LGPD
The LGPD, or Lei Geral de Proteção de Dados Pessoais, is Brazil’s version of the GDPR. It goes into effect in February of 2020.
The LGPD clarifies, updates, improves and supplements Brazil’s former information privacy laws to create more comprehensive support for the privacy of its citizen’s information.
How Do Brazil’s New Privacy Laws Affect You?
The LGPD applies to any organization or business, no matter where it is located, that processes the personal data of Brazilian people. Therefore, if your organization has any clients or customers who reside in Brazil, you will be required to comply with the LGPD. The good news? If you are already in compliance with the GDPR, you are well on your way to LGPD compliance.
The LGPD is far-reaching, applying to processing both within and outside of Brazil (i.e., to any processing “carried out in the national territory”) affecting personal data of individuals, or services or goods offered in the national territory; or personal information collected in the national territory. Similar to the GDPR, the law is far- reaching, and applies to processing activities that are completely performed outside of Brazil, but target or relate to Brazilian citizens.
If your business is outside of Brazil—in America, for instance—but you interact with the personal data of individuals in Brazil, you must be in compliance with the LGPD regarding this data. Conducting processing outside the legal requirements of the LGPD can be costly, with sanctions of up to 50M reais (about $12.9M USD)—or even prohibition from processing the personal data of people from Brazil.
The InfoComply software platform helps organizations meet LGPD requirements by automating records of processing activities, privacy impact assessments and data mapping, identifying privacy risks, and enforcing risk management activities, in an integrated platform.
Infocomply experts are ready to guide you with industry proven solutions & best practices, with key bottom line to faster compliance and reduce risk.
Requst For DemoBelow are eight steps that can help your organization reach LGPD compliance. InfoComply will work with you every step of the way, helping you reduce the time to reach compliance.
1 - Governance and Accountability
The LGPD requires organizations to take steps to reduce their risk of breaching the LGPD and to prove that an organization has taken data governance seriously. One of the first tasks you need to accomplish is to develop a set of accountability measures for your organization. These should include measures such as:
- Privacy Impact Assessments (PIAs)
- Policy reviews
- Audits
- Activity records
- Appointment of a Data Protection Officer (DPO)
These measures are required to ensure that processing is conducted in accordance with LGPD regulations, and should be reviewed and updated when necessary.
The Infocomply Readiness Assessment automation tool is designed to identify gaps in your current privacy program as it relates to LGPD, provide executive-level visibility and reporting, and demonstrate accountability and compliance in the event of a regulatory audit.
2 - Privacy by Design and Secure Processing
Your organization will need to implement technical and organization measures to show that you have carefully considered data compliance measures and integrated them into your data processing activities.
As a security measure for accountability and to ensure the safe processing of data, both the operator and the controller must keep records of their data processing operations. In other words, vendors will need to hold one another accountable in meeting the LGPD security control requirements.
InfoComply software provides many pre-defined screening and vendor
questionnaires to choose from, or organizations can import and tailor their own using a point and click, drag and drop interface. Infocomply provides features to extend approval workflows and risk tracking workflows, distribute the questionnaires to business users via email notifications or a self-service portal, and collect responses and analyze risks through automated or manual risk identification.
3 - Consent and Information Disclosures
A data holder must provide consent in writing or some other means showing proof of their desire for the consent to be valid. Proof that the consent was acquired in accordance with LGPD requirements is the responsibility of the controller.
General consent from a data holder is not acceptable; it must be given for a specific purpose. Furthermore, the data holder can withdraw his/her consent at any time, referred to as the “right to opt-out.”
Additionally, the data holder must be informed about the data processing prior to the giving of consent. If the processing information given to the data holder is non-transparent or misleading, the consent is considered void.
Infocomply software provides a consent management solution that can be embedded into the organization’s website or provide option via other notification touch points, devices and internal systems by capturing consent transactions in a standardized way. Organizations can then demonstrate consent individually to regulators as well as provide data subjects a list of all the things they have consented to for them to accept or withdraw their consent.
4 - Data Mapping and Records of Processing Activities
Under LGPD regulations, processors of personal information are responsible for maintaining records of their processing activities. The processing records, which must be kept by both the controller and the processer, must contain, at minimum: (a) the type of data collected, (b) methods employed for the data collection, and (c) the information security measures employed. The controller may be requested to provide a Data Protection Impact Assessment (Impact Report on Protection of Personal Data or DPIA) detailing how the company’s data processing operations ensure the protection of personal data, including the protection of sensitive data.
InfoComply software enables the capture of data flow inventory through approaches like surveys, scanning technologies, and workshops. It also helps keep the inventory up to date with PIA assessments for ongoing changes across the enterprise. Our out-of-the-box templates meet regulation requirements and are extendible, saving you time and effort.
5 - Data Subject Requests, Notifications and Communications
For compliance with LGPD, an organization must have in place a standardized process for reviewing and handling data subject requests, including collection, correction, or removal of the personal data. Referred to as Data Subject Access Requests (DSARs), organizations are given 15 days to handle them.
When a DASR is submitted, a confirmation that data processing operations are in place must be sent by the controller. This response can be sent immediately in a simple, easy-to-understand format, or can be sent in 15 days in a different format containing much more specific details, including but not limited to: the criteria used for the processing, the origin of the data, the purpose of processing, the identity and contact information of the controller, the purpose for sharing the information and with whom it is shared, and more. Explicit reference to LGPD’s Article 8, the rights of the data holder, must also be included in the response. Data holders also have the right to request data that is excessive, collected unnecessarily, or not processed in accordance with LGPD provisions be deleted.
InfoComply simplifies DSAR management. InfoComply software provides organizations with the ability to customize a branded web form, link to the form from the company’s privacy policy webpage, receive notification when a request has been submitted, and automatically request an extension if a deadline approaches. When the request is fulfilled, data must be securely transmitted to the individual, and the request
InfoComply software provides organizations the ability to customize a branded web form, link to the form from the company’s privacy policy webpage, receive notification when a request has been submitted, and automatically request an extension if a deadline approaches. When the request is fulfilled, securely transmit the data to the individual, and link the request to the underlying data map to efficiently fulfill the request, as well as ultimately generate the proper documentation and evidence should a regulator inquire about the request linked to the underlying data map to efficiently record the data in order to generate the proper documentation and evidence in the event a regulator inquires about the request.
6 - Training and Competency
An LGPD awareness campaign must address multi-channel stakeholders and offer specific training materials for employees, HR, IT, Customer Support, Marketing, and other key stakeholder areas.
InfoComply’s training toolkit provides training content, which can be further customized to the specific needs of an enterprise.
7 - Breach Management
LGPD requires incident response preparedness, response and notification plans to help companies meet the 72-hour breach notification requirements.
Infocomply software leverages a systematic process for organizations to document the incident, understand if the incident has resulted in a breach, analyze the breach for harm to the individual, and determine if it is necessary to notify the supervisory authority or data subject.
8 - Audits and Monitoring
A program should be in place to conduct an independent review and audit of your existing LGPD program to identify potential areas of improvement and ongoing compliance.
InfoComply’s Audit and Evidence Module has tools to consider key articles of regulation and provide documented evidence.