NEW RULES FOR DATA PROTECTION

Provisional Measure 869 of 27 December 2018 creates the National Data Protection Authority (ANPD)

The General Law of Data Protection (LGPD) comes into force on August 14, 2020, affecting companies in Brazil and abroad.

  • What is the LGPD?

The LGPD (Law No. 13,709, of August 14, 2018) aims to ensure the protection of citizens' personal data, that is, to give each individual greater control over the data that companies and the State have on them.

  • Who is subject to the LGPD?

All companies will be subject to the new data protection regime, regardless of whether they operate in the digital environment or in a more traditional way. All personal data will be subject, whether in the trade of goods and services to consumers, or in "back-office", as well as in their own financial management and personnel control.

  • Is there punishment for those who do not comply with LGPD?

The LGPD provides for heavy punishments, such as administrative fines of up to R$ 50,000,000.00 (fifty million reais) per violation, in addition to civil liability for damages caused to individuals affected by the irregular treatment of data or even to the community through a public civil action.

  • How to comply with LGPD?

In order to comply with the LGPD, the company needs to make sure that its treatment of the personal data in its possession complies with everything provided for by law and ensure the security of such personal data, transparency in their use and the rights of the respective data subjects.

To comply with the LGPD, the company must have an inventory of the personal data it uses, control its processing operations and analyze the impact of this processing with regard to the protection of each data subject's data. The company should correct the gaps in its processes and review its information security practices and policies to bring them into compliance with the new law. Finally, the company should implement a governance program that ensures constant maintenance and updating of compliance with the LGPD.

 

  • Is there a difference in LGPD obligations for smaller companies?

There is no segregation between the various categories of companies in the LGPD. It is expected that the National Data Protection Authority - which will regulate the application of the LGPD - will create a simplified regime for smaller companies or those that are not data-intensive in their activity. Until then, a risk-based approach is recommended for the adaptation of different companies to the new law.

  • What data does LGPD refer to?

Personal data is defined broadly in the law, referring to any and all information related to an identified or identifiable natural person, from the most trivial such as name, telephone number and address, to the most sensitive such as financial and economic data, racial or ethnic origin, religious belief, political opinion and genetic data.

  • Who in the company is responsible for LGPD compliance?

The LGPD provides for the appointment of a particular person for the role of Data Protection Officer of the company, but the responsibility lies with all its staff. The Provisional Measure allows the officer to be a legal entity. Adaptation to the new law should be carried out by an interdisciplinary team with experts in process management, marketing, information technology, among others with knowledge of each specific part of your business model, as well as lawyers specializing in data protection legislation.

  • What is the deadline for compliance with LGPD?

The LGPD will come into force on August 16, 2020, according to the Provisional Measure, so the adaptation should be started as soon as possible, since it involves processes that may be complex and take a long time, depending on the characteristics of the company and its business.

Barcellos Tucunduva Advogados is available to answer your questions and help you in this endeavor through the Intellectual Property and Privacy area of the firm: https://btlaw.com.br/areas-atuacao/propriedade-intelectual/