Shining a light on Brazil’s new data protection law

General | March 20, 2020 | 4 min read

In the golden age of technology, our most valuable asset is data. Neglecting to implement effective data security measures leaves data vulnerable to theft and manipulation. This is why many countries are coming up with new data protection laws based on economic conditions, the varying levels of security threats, and legal parameters.

What is the LGPD? Why is it necessary?

Lei Geral de Proteção de Dados (LGPD) is a Brazilian data protection law that will go into effect on August 15, 2020. This law will require businesses to handle the personal data of Brazilian citizens with care. The LGPD will require companies to implement proper security measures to ensure the safety of Brazilian consumers’ data or risk heavy fines.

Data, misuse, and repercussions

According to the LGPD:

  • Personal data is defined as the data that can identify a person.

  • All other types of data are categorized as anonymized data.

  • When data is used for a different purpose other than the one stated during its initial collection, it is called data misuse.

Disgruntled or malicious insiders often misuse personal data. For example, consider the case of a ride-sharing app. Customers give their location information to the ride-sharing app company so they can easily get from one place to another. This information is confidential; no one but the driver and the passenger should have this information.

So what if a malicious insider used this location information to track the passenger’s whereabouts? That data misuse could lead to stalking or harassment. In other situations, data misuse can cause identity theft and illegal disclosure of data to an unwanted third party. The repercussions of data misuse can be far-reaching and damaging: loss of revenue, damage to reputation, economic disturbances, operational standstill, and class-action lawsuits.

Processing personal data

The LGPD is written based on a specific set of criteria, and it applies to any company or individual collecting or processing the personal data of Brazilian citizens. Personal data can only be processed in the following events:

  1. By the consent of the data subject (a person whose personal data is being collected, held, or processed)
  2. For the controller’s (a person or company that determines the purpose and means of personal data processing) compliance with a statutory or regulatory obligation
  3. For processing and shared use of data required for the performance of public policies by public administration
  4. For technological studies
  5. For the performance of agreements or procedures to which the data subject is a party
  6. For the exercise of rights in legal proceedings
  7. For the protection of the life or physical safety of the data subject
  8. For the protection of health
  9. For the service of legitimate interests of the controller
  10. For the protection of credit

Brazilian legislation provides more legal authorization for processing personal data, which makes the interpretation of the law flexible. In 2012, Brazil has passed nº 12.414/2011, or the Positive Credit History Law. This set of rules helped establish positive credit bureaus, which are data collection agencies that gather account information from various creditors and provide that information to the reporting agency that previously only tracked the negative reports on the credit scores of individuals or companies. The LGPD is the first law to consider the protection of credit scores.

The LGPD requires consent in situations involving personal data. As per the LGPD’s legitimate interests clause, data can be used for purposes other than what the data was originally collected for. This clause requires the organization to implement measures to protect data against the omnipotent nature of big data, artificial intelligence, and machine learning.  

A machine could misconstrue the consent clause of the LGPD because of the leeway provided for credit score protection, and end up processing data even though the data subject didn’t offer their consent. However, the consent clause is meant to be interpreted restrictively; organizations should limit the use of profiling and automated decision-making.

Rights of the data subject

The LGPD provides the following rights to data subjects:

  1. The right to ask the controller for access to the data and confirmation of data processing.

  2. The right to request the controller correct incomplete, inaccurate, or outdated data.

  3. If data needs to be anonymized, blocked, or eliminated due to its noncompliance with the provision of the law, data subjects can ask the controller to do it for them.

  4. Data subjects can transfer their data from one controller to another if needed.

  5. Data subjects can request the controller to delete their personal data unless the data is for:

    • The controller’s compliance with a statute or regulation

    • Studies by a research body

    • Transfer to a third party

    • Exclusive use by the controller and access to any third party is prohibited.

  6. If the controller has shared data with a public or private entity, the data subject can request that information.

  7. The data subject can also revoke their consent for data processing unless the use of their data falls under one of the circumstances stated in point 5.

Data breach report

According to the LGPD, breaches must be reported within a “reasonable time period.” Autoridade Nacional de Proteção de Dados (ANPD), the Brazilian data protection authority, has not yet defined the time limit for notifying the authorities about a breach, but it requires the data breach notice to contain the following:

  • Description of the nature of the affected data

  • Information about the data subject involved

  • Indication of the security measures involved

  • Risks related to the incident

  • Reasons for the communication delay

  • The measures that were or will be taken to reverse or mitigate the effects of the breach

Fines

Heavy fines will be levied upon companies that violate LGPD requirements. Maximum fines for violations can amount to two percent of the company’s revenue in Brazil during the prior fiscal year, which does not include taxes. Data protection authorities can impose fines of up to 50 million reals (USD 10.4 million).

Data protection planning

The objective of the LGPD is data protection. There are a few areas you need to concentrate on to implement effective data security. You need to determine the nature and location of data in your servers, and that data should be regularly monitored for policy violations. Changes that are made to users, permissions, and groups should be logged and audited to prevent security hazards.

LGPD compliance may seem like a daunting task, but there are products that can help. ManageEngine AD360 helps you govern the identities within your network, and gives you an option to create custom reports for LGPD security audits. Log360, a comprehensive SIEM solution, helps you detect unauthorized data access and security incidents, discover personal data, and archive log data securely. This solution also comes with an option to configure the LGPD audit report that helps you meet the IT security requirements of the mandate.

 

Terence Morais
Product Marketing Specialist