If your company has any customers, clients, or website visitors in Brazil, you should begin preparing for LGPD compliance. If you are already GDPR compliant, then you have already done the bulk of the work necessary to comply with the LGPD. Here’s how to comply with the LGPD.
What is the LGPD?
Defining of the principles and data process will be done by the new law, and will see the devolvement of a new Data Protection Authority (ANPD) which will oversee and enforce data protection laws across Brazil.
It will apply to any business, organization, or individual that processes the personal data of the people in Brazil, regardless of where that business, organization, or individual may be located.
Who does the LGPD apply to?
This means, that even if your company is not located in Brazil, but processes the data of Brazilian people, you are obligated to comply with the LGPD.
Requirements in the LGPD cover the collection, processing, use, and storage of personal data regardless of its online or offline form.
Therefore, if you have a Brazilian version of your website, or target Brazilian visitors and customers, the LGPD applies to your business.
What is personal data under the LGPD?
Personal data definition in the LGPD is very similar to the definition in the GDPR. The LGPD states that personal data can be any data that by itself or combined with other data can identify a natural person.
Legal basis for data processing
- With the consent of the data subject;
- To comply with a legal or regulatory obligation of the controller;
- To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
- To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
- To execute a contract or preliminary procedure related to a contract of which the data subject is a party, at the request of the data subject;
- To exercise rights in judicial, administrative, or arbitration procedures;
- To protect the life or physical safety of the data subject or a third party;
- To protect the health, in a procedure carried out by health professionals or by health entities;
- To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
- To protect credit (referring to a credit score)
How to comply with the LGPD?
- Inform visitors of cookies and data processing. Who is processing what data for what purpose?
- Obtain your visitor’s consent before your website sets cookies. Consent must be freely given and be an active choice by the visitor.
- Give your users the option to decline cookies (the right to opt out).
- Store consents so you can document consents to the ANPD.