General Data Protection Law

On August 14, 2018, Law 13.709, the General Data Protection Law (termed LGPD in Portuguese), was enacted, in line with similar actions around the world. The LGPD was drafted in reasonably good alignment with international standards on the subject – in particular the EU General Data Protection Regulation (GDPR).

After several setbacks in the National Congress (related to the possibility of postponing the effectiveness of the General Data Protection Law (LGPD)), the LGPD has finally been in full force and effect since September 18, 2020. However, it is now clear that the penalties associated with the law can only be applied as of August 1, 2021. Despite this fact, companies may face indemnification for damages or other types of compensation arising from judicial claims. This means that companies that process personal data within the country will need to be compliant with the law, regardless of whether they have offices or a local presence in Brazil.

The LGPD consistently follows numerous principles and fundamentals of the GDPR; however, it has its own DNA and in some regards is very different. As such, it will not be sufficient for companies to merely be compliant with the GDPR; compliance with all of the LGPD's specific rules is also necessary.

The requirements are varied and often complex. Penalties for non-compliance range from warnings to as much as 2% of the company’s gross revenues (up to a maximum of R$50,000,000 per violation).

RGAA has assiduously specialized in this area to help clients attain full compliance with the LGPD.

We offer a complete package of solutions:

  1. Enterprise data flow mapping: Essential to any data protection program is analysis of what data travel through the company’s operation, and what data are protected under LGPD. The technical base of data used can also be analyzed.
  2. Data handling audit, with a focus on uncovering any LGPD non-compliance.
  3. Data Protection Impact Assessment – DPIA.
  4. Classification of the most suitable legal basis for data handling. User Consent management, if applicable. Validity testing of Legitimate Interest. Alignment of all practices not in compliance, such that there is a framework for the legal bases provided.
  5. Preparing the company for compliance with LGPD Principles.
  6. Analysis of sensitive data – and their handling/management – if applicable.
  7. Implementation of data handling and governance rules. Once issues have been uncovered, it is essential that rules are followed that ensure the company does not find itself in future non-compliance. A governance policy – ideally with permanent focal points of control – should be put into place for this.
  8. Data Control Panel and useful life of data, within the company’s data flow. Management of Data Users’ requests. Control of data flow, potential non-compliance, and matters for attention.
  9. Technical solutions for anonymization, pseudo-anonymization, and data masking.
  10. In-house
  11. Data Protection Officer – DPO