Brazil initially passed LGPD (Lei Geral de Proteção de Dados) in 2018, with an effective date of February 2020. The implementation date was then pushed to August 16, 2020, which is about a month away. Is your company ready?
Let's compare LGPD to the European Union's General Data Protection Regulation (GDPR).
Both LGPD and GDPR have a similar scope of personal data. LGPD's definition is technically broader: it includes any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment.
Data subject rights
These are essentially the same. LGPD breaks the 'right to information about public and private entities with which the controller has shared data' out of GDPR's more generic 'right to be informed'.
Data protection officers
LGPD implies that any organization processing data requires a data protection officer (DPO). GDPR, by contrast, has precise rules for when a DPO is required.
Legal basis for processing
GDPR lists six lawful bases for processing data. LGPD lists ten, and the one most distinct from GDPR's list is 'to protect credit' (referring to a credit score).
Reporting data breaches
GDPR has a specific 72-hour notification requirement. LGPD does not have a firm deadline.
A GDPR violation can cost companies up to 20 million Euros or 4% of the annual global revenue, whichever is higher. LGPD is less severe. Maximum fines in Brazil are 2% of the company’s revenue in Brazil from the prior fiscal year, excluding taxes, up to a maximum of 11 million Euros. The 11 million Euro fine is not a concern for any of the world's largest data processors.
At the highest level, LGPD and GDPR are broadly the same, with small differences. It will be worth watching how Brazil enforces LGPD, since GDPR is not enforced strictly in Europe.