
Lei Geral de Proteção de Dados (LGPD)

The General Data Protection Law (LGPD) was sanctioned in Brazil in 2020 to establish rules for collecting and processing personal data. The law covers data treatment operations carried out in Brazil or involving data from Brazilians, and requires companies to protect personal data, follow new compliance procedures, and can issue fines up to $20M for violations. To prepare, companies must inventory personal data, assess protections, define new policies, continuously monitor compliance, and be prepared to respond to requests from data subjects to access or delete their information.

General Data Protection Law (LGPD)

 
After two years of work by the Special Commission for the Processing and Protection
of Personal Data, President Michel Temer sanctioned the General Data Protection
Law (LGPD), to be implemented from January 2020 on. Under this law, companies and
public institutions must follow rules for collecting and processing personal data,
including texts and photos published on social networks. The new law will only come into
force after a transition period of 18 months, but companies and users are already
affected by it now. How?

The General Data Protection Law

The new law covers the treatment operations carried out in Brazil, or the collection of
data made in the country by Brazilian or foreign companies. The standard also
applies to companies or entities that offer goods and services or treat information of
people who are in Brazil. International data transfer is also permitted, provided that
the country of destination has a compatible level of protection or when the company
proves that it guarantees the same conditions required by the Law, such as by
contract.
With this law, Brazil joins more than 100 countries that already have a
standard on the subject, changing the daily life of users, companies and the
Government.
The text was sanctioned, but with vetoes. The main one concerns the creation of a
regulatory body, the National Data Protection Authority (ANPD), which would be
responsible for issuing supplementary standards and overseeing the obligations
provided by law. The National Council for the Protection of Personal Data and
Privacy, which would assist the ANPD with strategies and prepare
an annual report on the implementation of the National Policy of the area, was also vetoed.
The justification for the veto was legal, since the creation of these organs would have
to be an initiative of the Executive Power, and not by virtue of the approval of the
law. According to the president, the veto is a "formal" issue and does not change the
merits of the new law.
As was the case with the enactment of the European data protection law, the
General Data Protection Regulation (GDPR), which prompted the adoption of
Brazilian law, it is expected that there will be a great demand by users for privacy,
requiring that companies are able to respond and adapt quickly.
 
How do companies need to adjust to the new requirements?
To comply with the new law, companies will need to invest in new solutions
such as third-party risk assessment systems, data management, data masking,
secure data transfer portals, secure and high-volume databases, and
management of consumer and customer identity, as well as the adoption of
technology architectures and practices that consider security by design, such as the
native encryption of personal data when
In order to meet the requirements of the new law, companies will face
challenges in guaranteeing data protection. It is recommended that companies
follow four basic steps:

I. Find out: Identify and perform the inventory of personal data, including
its classification, who controls, who processes it and how it is transferred;
II. Manage: Assess the level of data protection across all parties involved, whether
the company itself or third parties;
III. Protect: Define and deploy solutions, policies, and data governance
across the organization;
IV. Monitor: Control and continuously audit the level of protection, as well
as constantly evaluate possible leaks internally and externally.

LGPD and GDPR

The GDPR Regulation aims to strengthen citizens' right to data protection and
facilitate processes that require more clarity of personal information of European
citizens.
Below are some points that are addressed in the regulation:

• Companies should have a responsible person or department to serve as a bridge
between the companies and ensure that the regulation is complied with;

• Notifications will be necessary in case of leaks of information and incidents that
may cause damage to the holder of the information, with a maximum period of 72
hours;

• Creation of Local Controlling Bodies, for each member country;

• Data privacy of children under the age of 13, who should be aware of those
responsible;

• As a citizen's right, the regulation specifies that it should be easy to access all
information with transparency, with right to rectification of data, right to oppose,
portability and to be excluded when requested;

• Failure to meet the regulation's specifications is subject to a fine, which
can reach 20 million Euros.

The Law 13,709 / 2018 (Civil Internet Framework), welcomed the international
agreement on Data Protection and inserted Brazil into the structure of countries that
will create mechanisms for the general protection of data of persons, public or
private law in a global way, instituting security, quality, transparency, non-
discrimination, prevention, free access, suitability, purpose and need. The General
Law on Data Protection establishes a series of guidelines on the processing of
personal data of natural or legal persons practiced by a natural person or a public or
private legal entity provided that it has the purpose of providing goods or services or
treatment of data from individuals located in the country.

According to item X, article 5 of Law 13709/2018 (also known as the Internet Civil
Registry, which has received the General Law on Protection of Personal Data -
LGPD), the aforementioned treatment covers all transactions carried out with
personal data, such as collection, production, reception, classification, use, access,
reproduction, transmission, distribution, processing, archiving, storage, disposal,
evaluation or control of information, modification, communication, transfer,
dissemination or extraction.

All referred data treatment can only be carried out by consent to attend the legal
obligation.
It may also be carried out in judicial, administrative or arbitration proceedings,
protection of life, health, credit or any interest of the controller.
Handling of this data shall be performed by the controller, who is the person responsible
for all decisions on the processing of personal data, or by the operator responsible for
handling such data on behalf of the controller. Treatment agents (the name given to the
operator and controller) will be responsible for adopting data security and
confidentiality measures, as well as techniques to protect against unauthorized
access and any form of illicit or inappropriate treatment.
