Brazilian GDPR Enforcement Starts August 2020
It can be head-spinning to try to keep up with all that is going on in the United States with regards to privacy and cyber security. If you are a global organization doing business in Brazil, your job just got a little more complicated. The Brazilian General Data Protection Law (or LGPD, in Portuguese), aka the Brazilian GDPR, goes into enforcement in August 2020. If you are a company that does business in Brazil, hopefully this is not news to you!
The LGPD is Brazil’s first comprehensive federal data protection regulation and was sanctioned in August 2018. The law “created rules for the processing of personal data carried out by a natural person or legal entity, both online and offline.” Some important things to note, because in the U.S. we seem to care more about how much it will hurt me if I don’t comply: punishments can range from a simple warning, to a possible fine of up to 13 million U.S. dollars, to a possible ban on all data-processing activities. So, it has some teeth, especially if you have significant ties to the country.
There are four main phases a company should walk through for compliance. These should sound very familiar…
Assessing the company’s activities (Assessment)
Building a compliance program with new governance and good practice standards (Program Development)
Developing awareness and data protection culture within the company’s environment (Training)
Day-to-day compliance plan reviews and maintenance (Continuous Improvement)
Oftentimes people on both the technical side and the legal side look at me like I have three heads when I say none of these laws are new. What the laws are asking you to do is something any company should already be familiar with; it is not like learning a new skill. It is the same process used before: assess the problem, develop a program that defines the processes, procedures, etc. for how your company is going to deal with the problem, train your staff, monitor for effectiveness, and change as necessary. The panic that arises when you see a law like LGPD, or any other privacy and/or cyber security law, comes from the fact that for so long organizations have been self-regulated (trust me), and now the law is asking you to actually prove it.