The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law. It regulates the processing of personal data by natural and legal persons, public or private, and is built around the rights of the data subject (the natural person to whom the data refers).
The LGPD took effect on September 18, 2020. Its administrative sanctions became enforceable on August 1, 2021 (the delay was introduced by Law No. 14,010/2020). Fines are not fixed dollar amounts: a simple fine may reach 2% of the legal entity's revenue in Brazil in the previous fiscal year, net of taxes, capped at R$50 million per infraction.
LGPD Requirements and Legal Standard
The LGPD is Law No. 13,709 of August 14, 2018. Article 6 lists the principles that govern every processing operation, including purpose limitation, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination and accountability. The necessity principle is the LGPD's data minimization rule: processing must be limited to the minimum necessary for its purposes, covering only data that is pertinent, proportionate and not excessive in relation to those purposes. Article 19 sets the deadline for responding to a data subject's request for confirmation of processing or access to data: immediately, in a simplified format, or within 15 days of the request in a clear and complete statement.
In practice, controllers and operators must adopt technical and administrative security measures able to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination (Article 46), and must notify the ANPD and the affected data subjects of a security incident that may cause significant risk or damage to data subjects (Article 48; the law leaves the notification deadline to ANPD regulation). The law also requires clear, adequate and easily accessible information about processing activities (Article 9). There is no separate fixed-amount penalty for each of these duties; the sanctions in Article 52 apply to any violation of the law.
Scope and Requirements
Article 3 defines the territorial scope: the LGPD applies to any processing operation carried out in Brazil, to processing whose purpose is to offer or supply goods or services to individuals located in Brazil, and to processing of personal data collected in Brazil, regardless of where the controller is based or where the data is stored. There is no residency requirement for data subjects. Sensitive personal data (racial or ethnic origin, religious belief, political opinion, membership of a union or of a religious, philosophical or political organization, health, sex life, and genetic or biometric data) may be processed only with specific and highlighted consent for a specific purpose, or under one of the narrower legal bases in Article 11; the law sets no time limit on when that consent must be obtained. Article 41 requires the controller to appoint a data protection officer (encarregado) and to publish the officer's identity and contact details. This duty is not tied to any revenue threshold, although the ANPD has relaxed the mandatory appointment for small-scale processing agents in its regulations.
In plain terms, consent is one legal basis among the ten listed in Article 7 (others include compliance with a legal obligation, performance of a contract, and the controller's legitimate interest), so organizations must identify the basis for each processing activity rather than assume consent is always required. Where consent is the basis, it must be a free, informed and unambiguous expression of will, given in writing or by another means that demonstrates the data subject's intent, and it can be revoked at any time; there is no statutory waiting period between consent and processing. Organizations must also implement security measures appropriate to the data and the processing, such as encryption and access controls, as required by Article 46. Violations are sanctioned under Article 52 rather than through a fixed dollar penalty.
Required Documents
The LGPD does not prescribe a document set to be obtained within a fixed deadline, but several obligations require written records. Article 37 requires controllers and operators to keep records of the personal data processing operations they carry out, especially when processing is based on legitimate interest. Article 38 allows the ANPD to require the controller to prepare a data protection impact report (relatório de impacto à proteção de dados pessoais). Article 50 encourages, without requiring, a privacy governance program that includes policies, procedures and an incident response process; Article 48 separately requires incident notification to the ANPD and to data subjects. These records must be produced to the ANPD on request; the law sets no fee for this, and failure to cooperate is addressed through the sanctions in Article 52.
Organizations must also give data subjects the information listed in Article 9: the specific purpose of processing, the form and duration of processing, the identity and contact details of the controller, information on sharing of the data and its purpose, the responsibilities of the agents involved, and the data subject's rights under Article 18. This information must be clear, adequate and easily accessible. Requests for confirmation of processing or access to data are answered under the 15-day deadline in Article 19.
The Compliance Process
Step 1: Appoint an Officer and Record Processing Activities
The LGPD has no registration or filing step: there is no form to submit to the ANPD, no filing fee, and no approval to await before processing may begin. The first practical step is instead the set of standing obligations in Articles 37 and 41: appoint a data protection officer (encarregado), publish that officer's identity and contact details, and build a record of processing activities that states, for each activity, the data categories, purpose, legal basis, retention period and recipients.
The officer receives complaints and communications from data subjects and from the ANPD, provides clarifications and takes action on them, and advises staff on data protection practices (Article 41, paragraph 2). The ANPD may request information or documents from controllers and operators and sets the deadline for a response in the request itself; the law does not fix a number of days.
Step 2: Data Protection Impact Assessment
The second step is the data protection impact report (relatório de impacto à proteção de dados pessoais) under Article 38. The ANPD may require the controller to prepare it, including for processing based on legitimate interest. The law leaves the detailed content to the regulator but requires, at a minimum, a description of the types of data collected, the methodology used for collection and for guaranteeing the security of the information, and the controller's analysis of the measures, safeguards and risk mitigation mechanisms adopted. The LGPD sets no 90-day time limit and no separate penalty for the report itself.
The report must be documented and made available to the ANPD on request; there is no fee. Article 55-J gives the ANPD the power to supervise processing, issue regulations and apply sanctions, and it may determine corrective measures after reviewing a report; the deadline for implementing such a measure is set in the ANPD's decision rather than fixed by the law.
Costs and Timeline
The LGPD does not set compliance costs; they depend on the organization's size, the volume and sensitivity of the data it processes, and the maturity of its existing security controls. Nor does the law grant a 12-month implementation window: the substantive obligations have applied since September 18, 2020, and the ANPD has been able to apply administrative sanctions since August 1, 2021.
In practice, organizations should budget for mapping data flows and legal bases, implementing and maintaining security measures, training staff, operating the data protection officer function, and preparing impact reports when required. The one statutory timeline that recurs in daily operations is the 15-day deadline in Article 19 for responding to confirmation and access requests; a controller that misses it is exposed to the sanctions in Article 52, not to a fixed dollar fine.
State-by-State Differences
There are none. The LGPD is a federal law that applies uniformly across Brazil, and since Constitutional Amendment No. 115/2022 the protection of personal data is a fundamental right under the Constitution and the Union has exclusive competence to legislate on the protection and processing of personal data. Neither São Paulo nor any other state has a separate data protection law that adds requirements or deadlines to the LGPD.
In plain terms, organizations operating in several Brazilian states follow one set of rules, enforced by the ANPD. Sector-specific regulation (for example, in banking or telecommunications) may add obligations, but it does not vary by state. Data subject requests for confirmation or access are answered under the single 15-day deadline of Article 19, with no fee.
What Can Go Wrong
Non-compliance exposes the organization to the administrative sanctions in Article 52: a warning with a deadline for corrective measures; a simple fine of up to 2% of revenue in Brazil in the previous fiscal year, net of taxes, capped at R$50 million per infraction; a daily fine subject to the same cap; publication of the infraction; blocking or deletion of the personal data concerned; partial suspension of the database operation for up to six months, extendable once; suspension of the processing activity; and partial or total prohibition of processing. Payment and implementation deadlines are set in the ANPD's decision, which must weigh factors such as the seriousness of the infraction, the degree of damage, the offender's cooperation, and whether it had adopted governance and good-practice mechanisms.
In practice, the failures most likely to draw enforcement are the ones the law spells out: no appointed data protection officer, no record of processing activities, security measures inadequate for the data handled, a security incident that is not reported to the ANPD and the affected data subjects, and data subject requests that go unanswered past the 15-day deadline of Article 19.
The ANPD has been enforcing the LGPD since sanctions became applicable in August 2021, initially with an emphasis on guidance and on regulating points the law left open. It has since issued regulations on topics such as the calculation and application of sanctions and the treatment of small-scale processing agents, and it maintains a public regulatory agenda; the law itself sets no deadline for completing that work.
