By Marcelo Carvalho, DATAPEERS commercial in Brazil
The LGPD (Law No. 13.709, of 08/14/2018) entered into force in Brazil on September 18, 2020, and with this we became part of a select group of countries that have specific legislation for the protection of the personal data of their citizens.
The main goals of the LGPD are:
• Ensure the right to privacy and protection of users’ personal data through transparent and secure practices, guaranteeing the fundamental rights of Brazilians;
• Establish clear rules regarding the processing of personal data;
• Promote competition and free economic activity with data portability;
• Strengthen the security of legal relationships and the holder’s trust in the processing of personal data.
LGPD compliance is not an option. A company that does not comply with security regulations is subject to a fine of up to 2% of its revenue, in amounts that reach R$50 million, and may have its activities suspended by the National Data Protection Authority.
The Importance of Data Anonymization and DATAPEERS
The General Law for the Protection of Personal Data mentions anonymized data, that is, data that originally related to a person but went through steps that ensured it was unlinked from that person. If data is masked, then the LGPD will not apply to it. Note that data is only considered effectively anonymized if it does not allow, by technical or other means, the path to be reconstructed to “discover” who the owner of the data was. If identification can occur in any way, then the data is not, in fact, anonymized: it is pseudonymized data and will then be subject to the LGPD.
According to specialists, masked data is essential for the growth of artificial intelligence, the internet of things, machine learning, smart cities and behavior analysis, among others. They also advise that, whenever possible, a public or private organization should anonymize personal data, as this improves information security in the organization and thus generates more trust in its services among its audiences.
DATAPEERS is an innovative and automated solution that allows data anonymization and masking and helps companies comply with the privacy requirements of their data, increasing the quality of software development, testing and certification processes, ensuring greater flexibility and protection of information that sometimes needs to be shared with customers, suppliers and service providers.
DATAPEERS ensures that sensitive data is replaced with new anonymized data and that the new data is secure and consistent with the originals.
It is likely that you have heard of LGPD or GDPR, and even know the main purpose of the regulation. However, despite having the same basic concept, they also have some differences that you should know, especially if you are operating simultaneously in the European and Brazilian markets.
To help you, we briefly clarify the main SIMILARITIES AND DIFFERENCES between the two regulations.
| | GDPR | LGPD |
|---|---|---|
| Description | General Data Protection Regulation | General Data Protection Law |
| Date of entry into force | May 25, 2018 | August 20, 2020 |
| Where | European Union | Brazil |
| Who oversees | CNPD (National Data Protection Commission) | ANPD (National Data Protection Authority) |
| Main Concepts | • Protection of Personal Data (name, email …) • Regulates consumers’ rights and duties of companies regarding data collection and processing • Determines the concept of sensitive personal data | |
| User guarantees | • More Privacy • Stricter control over your personal information • Greater transparency | |
| Security Means | The data must be encrypted and masked in databases | Guidance for keeping data safe (each company defines how to protect it) |
| International Application | Companies that collect, store and use EU citizen data must match the GDPR | • Companies that collect, store and use data from Brazilian citizens must comply with the LGPD • Companies in Brazil that have their business in the EU must adopt the 2 standards |
| Data Portability | • The holder is entitled to require that his data be transferred to another service provider • The holder must be informed about all transitions / portabilities to which his data is subject. | |
| Data leakage | • Must be reported within 72 hours after being detected • The consumer must be informed | • Must be reported shortly after being detected • The consumer must be informed |
| Consent to obtain data | • Explicit consent • You may have to demonstrate to the authorities how you got permission from the holder | • Holder consent is not required |
| Exceptions | • Execution of a public policy provided for by law • Compliance with a legal obligation • Conducting studies through research bodies • Protection of a citizen’s credit • Preserving a citizen’s life and physical integrity |
Data security is an increasingly important issue for the future of companies, so it is essential to find solutions that prevent a possible breach. One of the most efficient ways to prevent it is to ensure that sensitive data is masked through a consistent, controlled solution that is compatible with the organization’s entire information system.