Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

The Brazilian LGPD is Here: What You Need to Know

352 visualizaciones

Publicado el

After a number of postponements and many discussions about further delay, the Brazilian Lei Geral de Protecção de Dados Pessoais (General Data Protection Law, LGPD) is on the verge of entering into force. In a surprise move, the Brazilian Senate on Wednesday 26 August decided not to agree to a further postponement, but to let the law enter into application immediately. Enforcement of the law will start in August 2021.

While waiting for the official start sign of the law, this seems to be the right moment to take another look at what the LGPD requires from organizations doing business in Brazil. When looking at the new Brazilian law, it is immediately clear that there is a fair amount of overlap between the LGPD and the GDPR. This is no surprise - the LGPD is an omnibus data protection law as well, modeled after the GDPR. It explicitly recognises that data protection is linked to the respect for privacy, to informed self-determination and human rights, but also to free enterprise and free competition.

Join this webinar to learn about LGPD requirements and what is required from organizations doing business in Brazil.

This webinar will review:
-The current status of LGPD and its enforcement timeline
-Requirements for organizations doing business in Brazil including accountability, legal bases, individual rights and International transfers
-How to prepare for compliance

Publicado en: Tecnología
  • Sé el primero en comentar

  • Sé el primero en recomendar esto

The Brazilian LGPD is Here: What You Need to Know

  1. 1. © 2020 TrustArc Inc. Proprietary and Confidential Information. The Brazilian LGPD is Here: What You Need to Know September 16, 2020 1
  2. 2. Speakers 2 Paul Breitbarth LL.M Director, EU Policy & Strategy TrustArc Christina Fratschko HBA, MLIS, CIPP/US Privacy Research Specialist, Privacy Intelligence TrustArc Jucival Dos Santos MBA Managing Principal & Founder Assent Trust
  3. 3. Agenda 3 ● The current status of LGPD and its enforcement timeline ● Requirements for organizations doing business in Brazil including accountability, legal bases, individual rights and International transfers ● How to prepare for compliance
  4. 4. © 2019 TrustArc Inc Proprietary and Confidential Information The current status of LGPD and its enforcement timeline
  5. 5. Adoption of the LGPD 5 16 August 2020 Expected entry into force of LGPD Proposal to postpone to 3 May 2021, because of COVID-19 26 August 2020 Senate rejects 2021 postponement Publication of the ANPD Decree (regulator) Before 17 September 2020 President Bolsonaro confirms application of LGPD August 2021 LGPD penalties can be imposed
  6. 6. © 2019 TrustArc Inc Proprietary and Confidential Information Requirements for organizations doing business in Brazil
  7. 7. Legal Bases 7 I. Consent II. Compliance with a legal obligation III. Public administration for public policies IV.Research V. Execution of a contract, or preliminary procedures for a contract VI.Legal procedures VII.Protection of life or physical safety VIII.Protection of health [only for healthcare professionals] IX.Legitimate interests X. Protection of credit Article 7 LGPD et seq.
  8. 8. Individual Rights 8 ● Data ownership ● Confirmation of the existence of processing ● Access ● Correction ● Anonymization, blocking or deletion of unnecessary or excessive data ● Data portability ● Withdrawal of consent, followed by deletion ● Information about data sharing Article 17 LGPD et seq.
  9. 9. International Transfers 9 ● International data transfers: the transfer of personal data to a foreign country or to an international entity of which the country is a member. ● Main Rule: data transfers only to adequate countries ○ Brazilian DPA will need to draft the list once up and running ○ Criteria: applicable data protection regime and the nature of the data; alignment of security requirements with the LGPD; existence of judicial and institutional guarantees for respecting the rights of personal data protection ● Alternative: transfers based on sufficient guarantees the data will be protected ○ standard contractual clauses or ad hoc agreements; ○ global corporate rules (like BCRs and CPBRs); ○ public interests; ○ consent; or ○ following approval by the DPA. Chapter V LGPD
  10. 10. Data Breaches 10 ● Security incidents that may lead to material risk or harm must be reported, in a reasonable time period, to the national authority (to be the DPA), and affected data subjects. ● The notification should include a: ○ description of the nature of personal data affected; ○ information about affected data subjects; ○ an indication of the technical and safety measures used to protect personal data; ○ risks related to the incident; ○ measures that will be adopted to reverse or mitigate the effects of the incident; and ○ reasons for any delayed notification. ● The DPA may require controllers to adopt measures such as: ○ wide dissemination of the incident to the media; and ○ measures to reverse or mitigate the effects of the incident. Article 48 LGPD
  11. 11. Accountability Obligations 11 ● One of the key principles of the LGPD ● Both controllers and processors will need to be able to demonstrate “the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures” ● Includes: ○ Appointment of DPO (subject to ANPD guidance) ○ Processing activities register ○ Impact and Risk Assessments (subject to ANPD guidance) ● Suggestion to develop a privacy compliance program ○ Demonstrating commitment to adopt internal processes and policies that ensure broad compliance ○ Establishing adequate policies and safeguards based on a process of systematic evaluation of the impacts on and risks to privacy ○ Integrate privacy governance into the general governance structure ○ Regular updates Article 6(x) and 50 LGPD
  12. 12. © 2019 TrustArc Inc Proprietary and Confidential Information The new Brazilian Data Protection Authority
  13. 13. Main Characteristics of the ANPD 13
  14. 14. Main characteristics of the ANPD 14 ● The ANPD will be part of the Federal Administration and bound to the Executive Office of the President ● Two main bodies of the ANPD are: ○ The Board of Directors: ■ This is the top executive body and is comprised of 5 members, including the Chairman, who has normative, investigatory, and corrective powers ○ The National Data Protection and Privacy Council (aka the Advisory Board): ■ This is a consulting body, comprised of 21 members who are chosen among representatives of different bodies of the administration, the Legislative Branch, the Judicial Branch, and entities representing civil society organizations ● ANPD officials will be appointed based on a reappointment of the budget of the Ministry of the Economy, and the President will have the authority to appoint the Board and Council Members ● Board Members will have a 4 year term, however the terms of office of the first members of the Board will be 2, 3, 4, 5, and 6 years ● Council members will have a 2 year term and reelection is permitted only once ● The Decree will come into force upon publication of the appointment of the Chairman of the Board by the President
  15. 15. Powers of the ANPD 15 ● ANPD Responsibilities Includes: ○ Ensuring protection of personal data ○ Editing procedures of protection of personal data ○ Requesting information from controllers and processors, at any time, on processing operations ○ Inspecting and applying sanctions for processing violations ○ Carrying out audits to determine compliance with the LGPD ○ Communicating any criminal offenses to competent authorities ○ Promoting cooperation actions with personal data protection authorities of other countries ○ Ensuring processing of data on the elderly is carried out in a simple, clear, accessible and appropriate way for their understanding ○ Imposing administrative sanctions
  16. 16. Powers of the Board of Directors of the Executive Board 16 ● Requesting from Controllers: ○ An impact report on the protection of personal data when processing is based on legitimate interests ○ Supplementary information and carry out checks on processing operations, in the context of approving international data transfers ● Authorizing International Data Transfers: ○ Including evaluating the adequacy of other countries' personal data protection ● Regulating: ○ Communication or shared use of sensitive personal data between controllers for economic advantage ○ Access to personal databases by research bodies when carrying out public health studies ○ Ethical standards related to studies and research: ■ Including the use of anonymization or pseudonymization ○ Portability of personal data between service or product supplies ○ Presentation format of data sent to data subjects upon their request: ■ i.e., that it is provided in a format that allows its subsequent use ○ Communication or shared use of personal data from legal entities under public law to legal entities under private law
  17. 17. Powers of the Directing Council of the Executive Board 17 ● Providing: ○ Standards and techniques used in anonymization processes ○ Forms of publicity for data processing operations carried out by legal entities governed by public law ● Determining: ○ Cessation of processing when there is a violation of the LGPD ○ Performance of an audit to verify discriminatory aspects in automated processing of personal data ○ Adoption of correction measures based on the severity of security incidents ○ Deadline to report a data breach ○ Methodologies that will guide the calculation of sanctions
  18. 18. Project of Legislative Decree 394/2020 18 ● Key Aspects of the Proposal - More Autonomy for the ANPD: ○ The proposal seeks to suspend certain provisions from Decree No. 10,474 of August 26, 2020 which this deputy believes reduces the autonomy of the ANPD ○ Concerns include: ■ Overarching power by the President, as he appoints the Board of Directors, who in turn appoint an Advisory Board off of a list of criteria established by the Board of Directors ■ Article 37 from Decree No.10,474, which gives the ANPD power to appoint military help when needed, however the military will only respond to the President and not the ANPD ■ The presidency of the CNPD will be exercised by the Representative of the Civil House of the Presidency
  19. 19. © 2019 TrustArc Inc Proprietary and Confidential Information How to prepare for compliance?
  20. 20. Regulation Knowledge 20 Source: TrustArc Global Benchmarks Survey 2020
  21. 21. Regulation Knowledge 21 Source: TrustArc Global Benchmarks Survey 2020 What is the overall impact of the following regulatory requirements on your business?
  22. 22. How to prepare for compliance? 22 1. Understanding your legal requirements under LGPD ○ Ongoing activity - due to yet to be drafted ANPD guidelines 2. Assess your Brazilian data processing operations (+ create register) ○ Processing taking place in Brazil ○ Processing targeting the Brazilian mark ○ Processing personal data from persons in Brazil 3. Document data transfers to and from Brazil 4. Update Individual Rights procedures to deal with LGPD requirements and deadlines 5. Keep documentation of all implementation steps
  23. 23. Why TrustArc 23 The Combination of Automation, Intelligence and Dedicated Success Teams This automated, single platform experience delivered through its unique combination of privacy frameworks, intelligence, knowledge and operations. Complete Automation Embedded Deep Intelligence Dedicated to Success Only TrustArc can deliver the depth of privacy intelligence that’s essential to today’s ever- changing digital world combined with a fully-automated platform for end-to-end privacy management. Our comprehensive onboarding with dedicated customer success teams can be augmented with privacy and compliance consulting expertise to build and grow successful privacy programs 23
  24. 24. 24 Platform Capabilities PRIVACY SOLUTIONS Regulatory Insights and Monitoring Privacy Program Assessments Risk Management Frameworks and Planning Consent Management Privacy Rights Management Breach Response Audit and Assurance Compliance Monitoring Awareness and Training Task Management and Action Plans Reporting DataCapture Applications External API’s KNOWLEDGE BASE Data Inventory Hub My Company Info Tracker Scans Intelligence System(IoP) Libraries TrustArc Privacy and Data Governance Accountability Framework Law and Regulatory Standards Repository INTELLIGENCE ENGINES Deep Intelligence + Complete Automation How TrustArc Helps: Data Privacy Management Platform
  25. 25. TrustArc Resources 25
  26. 26. © 2019 TrustArc Inc Proprietary and Confidential Information Q&A
  27. 27. Upcoming Webinars 27 Past Webinars Cookie Consent Regulatory Updates: How to Maintain Compliance September 30, 2020 @ 9:00 PST The Brazilian LGPD is Here: What You Need to Know Free Download How to Leverage Your GDPR Compliance for CCPA, Privacy Shield & More New Requirements Free Download
  28. 28. © 2019 TrustArc Inc Proprietary and Confidential Information Thank You! See for the 2020 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to for a free demo.