How can you make your business Lei Geral de Proteção de Dados Pessoais or LGPD compliant?

Understand LGPD

Know if your business needs to be compliant with LGPD

How can Ayottaz help

Understand how Ayottaz simplifies LGPD compliance

Connect with us now for your initial LGPD consultation

Understand if your business is impacted by Lei Geral de Proteção de Dados Pessoais or LGPD

Before understanding how to achieve LGPD compliance, it is important to understand what kind of businesses are obligated to comply with LGPD.

What is LGPD?

The Brazilian General Data Protection Law, the Lei Geral de Proteção de Dados Pessoais (LGPD), can be considered Brazil’s answer to the GDPR, with the Brazilian law aligning with the European Regulation in many ways while differing in others. It is intended to replace or supplement Brazil’s current dispersed legal landscape (of over 40 federal sector-based norms) with one main regulatory framework.

The LGPD aims at creating a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors.


Who does LGPD apply to?

As with the GDPR, the LGPD has a territorial scope that extends outside of Brazil. This means that you may have to comply even if you or your business are not based in Brazil. In practical terms, the LGPD applies to you if:

  • your data processing activities are carried out in Brazil (e.g. you use servers based in Brazil);
  • you offer or supply goods or services to persons located in Brazil, regardless of their nationality; or
  • you process data which refer to individuals located in Brazil (even if the person was only in Brazil at the time of the collection of the data and has since changed locations).

 

In general terms, you can likely assume that the LGPD will apply to you if you either process the personal data of people located in Brazil or process the personal data of anyone, regardless of nationality, within the Brazilian territory.

The LGPD applies to data controllers and data processors, together referred to as processing agents, who may be businesses, public bodies, institutions, or not-for-profit organisations.

Data Controller

A natural or legal person that is in charge of making decisions regarding the processing of personal data, as defined under the LGPD.

Data Processor

A natural person or legal entity, of public or private law, that processes personal data in the name of the controller.

What does LGPD mean for businesses?

In general terms, you can likely assume that the LGPD will apply to you if you either process the personal data of people located in Brazil or process the personal data of anyone, regardless of nationality, within the Brazilian territory. The LGPD also applies, irrespective of the location of an entity’s headquarters, or the location of the data being processed, if the purpose of an entity’s processing activity is to offer or provide goods or services to individuals located in Brazil.

Individual Rights under LGPD

What are the penalties under LGPD?

Under the LGPD, companies can be fined up to 2% of the previous year’s gross revenue or R$50 million (around $9 million USD), whichever is higher. This is known as a simple fine.

However, repeat offenders could face a daily fine instead. These companies are fined a set amount for every day they’re in breach of the Act, up to a total maximum of R$50 million.


2% of an organization’s fiscal-year revenue in Brazil not exceeding R$50 million.

Ayottaz can simplify your LGPD compliance journey

There’s no “one size fits all” approach to preparing for LGPD. Rather, each business needs to know exactly what must be achieved to comply, and which data controller has taken responsibility for ensuring it happens. You are expected to put into place comprehensive but proportionate governance measures.

That could be the responsibility of an individual in a small business, or even a whole department in a multinational corporation. Either way, budgets, systems and personnel will all need to be considered to make it work.

Under LGPD provisions, companies need to implement appropriate technical and organisational measures. This could include data protection provisions (staff training, internal audits of processing activities, and reviews of HR policies), technical updates, mapping of your data, as well as continuing documentation on processing activities.

Easily comply with Data Privacy regulations

Currently, nearly all of the information and marketing material available regarding data privacy emphasizes technical expertise and the need for experts in order to manage compliance. All of this seems extremely daunting to a small to medium-sized business that lacks the resources to bring such experts on board. Ayottaz acts as an unbiased interface between enterprises and service providers. We are in the unique position to assure quality products and services to enterprises without any allegiance to a particular product or service. Getting the first mover’s advantage and using the platform to build long-lasting relationships with our customers will help us stay ahead of the competition in the future.
