What is the LGPD? - General Data Protection Law
Summary (TL;DR)
In this post, we will explore Brazil's General Data Protection Law (LGPD), which regulates the processing of personal data by companies.
Inspired by the European Union's GDPR, the LGPD seeks to guarantee the privacy and security of Brazilian citizens' data.
We'll cover what the LGPD is, who is subject to it, the types of data protected, the rights of data subjects, and how companies should adapt to these requirements.
We'll discuss the penalties for non-compliance and the impact of the LGPD on areas such as digital marketing and programmatic media.

Quick access
- What is the General Data Protection Act?
- Are companies ready for the LGPD to come into force?
- Who is the law aimed at?
- What information is protected by the LGPD?
- The General Data Protection Act and Transparency
- What are the purposes of the data regulated by the LGPD?
- What are the rights of data subjects under the LGPD?
- How does the LGPD protect children and adolescents?
- Companies will have to organize themselves to comply
- Compliance with the LGPD benefits companies
- What are the penalties for violating the LGPD?
- How does the GDPR impact programmatic media?
- How to prepare for the GDPR
- Keeping up to date is essential at this time
- Conclusion
Brazil's General Personal Data Protection Law (LGPD) regulates how personal data provided to companies is handled.
It changes the Civil Rights Framework for the Internet, in particular Articles 7 and 16.
With the advent of the law, Brazil became part of the group of countries that have specific legislation on the security of citizens' data.
The national LGPD was inspired by the General Data Protection Regulation (GDPR) of the European Union, which was made compulsory in 2018.
These laws involve a series of concepts and values, such as privacy and the preservation of intimacy, honor and image, based on the human rights of dignity and freedom.
Despite being extremely necessary, the law forces companies to make complex changes to their structures and security systems.
For this reason, the issue became the subject of discussion and the decree was modified several times.
So, if you want to learn more about the General Data Protection Law, keep reading this article; it will give you complete information on this subject.
What is the General Data Protection Act?
First of all, the General Data Protection Law came into being with the aim of regulating how consumer data is handled.
But because it has led to changes in companies' systems, adapting to it has become a major challenge.
According to Article 5(X), the LGPD states that data processing is any operation involving the collection, use, storage or distribution of personal information.
This new law has had a number of major impacts on the protection of individuals' privacy and the security of their data.
As such, the LGPD imposes a series of requirements on companies that use personal information in any way and imposes penalties in the event of non-compliance with the rules in question.
Among the prohibitions of the LGPD are the collection and use of personal information by any person or institution without proper consent and use in an unlawful or abusive manner.
Faced with this issue, companies have started to look for compatible alternatives to adapt to the new data processing rules.
Compliance with the standards could even be seen as a competitive advantage.
The LGPD was sanctioned by the president in August 2018, after which companies had until February 2020 to comply with the new rules.
However, several institutions pressured the government to extend the deadline to allow more time for compliance.
The new deadline would then have been August 2022, but the Covid-19 pandemic and the pressure it has put on companies and the economy in general have brought a scenario of uncertainty.
As such, it is not yet known whether or not there will be a further extension of the deadlines for companies to comply, given that the pandemic has had a major economic impact on companies around the world.
Are companies ready for the LGPD to come into force?
Nowadays, information is very valuable because it can be used strategically, to the benefit of large companies.
Even the media often refer to this information as “the new oil”.
This is because, given the technological developments that have taken place over the last few decades, companies have adapted to the scenario by using the large flow of information as raw material in their business.
However, it is known that the impacts of using personal data inappropriately are enormous.
This is why alternatives have been sought to curb its uncontrolled use, which threatens the safety of individuals.
In this scenario, the European Union was a pioneer in creating regulations, followed by the United States.
So following this strong global trend, in August 2018 Brazil sanctioned the General Data Protection Law.
It establishes how companies use the information provided by their customers, both online and offline.
It contains ten legal bases according to which data must be collected, processed, stored and distributed, thus benefiting its owners.
Who is the law aimed at?
The General Data Protection Law is aimed at all companies that in some way collect and process data from their users, regardless of the medium in which this is done.
In addition, the rules apply to operations in national territory, even if the company's headquarters are in another country.
In other words, the law applies to all companies that collect and manipulate data in Brazil, regardless of their country of origin.
In Article 2 of this law, the main foundations of data protection are:
- Respect privacy;
- Informational self-determination;
- There must be freedom of communication, expression and information;
- Image, honor and privacy cannot be violated;
- There must be technological innovation and investment in economic development;
- Consumer protection must take place, and free competition and free enterprise must be guaranteed;
- Human rights must be guaranteed, as well as dignity and the exercise of citizenship.
What information is protected by the LGPD?
LGPD regulations apply to some specific types of data. See which ones below:
Personal data
This category includes any information related to natural persons who have identification.
The most commonly collected personal data is CPF, ID, address, e-mail and telephone, as well as so-called indirect information, such as IP and geolocation data provided by electronic devices.
By using this data, companies can profile their customers and identify each individual using this information.
Sensitive data
Sensitive data are those that determine race or ethnicity, religion, political opinion, or membership of trade unions, political, religious or philosophical organizations.
This category also includes information of a genetic, biomedical nature or related to an individual's health and sex life.
Pseudo-anonymized data
Data falling into this category undergoes a process similar to anonymization, whereby it is no longer associated with any individual, either directly or indirectly.
This form of anonymity is encouraged by the law's own regulations as an efficient way of reducing the risks associated with exposing information.
The General Data Protection Act and Transparency
According to Art. 9 of the LGPD, the data subject has the right to receive transparent and clear information on how the information provided is being processed.
The data subject must have free access to information such as:
- Purpose for collecting your information;
- How the data will be processed and for how long;
- Identification and information of the agency responsible for storing and processing the data;
- Detailed information on data sharing;
- Rules governing the processing of data by the agency responsible;
- Rights that data subjects have over the processing of their data.
What are the purposes of the data regulated by the LGPD?
According to the LGPD, there are some regulated ways of handling personal data correctly. Here are some of the requirements related to this:
- Data may be processed with the consent of the data subject. This consent must be given in writing and can be revoked at any time;
- The information may be used to comply with legal or regulatory obligations;
- The data can be used to carry out historical, scientific, statistical or technological research;
- Use for the execution of public policies provided for by law or described in a contract;
- The data may be used to execute a contract or preliminary procedure at the request of the data subject;
- The information can be useful in legal proceedings, both administrative and arbitration;
- In order to protect the physical integrity or life of the data subject or other persons, the use of information is also permitted;
- The information can also be used whenever it is relevant to carrying out health or sanitary procedures;
- The data is required for credit protection purposes;
- Finally, it is permissible to request personal information to satisfy the interests of controllers, except when the data subject's right to liberty requires the protection of this information.
What are the rights of data subjects under the LGPD?
The LGPD preserves the rights of freedom, privacy and ownership of the individuals who provide their information.
This allows the data subject to request information on how their data is being used by the controller.
In this sense, the main rights of data subjects are:
- Request confirmation that your data is being used or stored;
- Obtain free access to all information that is being used in any way by third parties;
- The right to edit and correct outdated, incorrect or incomplete data;
- Block or delete your information at any time;
- The data may be passed on to another service or product provider;
- Request information on any and all entities responsible for controlling and sharing your personal data;
- Receive information on how to block the use and sharing of personal information;
- The right to revoke the declaration of consent to the use of information at any time, simply by expressly stating so;
- Possibility for the data subject to object to the way their data is processed if the LGPD is being violated in any way.
How does the LGPD protect children and adolescents?
The General Data Protection Law has specific rules for how children's and adolescents' information should be handled.
The aim is to prevent this information from being used inappropriately, putting these individuals at risk.
This group includes individuals up to the age of 18. The rules stipulated in this case are:
- The use of the information must be consented to by the individual's legal guardian;
- Information may be collected without authorization only if it is necessary to ensure the safety of the young person or to contact their guardians;
- The use of online games or applications should not be linked to the provision of information, unless it is strictly necessary;
- The controller therefore has a duty to check that the information has actually been provided by a responsible adult;
- Finally, the controller must be transparent about how the data is used.
Companies will have to organize themselves to comply
Among the specifications of the General Data Protection Law are the measures that must be applied in relation to the corporation.
Ideally, all Brazilian companies should develop internal programs that follow these recommendations:
- Commitment to data security;
- Internal policy that includes caveats regarding the effects and risks of violating privacy;
- Constant search for a relationship of partnership and trust with the owners of the information;
- Creation and application of internal and external measures to supervise data handling;
- Planning action measures in the event of incidents, as well as efficient ways to remedy them;
- Constant updating of corporate programs related to the protection of third-party data.
Compliance with the LGPD benefits companies
Despite the fact that it requires profound changes in the structure and rules of companies, adapting to the LGPD standards can bring a number of benefits:
- The relationship between the company and its customers becomes more transparent and, consequently, is based on greater trust;
- Due to the implementation of national data processing standards, all companies will have to behave in the same way;
- The LGPD can contribute to improvements in digital marketing for small businesses. This is due to the deletion of unnecessary, non-existent or incorrect information. Communication will only take place with customers who are really interested in the brand;
- The law requires companies to adopt more efficient security systems that are better suited to protecting their customers' information and detecting breaches quickly;
- The LGPD improves the way data is organized and managed, which can greatly benefit business administration.
What are the penalties for violating the LGPD?
As mentioned above, there are a number of requirements laid down by the LGPD regarding the processing of customer data, which must be complied with from the date the law comes into force. Failure to comply with them will incur penalties:
- Warnings with the right to a period of time to make the necessary correction;
- In more serious cases, a fine of 2% calculated on the company's turnover can be imposed, limited to 50 million reais;
- Daily fine for failure to comply with the standards in question;
- The infringement may become public and the information may be blocked until the situation is normalized;
- In some cases the information can be deleted.
How does the GDPR impact programmatic media?
Currently, digital marketing is one of the main factors contributing to the growth and increased profitability of companies.
But as it is based on the use of customers' personal information, it will have to undergo several changes to adapt to the new requirements of the LGPD.
Information such as name, ID, CPF and e-mail, for example, can only be collected with the authorization of the data subject.
Allied to this, companies will have to work on transparency with customers, who will now have the right to know how their personal information will be used, as well as to cancel authorization at any time.
Furthermore, personal data should be requested only when the information is extremely relevant.
Companies will also be responsible for improving their security systems to ensure that the information is used correctly, so that their customers are not harmed in any way.
Likewise, all information must be stored securely and confidentially, once again with security in mind.
Therefore, the entire chain related to programmatic media will have to go through in-depth changes under the LGPD to comply with current legislation.
As a result, publishers wishing to provide personalized ads will have to use a legal basis, as well as being transparent with companies wishing to track them.
Advertising companies that use information stored in data centers will have to redouble their precautions with regard to data suppliers, who will also have to work in accordance with the LGPD.
In some cases, the data must be anonymized so that it can be used to profile customers without violating the law.
As soon as the General Data Protection Law comes into force in Brazil, it will completely change the way marketers deal with information and they will need to adapt to this new reality.
How to prepare for the GDPR
The LGPD should have come into force by now if its deadline hadn't been revoked, and most companies still haven't adapted to this new reality.
Larger companies with more resources are leading the way on this long road and are gaining a competitive advantage in the market.
However, this is not the reality for most people and, to make matters worse, the Covid-19 pandemic has hit the global economy hard.
As a result, companies have even fewer resources available to spend on regulation in accordance with the LGPD.
In addition to technical adaptations, companies also need to change their corporate culture, including the way their employees think.
This is of the utmost importance because the new law is quite strict and there is no possibility of making mistakes that compromise the safety of your customers and consequently harm the company.
In order to adapt to the new requirements, companies will not only have to adopt new privacy policies, but also work on deeper changes to their entire structure and employee mentality.
You can count on a privacy policy generator, offered by Cloudshop. Here you can generate information for your users.
Finally, drawing up a Data Protection Impact Report is essential for correctly mapping the way information is being handled and thus correcting any possible flaws that may be occurring.
Keeping up to date is essential at this time
Although the law is still relatively far away, it is essential that companies implement the changes as soon as possible.
This is because adaptation is slow, as is employee training. So the sooner the changes take place, the fewer mistakes the company is likely to make in the future.
The biggest challenge with data protection laws is providing the resources to implement them, as well as changing the mentality of customers and employees regarding the proper use of information.
In addition to workers having to understand the importance of security in the processing of data, data subjects must also demand that authorization be required to use it.
The market must therefore be educated by encouraging companies that operate in the sector and make use of their customers' personal information.
Another important issue to consider is that in order to comply with the standards, constant monitoring will be necessary to prevent serious failures from occurring.
In addition, companies must develop action plans for when information security problems occur.
By complying with the rules, companies increasingly gain the trust of their customers.
However, it is necessary to constantly update and adapt the security system, as the world changes very quickly.
Conclusion
The main objective of the General Data Protection Law is to guarantee security in the use of personal information, as well as to give data subjects greater autonomy over their data.
Although it was developed at a time when the great importance of protecting information was being understood, companies are still a long way from adapting to all the demands made by the LGPD.
Frequently Asked Questions
What is the General Data Protection Law (LGPD)?
The LGPD is a Brazilian law that regulates the processing of personal data, guaranteeing the privacy and security of citizens' information and imposing rules for the collection, use, storage and sharing of this data.
What are the main rights of data subjects under the LGPD?
Data subjects have the right to know how their data is being used, can request the correction or deletion of information, revoke the consent given, and block or transfer their data to another service provider.
How does the GDPR impact digital marketing and programmatic media?
The LGPD requires companies to obtain explicit consent from users before collecting personal data for marketing, as well as guaranteeing transparency about how this information will be used. This requires significant adjustments to digital marketing strategies.
What are the penalties for companies that don't comply with the LGPD?
Penalties can include warnings, fines of up to 2% of turnover, limited to 50 million reais per infraction, as well as the blocking or deletion of data until the irregularities are corrected.

