LGPD: What It Is and How to Prepare for It
We all know how important it is to comply with all the Data Privacy and Data Protection rules and regulations.
This is why most companies located in Brazil, or international brands that deal with Brazilian companies and citizens, are now worried about the LGPD, which will come into effect on May 3, 2021. Why are we talking about it now?
The LGPD was supposed to come into effect on August 15, 2020. This is the reason why this document is so widely discussed now.
But some articles and sections of this Brazilian Data Protection Law were vetoed by the President. The Law now also has to be reviewed by the Brazilian Congress by August 26, 2020.
Why care about it now?
The LGPD will come into effect gradually.
The substantial part of the Law comes into force on May 3, 2021.
Administrative sanctions described in this Law will become effective on August 1, 2021.
By the time this Law comes into effect, companies are supposed to get prepared:
Hire a Data Protection Officer
Companies need to appoint a Data Protection Officer (DPO) — you can get a new hire or a third-party entity, like a law firm.
What is this natural person/legal entity supposed to do?
This person/entity will be in charge of the processing of personal data and will be responsible for communication between the companies and controllers. Controllers are the National Data Protection Authority (ANPD).
In the document, translated from Brazilian Portuguese into English, you can see that the entire ANPD section has been vetoed by the Brazilian President. However, this department will exist. Its principal duties are subject to clarification.
Review the way they process personal data
Well, no matter when the sanctions take effect, we need to review our emails to make sure they comply with the LGPD.
If you have optimized your email marketing for the GDPR — you’ve done the biggest part of preparation.
In fact, there are just slight differences between LGPD and GDPR.
- Children and adolescents’ personal data should be processed only once written consent has been given by at least one of the parents or a legal representative. Exception: When there’s a need to contact parents immediately for the protection of a child’s health or life.
- Consent can be revoked at any time.
- The subject must be given access to personal data within 15 days. In the GDPR, it is a month.
- Fines are considered less severe than the fines in the GDPR. The maximum amount is €11 million versus €20 million in the European law.
The GDPR editor compared the GDPR and the LGPD regulations. Please see the full table.
Yes, the same as with the GDPR — to be allowed to send promo emails to a contact list, a company has to get the user’s consent.
In order to comply with all the Data Protection Laws, we need to get prepared now.
All the clauses described above, such as those on children’s data or the data protection officer, are to remain unchanged, so we can work on them now.
But since some articles of the LGPD will be reviewed by the Brazilian Congress, we recommend that we all revise our emails in September, after the Law has been fully approved.