What is the LGPD or General Personal Data Protection Law?
The LGPD (General Personal Data Protection Law) is law no. 13,709, passed in August 2018 and in effect since September 2020. It regulates the processing of personal data, with the objective of protecting the fundamental rights of freedom and privacy and a natural person's ability to freely develop their personality.
Personal Data Protection
In its content, the LGPD establishes the principles that must be respected in matters of personal data protection:
- Respect for privacy;
- Self-determination of information;
- Freedom of expression, information, communication, and opinion;
- The inviolability of privacy, honor, and image;
- Economic and technological development and innovation;
- Free enterprise, free competition, and consumer protection;
- Human rights, free development of personality, dignity, and the exercise of citizenship by natural persons.
Security Incident
Although the LGPD does not explicitly present the concept of a breach or incident, the National Data Protection Authority describes a security incident involving personal data as "any confirmed adverse event related to the breach in the security of personal data, such as unauthorized, accidental, or unlawful access resulting in destruction, loss, alteration, leakage or even, any form of improper or unlawful processing of data, which may pose a risk to the rights and freedoms of the holder of the personal data".
It is important to know the definition of "incident" in order to understand the events involving personal data that the legislation addresses, such as those in Article 42 of the LGPD, for example:
"The Controller or Operator who, due to the act of processing personal data, causes damage to others’ property, be it moral, individual, or collective, in violation of the legislation on protection of personal data, is obliged to repair it."
Article 46 of the LGPD serves as another example, which states that Personal Data Processing Agents must adopt security, technical, and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of improper or unlawful processing.
What Is the Purpose of the LGPD?
The LGPD was created with the purpose of providing greater protection to personal data and giving data subjects greater control over those who handle their personal information. To that effect, the LGPD establishes rules, principles, and guidelines applicable to the processing of data, in physical or digital media, carried out by natural persons, when it has economic purposes, and by public or private entities.
How Does the LGPD Define Personal Data?
Article 5 of the LGPD brings the definitions for two categories of data: personal data and sensitive personal data.
Personal Data
Sensitive Personal Data
Who Does the LGPD Apply To?
The LGPD applies to any data processing operation carried out by a natural person or by a legal person under public or private law regardless of the medium, the country of its registered office, or the country where the data is located, provided that:
Important Definitions in the LGPD
There are some very important definitions in the LGPD that help to understand the legal text:
The 9 Rights of the LGPD
Under the LGPD, the holder has the following rights regarding the processing of their personal data:
1. Confirmation of the existence of the processing
Taking into account that data processing is any activity related to personal data, such as collection, storage, use, and classification, the LGPD guarantees the data subject the right to confirm whether a company carries out the processing of their personal data. The LGPD also determines that the response confirming the existence of processing must indicate the origin of the data, the criteria used, and the purpose of the processing.
2. Access to the data
Once the data has been processed by the Controller, the data subject may request access to his or her data, which will be provided through a physical or digital copy.
3. Correction of incomplete, inaccurate, or outdated data
Once the existence of data processing has been confirmed, the LGPD entitles the data subject to request the correction or deletion of any incomplete, inaccurate, or outdated data.
4. Right of anonymization, blocking or deletion
The owner may request the anonymization, blocking, or deletion of their data. The anonymization of data means that it can no longer be related to the holder, so it is no longer personal data. Blocking refers to the temporary suspension of processing for certain purposes. Finally, erasure refers to the exclusion of data that is unnecessary, excessive, or processed in breach of the intended purposes.
5. Data portability
Subject to the ANPD's regulation, or where it is technically feasible, the holder may request that the Controller provide their data in a structured format for transfer to a third party. This excludes data that has already been anonymized or deleted from the database, and the transfer must not infringe intellectual and/or industrial property rights or breach confidentiality obligations arising from concluded contracts.
6. Right to revoke consent
The owner of the data may cancel any consent he/she has accepted to use his/her personal data.
7. Right to information about the exchange of their data
The data subject has the right to know which types of public and private entities the Controller shares his or her data with.
8. Information on the possibility of not consenting to data processing
The data subject has the right to receive clear and complete information about the possibility and consequences of not consenting.
9. Opposition to data processing
The LGPD authorizes the processing of data even without the data subject's consent. In such cases, a legitimate reason is required, for example when processing is necessary to ensure the security of a website and its available resources. However, if the holder does not agree with any purpose for which their data is processed, they can state their opposition by requesting the discontinuation of the processing directly from the Controller.
LGPD Compliance Checklist
The LGPD brings a series of compliance measures so that Data Processing Agents can implement an adaptation process. The following measures are worth mentioning:
Data mapping
Preparation of documentation required by the LGPD and the Legal Basis
Adoption of contracts
Definition of deadlines and criteria for storage and disposal of personal data
Adoption of security, technical, and administrative measures
Privacy Governance and Best Practices Program
The Challenges of Compliance With the LGPD
Compliance with the LGPD is not an easy process. Like Brazil, many countries are developing GDPR-inspired compliance regulations, such as the California Consumer Privacy Act (CCPA) and Canada's proposed Digital Charter Implementation Act.
To comply with these regulations, organizations must do the hard work of protecting the rights of their stakeholders and conduct impact assessments, report security incidents, and ensure they have audit processes in place.
IT staff cannot rely on manual processes or temporary controls to meet these requirements, because that approach is not sustainable. Instead, automated and streamlined data protection technology is better suited to stringent regulatory requirements to limit access to personal data and to protect data at rest and in transit.
Three areas are of particular concern to IT teams:
Cybersecurity Solutions for LGPD Compliance
For LGPD compliance, it is necessary to apply simple policies and pragmatic procedures that lead people to adopt a culture of information protection in your organization, accompanied by a layered security approach that enforces the established policies.
HelpSystems' approach consists of guaranteeing information security through granular controls in the information flow and throughout its life cycle, without this representing any drop in the organization's productivity. From intelligent and granular data classification capable of identifying the type of information and its location, to data loss prevention, digital data rights management, and file transfer security, we offer a comprehensive and integrated set of solutions for the execution of your security strategy:
Email Security
Data Classification
Vulnerability Assessments and Intrusion Protection
Secure Managed File Transfer (MFT)
Infrastructure Protection
Data Loss Prevention (DLP)
Get To Know Fortra's Cybersecurity Solutions
Your Cybersecurity Ally
Fortra has been recognized by Cybersecurity Excellence as a winner in several categories, including Data Leak Prevention and Data Security.
Fortra Helps You With GDPR Compliance
At Fortra, we have more than 30 years of experience helping organizations around the world to protect their data. Our globally recognized solutions and our team of experts can help you comply with LGPD and other regulations. Request a no-obligation presentation to learn how our solutions can help your company's security strategy.