of where an entity is headquartered or where the data is processed, if the purpose of the entity's processing activity is to offer or provide goods or services to individuals located in Brazil.
Under the LGPD, a processing agent can receive a simple fine of up to 2% of its revenue in Brazil in its last fiscal year, excluding taxes, capped at R$50 million (around US$9 million) per infraction. Note that R$50 million is an upper limit on the fine, not an alternative to the 2% figure.
The authority may instead impose a daily fine, charging a set amount for every day the entity remains in breach of the law, subject to the same overall cap of R$50 million.
There is no 'one size fits all' approach to preparing for the LGPD. Each business needs to know exactly what it must achieve to comply and who within the organisation has taken responsibility for ensuring it happens (the LGPD requires controllers to appoint an encarregado, a data protection officer, as the point of contact for this). You are expected to put in place comprehensive but proportionate governance measures.
That could be the responsibility of an individual in a small business, or even a whole department in a multinational corporation. Either way, budgets, systems and personnel will all need to be considered to make it work.
Under the LGPD, processing agents must implement appropriate technical and organisational measures. These could include organisational provisions (staff training, internal audits of processing activities, and reviews of HR policies), technical updates to systems, mapping of the personal data you hold and where it flows, and ongoing documentation of your processing activities.
Currently, nearly all the information and marketing material available on data privacy emphasises technical expertise and the need for specialists to manage compliance. This can seem daunting to a small or medium-sized business that lacks the means to bring such specialists on board. Ayottaz acts as an unbiased interface between enterprises and service providers. We are in the unique position of being able to assure quality products and services to enterprises without allegiance to any particular product or service. Gaining first-mover advantage and using the platform to build long-lasting relationships with our customers will help us stay ahead of the competition in the future.