Everything You Need to Know About Brazil LGPD: Penalty For Non-Compliance of LGPD
What is Brazil’s LGPD?
The LGPD, or Lei Geral de Proteção de Dados in Portuguese, is Brazil's General Data Protection Law. It is a comprehensive data protection regulation enacted to govern the processing of personal data in Brazil. The LGPD was signed into law in August 2018 and became fully effective on September 18, 2020, the date on which enforcement of its provisions began. Organizations and entities subject to the LGPD have had to comply with the law and its data protection requirements from September 18, 2020, onward. The law was heavily inspired by the European Union's General Data Protection Regulation (GDPR) and is designed to give individuals greater control over their personal data and to establish rules and requirements for organizations that handle such data. This blog contains everything you need to know about the LGPD (Brazil's data protection law).
It is important to understand the purpose and objectives of the LGPD.
The purpose of the LGPD is to regulate the processing of personal data in Brazil with the aim of:
- Protecting Privacy: One of the primary objectives of the LGPD is to safeguard the privacy rights of individuals by establishing clear rules for the processing of their personal data.
- Empowering Data Subjects: The law seeks to empower data subjects (the individuals to whom the data relates) by giving them greater control over their personal information. This includes the right to access, correct, delete, and transfer their data.
- Fostering Trust: By providing a legal framework for data protection, the LGPD aims to increase trust between individuals and the organizations that handle their data. This trust is crucial for the development of digital services, e-commerce, and the growth of the digital economy.
- Preventing Data Abuse: The law seeks to deter and prevent the misuse of sensitive personal data, such as unauthorized access, data breaches, and other privacy violations.
- Creating Accountability: The law holds organizations accountable for their data processing activities by imposing penalties for non-compliance and data breaches.
The LGPD Brazil data protection law grants data subjects several rights regarding their personal data:
- Access: Data subjects can ask to see their personal data.
- Rectification: Data subjects can request corrections to their data if it’s inaccurate or incomplete.
- Deletion: Data subjects can ask for their data to be deleted in certain situations.
- Consent: Data subjects must provide informed consent for their data to be processed, and they can withdraw it.
- Information: Controllers must provide clear information about how they process data subjects' personal data, including sensitive personal data.
- Objection: Data subjects can object to data processing for specific purposes.
- Non-Discrimination: Data subjects can’t be discriminated against for exercising their data protection rights.
Remember, data controllers and processors are responsible for respecting these rights. If they don’t, there can be legal consequences, and data subjects can contact the Brazilian Data Protection Authority for help.
Who does LGPD apply to?
Brazil's Lei Geral de Proteção de Dados applies to the following:
- Data subjects: individuals (natural persons) whose personal data is processed, regardless of whether they are Brazilian citizens or located in Brazil.
- Data controllers: organizations or individuals that determine the purposes and means of processing personal data.
- Data processors: entities or individuals that process personal data on behalf of data controllers.
- LGPD may require certain organizations to appoint DPOs to oversee data protection compliance.
- LGPD is enforced by the Brazilian National Data Protection Authority (ANPD), which ensures compliance with data protection regulations.
In summary, LGPD applies to data subjects, data controllers, data processors, Data Protection Officers, and is enforced by the Data Protection Authority (ANPD).
LGPD excludes data processing for personal, journalistic, artistic, literary, academic, national security, national defense, public safety, or criminal investigation purposes when conducted by an individual.
How to comply with the LGPD?
Complying with LGPD involves taking several steps to ensure that your organization follows the principles and requirements of the law. Here’s a general guide to help you achieve LGPD compliance:
- Obtain Consent: Ensure that you have proper consent mechanisms in place for processing personal data. Consent should be clear, informed, and freely given. Data subjects should be able to withdraw their consent at any time.
- Data Mapping: Identify and document all the personal data your organization processes. This includes data sources, the types of data, the purposes for processing, and how long data is retained.
- Appoint a Data Protection Officer (DPO): If your organization processes a significant amount of personal data, it may be required to appoint a Data Protection Officer to oversee compliance with the LGPD.
- Implement Data Protection Impact Assessments (DPIAs): Conduct DPIAs to assess the potential risks and impacts of data processing activities on data subjects. Implement measures to mitigate identified risks.
- Data Subject Rights: Establish processes for data subjects to exercise their rights, such as the right to access, correct, delete, or transfer their data. Respond to data subject requests promptly.
- Data Breach Response Plan: Develop and document a data breach response plan, including notification procedures to inform data subjects and regulatory authorities in the event of a data breach.
Remember that LGPD compliance is an ongoing process, and it’s essential to keep abreast of any changes in the law and adapt your practices accordingly.
LGPD Penalties & Consequences due to Non-compliance
Non-compliance with LGPD can result in various consequences and penalties. The law includes provisions for both administrative and civil sanctions. Here are some of the potential consequences and penalties for non-compliance:
- Fines: LGPD allows for fines of up to 2% of a company’s annual revenue in Brazil or up to 50 million Brazilian Reais (BRL), whichever is greater, for each violation of the law. This can add up to significant financial penalties for organizations found to be in violation of LGPD.
- Warning: The National Data Protection Authority (ANPD) may issue warnings or recommendations to organizations that are not in compliance with LGPD. These warnings can serve as an initial step before imposing fines.
- Suspension of Data Processing: In serious cases of non-compliance, the ANPD has the authority to temporarily or definitively suspend the processing of personal data, which can disrupt an organization’s operations.
- Data Processing Restrictions: The ANPD can impose restrictions on how an organization processes personal data, limiting certain activities or requiring specific measures to be taken to address non-compliance.
- Data Erasure: The ANPD can order the erasure of personal data that is being processed in violation of LGPD.
- Data Processing Suspension: In certain situations, the ANPD can suspend all data processing activities related to a specific processing operation or data subject.
- Publicizing Violations: The ANPD can publicly disclose the violations and penalties imposed on organizations, which can harm an organization’s reputation.
It is important to note that the LGPD aims to encourage compliance through its administrative sanctions, but it also provides a legal framework for individuals to seek compensation for harm caused by data privacy violations. In this way the LGPD promotes accountability and responsible data processing practices among organizations operating in Brazil.
Conclusion: Recap of LGPD's significance for Businesses
In conclusion, LGPD is a robust data protection law in Brazil aimed at safeguarding privacy, empowering individuals, and fostering trust in data processing. Compliance involves obtaining consent, mapping data, and appointing a DPO. Non-compliance carries administrative fines, civil liability, data processing suspension, and public disclosure. LGPD encourages accountability and responsible data practices in Brazil.