After a number of postponements and much discussion about further delay, the Brazilian Lei Geral de Proteção de Dados Pessoais (General Data Protection Law, LGPD) is on the verge of entering into force. In a surprise move, the Brazilian Senate on Wednesday 26 August decided not to agree to a further postponement, but to let the law enter into application immediately. Enforcement of the law, in the form of administrative sanctions, will start in August 2021.
While waiting for the official start of the law, this seems to be the right moment to take another look at what the LGPD requires from organizations doing business in Brazil. When looking at the new Brazilian law, it is immediately clear that there is a fair amount of overlap between the LGPD and the GDPR. This is no surprise: the LGPD is an omnibus data protection law as well, modeled after the GDPR. It explicitly recognises that data protection is linked to respect for privacy, informational self-determination and human rights, but also to free enterprise and free competition.
Join this webinar to learn about LGPD requirements and what is required from organizations doing business in Brazil.
This webinar will review:
-The current status of LGPD and its enforcement timeline
-Requirements for organizations doing business in Brazil, including accountability, legal bases, individual rights and international transfers
-How to prepare for compliance
2. Speakers
Paul Breitbarth, LL.M, Director, EU Policy & Strategy, TrustArc
Christina Fratschko, HBA, MLIS, CIPP/US, Privacy Research Specialist, Privacy Intelligence, TrustArc
Jucival Dos Santos, MBA, Managing Principal & Founder, Assent Trust
3. Agenda
● The current status of LGPD and its enforcement timeline
● Requirements for organizations doing business in Brazil, including accountability, legal bases, individual rights and international transfers
● How to prepare for compliance
5. Adoption of the LGPD
16 August 2020: Expected entry into force of the LGPD. Before that date, a proposal was made to postpone it to 3 May 2021 because of COVID-19.
26 August 2020: Senate rejects the 2021 postponement; publication of the ANPD Decree (establishing the regulator).
17 September 2020: President Bolsonaro confirms application of the LGPD.
August 2021: LGPD penalties can be imposed.
7. Legal Bases
I. Consent
II. Compliance with a legal obligation
III. Public administration, for the execution of public policies
IV. Research
V. Execution of a contract, or preliminary procedures for a contract
VI. Legal procedures
VII. Protection of life or physical safety
VIII. Protection of health [only in procedures carried out by health professionals, health services or health authorities]
IX. Legitimate interests
X. Protection of credit
Article 7 LGPD et seq.
8. Individual Rights
● Data ownership
● Confirmation of the existence of processing
● Access
● Correction
● Anonymization, blocking or deletion of unnecessary or excessive data
● Data portability
● Withdrawal of consent, followed by deletion
● Information about data sharing
Article 17 LGPD et seq.
9. International Transfers
● International data transfer: the transfer of personal data to a foreign country or to an international organization of which Brazil is a member.
● Main rule: data transfers only to countries with an adequate level of protection
○ The Brazilian DPA (ANPD) will need to draft the adequacy list once it is up and running
○ Criteria: the applicable data protection regime and the nature of the data; alignment of security requirements with the LGPD; existence of judicial and institutional guarantees for respecting personal data protection rights
● Alternative: transfers based on sufficient guarantees that the data will be protected
○ standard contractual clauses or ad hoc agreements;
○ global corporate rules (like BCRs and CBPRs);
○ public interest;
○ consent; or
○ following approval by the DPA.
Chapter V LGPD
10. Data Breaches
● Security incidents that may lead to material risk or harm must be reported, within a reasonable time period, to the national authority (the ANPD) and to the affected data subjects.
● The notification should include:
○ a description of the nature of the personal data affected;
○ information about the affected data subjects;
○ an indication of the technical and security measures used to protect the personal data;
○ the risks related to the incident;
○ the measures that will be adopted to reverse or mitigate the effects of the incident; and
○ the reasons for any delay in notification.
● The DPA may require controllers to adopt measures such as:
○ wide dissemination of the incident in the media; and
○ measures to reverse or mitigate the effects of the incident.
Article 48 LGPD
11. Accountability Obligations
● One of the key principles of the LGPD
● Both controllers and processors will need to be able to demonstrate “the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures”
● Includes:
○ Appointment of a DPO (subject to ANPD guidance)
○ Register of processing activities
○ Impact and risk assessments (subject to ANPD guidance)
● Suggestion: develop a privacy compliance program
○ Demonstrating commitment to adopt internal processes and policies that ensure broad compliance
○ Establishing adequate policies and safeguards based on a process of systematic evaluation of the impacts on and risks to privacy
○ Integrating privacy governance into the general governance structure
○ Updating the program regularly
Articles 6(X) and 50 LGPD
14. Main characteristics of the ANPD
● The ANPD will be part of the Federal Administration and bound to the Executive Office of the President
● The two main bodies of the ANPD are:
○ The Board of Directors:
■ This is the top executive body and is comprised of 5 members, including the Chairman; it holds normative, investigatory and corrective powers
○ The National Data Protection and Privacy Council (aka the Advisory Board):
■ This is a consulting body, comprised of 21 members chosen among representatives of different bodies of the administration, the Legislative Branch, the Judicial Branch, and entities representing civil society organizations
● ANPD positions will be filled through a reallocation from the budget of the Ministry of the Economy, and the President will have the authority to appoint the Board and Council members
● Board members will have a 4-year term; however, the terms of office of the first members of the Board will be 2, 3, 4, 5 and 6 years
● Council members will have a 2-year term, and re-election is permitted only once
● The Decree will come into force upon publication of the appointment of the Chairman of the Board by the President
15. Powers of the ANPD
● ANPD responsibilities include:
○ Ensuring the protection of personal data
○ Issuing rules and procedures on the protection of personal data
○ Requesting information from controllers and processors, at any time, on processing operations
○ Inspecting and applying sanctions for processing violations
○ Carrying out audits to determine compliance with the LGPD
○ Communicating any criminal offenses to the competent authorities
○ Promoting cooperation with personal data protection authorities of other countries
○ Ensuring that processing of data on the elderly is carried out in a simple, clear, accessible way, appropriate for their understanding
○ Imposing administrative sanctions
16. Powers of the Board of Directors of the Executive Board
● Requesting from controllers:
○ An impact report on the protection of personal data when processing is based on legitimate interests
○ Supplementary information, and carrying out checks on processing operations, in the context of approving international data transfers
● Authorizing international data transfers:
○ Including evaluating the adequacy of other countries' personal data protection
● Regulating:
○ Communication or shared use of sensitive personal data between controllers for economic advantage
○ Access to personal databases by research bodies when carrying out public health studies
○ Ethical standards related to studies and research:
■ Including the use of anonymization or pseudonymization
○ Portability of personal data between service or product suppliers
○ Presentation format of data sent to data subjects upon their request:
■ i.e., that it is provided in a format that allows its subsequent use
○ Communication or shared use of personal data from legal entities under public law to legal entities under private law
17. Powers of the Directing Council of the Executive Board
● Defining:
○ Standards and techniques used in anonymization processes
○ Forms of publicity for data processing operations carried out by legal entities governed by public law
● Determining:
○ Cessation of processing when there is a violation of the LGPD
○ Performance of an audit to verify discriminatory aspects in automated processing of personal data
○ Adoption of corrective measures based on the severity of security incidents
○ The deadline to report a data breach
○ The methodologies that will guide the calculation of sanctions
18. Draft Legislative Decree 394/2020
● Key aspects of the proposal - more autonomy for the ANPD:
○ The proposal seeks to suspend certain provisions of Decree No. 10,474 of August 26, 2020 which its sponsor, a federal deputy, argues reduce the autonomy of the ANPD
○ Concerns include:
■ Overarching power of the President, who appoints the Board of Directors, which in turn appoints the Advisory Board from a list based on criteria established by the Board of Directors
■ Article 37 of Decree No. 10,474, which gives the ANPD the power to request military personnel when needed; however, those personnel answer only to the President and not to the ANPD
■ The presidency of the CNPD will be exercised by the representative of the Casa Civil (Chief of Staff's office) of the Presidency
22. How to prepare for compliance?
1. Understand your legal requirements under the LGPD
○ Ongoing activity, because ANPD guidelines are yet to be drafted
2. Assess your Brazilian data processing operations (and create a register)
○ Processing taking place in Brazil
○ Processing targeting the Brazilian market
○ Processing of personal data from persons in Brazil
3. Document data transfers to and from Brazil
4. Update individual rights procedures to deal with LGPD requirements and deadlines
5. Keep documentation of all implementation steps
23. Why TrustArc
The combination of automation, intelligence and dedicated success teams
● Complete Automation: an automated, single-platform experience delivered through TrustArc's unique combination of privacy frameworks, intelligence, knowledge and operations.
● Embedded Deep Intelligence: only TrustArc can deliver the depth of privacy intelligence that's essential to today's ever-changing digital world, combined with a fully-automated platform for end-to-end privacy management.
● Dedicated to Success: our comprehensive onboarding with dedicated customer success teams can be augmented with privacy and compliance consulting expertise to build and grow successful privacy programs.
24. Platform Capabilities
How TrustArc Helps: Data Privacy Management Platform (Deep Intelligence + Complete Automation)
● Privacy Solutions: Regulatory Insights and Monitoring; Privacy Program Assessments; Risk Management; Frameworks and Planning; Consent Management; Privacy Rights Management; Breach Response; Audit and Assurance; Compliance Monitoring; Awareness and Training; Task Management and Action Plans; Reporting
● Data Capture: Applications; External APIs
● Knowledge Base: Data Inventory Hub; My Company Info; Tracker Scans; Intelligence System (IoP); Libraries; TrustArc Privacy and Data Governance Accountability Framework; Law and Regulatory Standards Repository
● Intelligence Engines
27. Upcoming Webinars
● Cookie Consent Regulatory Updates: How to Maintain Compliance - September 30, 2020 @ 9:00 PST
Past Webinars (free download)
● The Brazilian LGPD is Here: What You Need to Know
● How to Leverage Your GDPR Compliance for CCPA, Privacy Shield & More New Requirements