On August 1, 2021, articles 52 through 54 of Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados or LGPD), the articles that establish administrative sanctions, come into force. For businesses that handle data obtained in Brazil, time is running out to prepare for the LGPD, which is Brazil’s counterpart to the GDPR, the European Union’s General Data Protection Regulation. Given that it provides for fines of up to 50 million Brazilian reais (around US$9 million) per infraction, companies doing business in or with Brazil cannot afford to take the LGPD lightly.
To avoid fines and other negative impacts, companies must develop and implement comprehensive data protection policies for personal data obtained in Brazil. In particular, businesses should:
1. Formulate a robust data policy that clearly establishes the company’s commitment to data privacy, to the correct use of information and, ultimately, to the interests of consumers.
2. When obtaining personal data in Brazil, identify and document the legal basis for each use of that data, and, where consent is the basis relied on, obtain it for each use and keep appropriate records of it.
3. In case of a breach or unauthorized use, have a contingency plan ready to promptly inform the affected data subjects and the relevant Brazilian authorities.
4. Carefully document every action taken in response to a breach, such as internal meetings, communication with data subjects, and mitigation measures.
Savvy companies will accept that, despite their best efforts, breaches may still occur. For that reason, in the aftermath of an incident, they will be ready to explain their preventive work over time, in addition to any remedial steps. Being able to point to a clear data policy, as well as to specific protocols geared toward the protection of consumers’ data, will help establish the company’s good-faith efforts to avoid incidents in the first place. Article 52 expressly lists the infractor’s good faith, the adoption of good-practice and governance policies, and the prompt adoption of corrective measures among the factors the authorities must weigh when deciding on a sanction, so this record is likely to work in the company’s favor.
In conclusion, be prepared.