As the digital age continues to grow, data protection and privacy have become significant issues worldwide. Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) is a recent legal framework that has raised attention with its comprehensive guidelines for managing personal information in business operations.
The LGPD principles are designed as stringent standards to ensure that everyday internet users can stay protected without fear of misuse or exposure by businesses.
This article offers business owners some valuable insights into how they should handle customers’ crucial data while operating with Brazilian residents—a detailed overview of each guideline highlighted under the ten LGPD principles.
Key Takeaways
LGPD principles are outlined in Article 6 of the law, “Principles That Govern Processing Activities.”
The LGPD principles are: purpose, adequacy, need, free access, data quality, transparency, security, prevention, non-discrimination, and responsibility and accountability.
Failure to comply with these principles can lead to fines of up to 50 million Brazilian reals ($10 million), legal action from data subjects, criminal charges, loss of data processing privileges, damage to reputation, and loss of customer trust.
LGPD Explained
LGPD Explained.jpg
LGPD, or Lei Geral de Proteção de Dados, is a data protection law created to regulate and protect the personal information and data privacy of Brazilian residents and how businesses can process their data.
The law became effective on 18 September 2020, and while it has similarities with other laws like the CPRA and the GDPR, it still has its unique provisions and requirements.
The LGPD is enforced by the Brazilian National Data Protection Authority (ANPD) and applies to businesses and organizations processing data of Brazilian residents. Your business does not need to be located in Brazil for it to apply to your business.
The main purpose of LGPD is to give individuals more control over their personal data and ensure that businesses handle it responsibly. It also aims to create a safer online environment by promoting transparency and accountability in data processing.
10 LGPD Principles
10 LGPD Principles.png
The 10 LGPD principles are laid out in Article 6 of this law, “Principles That Govern Processing Activities.” They include:
Purpose
Adequacy
Need
Free access
Data quality
Transparency
Security
Prevention
Non-discrimination
Responsibility and accountability
Let’s look at each of these principles and explain their importance.
1. Purpose
This LGPD principle demands that you have a “legitimate, specific, explicit, and informed purpose” for processing data. In other words, a company must have a very good reason to collect, use, and store their customers’ personal information.
This principle is important because it ensures that companies are transparent about why they are collecting personal data and how they will use it. It also helps prevent the misuse of personal information for purposes other than what was agreed upon by the individual.
2. Adequacy
The principle of adequacy ensures that the first principle (purpose) is followed. Namely, the processing activity must be in line with the processing purpose that the company reported to the customers whose data it is processing.
This principle emphasizes the importance of honest and accurate communication with customers about data processing activities.
3. Need
The principle of need or necessity requires that the business doesn’t collect or process more data than it needs to fulfill its purpose.
This is important because it promotes data minimization, where companies only collect and process the minimum amount of personal information necessary to achieve their goals.
This helps protect individuals’ privacy rights by limiting the amount of sensitive data that is collected and stored.
4. Free Access
The fourth LGPD principle guarantees data subjects free access and transparency to their data during processing.
This implies that at any moment, individuals should be able to ask to access, correct, or remove their personal information. This key principle encourages openness and responsibility in businesses by allowing clients total control over their own data.
5. Data Quality
According to the fifth principle of LGPD, personal data the company collects must be accurate and up-to-date. This means that companies have a responsibility to regularly review and update the personal information they hold.
This principle is important because inaccurate or outdated data can lead to incorrect processing decisions, potentially harming individuals. It also promotes trust between customers and companies by ensuring the accuracy of their personal information.
6. Transparency
This principle guarantees that the data subjects will receive honest, accurate, and clear information about their personal data from the company at all times.
This means companies must provide individuals with a clear understanding of how their data is being collected, used, and stored. It also requires companies to inform customers about any changes or updates to their privacy policies.
7. Security
The security principle revolves around establishing adequate measures by companies to avoid unauthorized access, potential thefts like identity theft, unlawful modifications, or losses associated with customers’ sensitive data.
Security is crucial for safeguarding personal information and protecting individuals from potential harm or identity theft. It also ensures that companies are taking responsibility for properly securing the data they collect.
8. Prevention
Prevention always goes together with security. As such, the principle of prevention covers the measures the business will adopt and take to prevent unauthorized access, data breach, destruction, loss, or alteration of data.
This principle requires companies to proactively identify and address potential security vulnerabilities before they lead to a data breach. By taking preventative measures, companies can minimize the risk of misuse or unauthorized access to personal information.
9. Non-Discrimination
The list of potential purposes for processing can be very long. However, it does not include discrimination, abuse, or other illicit purposes.
This implies that personal information must not be leveraged to discriminate against specific individuals or groups.
Companies are responsible for ensuring their data processing activities do not lead to unfair treatment or discrimination due mainly, but certainly not limited only, to grounds such as race, gender, religion, and sexual orientation, among others.
10. Responsibility and Accountability
The “final” LGPD principle requires the company to adopt and use the necessary measures that will prove regulatory compliance, and that they can also prove the effectiveness of those measures.
Responsibility and accountability go hand in hand with all of the other principles. Companies must take responsibility for their processing activities, ensuring that they are following these compliance principles and protecting individuals’ personal information.
How to Comply with Each LGPD Principle?
Understanding each LGPD principle and how to comply with it will make it much easier to stay compliant with the whole law and avoid hefty fines and penalties.
Here are some actionable and practical steps to take to comply with the 10 LGPD principles.
Purpose
The principle of purpose requires the company to have a specific, clear, and legitimate purpose for processing personal data. Take these steps to make sure your company is compliant:
Take an inventory and categorize all personal data your company collects, collects and uses
Clearly define why you are collecting data
Create a privacy policy or notice that will tell customers why their data is being collected and processed
Get data subjects’ consent for processing their data. This consent needs to be explicit and informed.
Only collect data necessary for fulfilling a specified purpose
Adequacy
Your organization should take the following steps to comply with the principle of adequacy:
Identify and implement the right data transfer mechanisms if you transfer data outside of the EU. These include Adequacy Decisions, Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs), or obtain their explicit and informed consent
Perform a DPIA for high-risk data processing activities
Ensure that 3rd-party vendors and service providers you share personal data with have adequate measures to protect data on their end
Review and revise your data processing activities and ensure they are limited to their purposes
Inform data subjects and ensure they can exercise their rights
Need
Here are five actionable steps you can take to ensure compliance with this principle:
Define and document the specific and legitimate purpose for data processing
Collect and process only the minimum of data necessary for the processing purpose
Educate and train your employees on the importance of following this principle
Inform data subjects on the purpose of collecting and using their data and ensure they can access, correct, or delete their personal data
Monitor and perform regular audits of your data processing activities
Free Access
To comply with the LGPD principle of free access, the business can take the following practical and actionable steps:
First, set up data procedures for individuals to request access to their personal data
Next, define a timeframe in which you must respond to their request. Article 19 says the response must be given within 15 days
Make sure that the request comes from the data subject and not an impostor through identity verification measures
Give data subjects a way to access and view their data
Keep records and document all data access requests, including times, responses, actions, and other details to prove your compliance
Data Quality
Adhere to these practical steps to ensure compliance with LGPD’s principle of data quality:
Ensure you have accurate information by having solid data collection procedures
Verify and validate data for authenticity and accuracy
Identify and correct errors, duplicates, and inconsistencies and remove irrelevant and out-of-date data
Ensure data subjects can easily request correction or deletion of their data
Transparency
Follow the principle of transparency with these steps:
Create and maintain a privacy notice or policy on your website to inform data subjects on how you will collect, use, and process their personal data. This notice/policy should be prominent on your website and easily accessible
Communicate data subject rights (right to confirm and access, right to correct, right to delete, right to portability, right to consent, right to information, and right to object) clearly. Article 18 of the regulation outlines these rights
Keep a record of data processing that you can provide to the authorities upon request
Get consent from data subjects before processing their personal data
Implement data breach notification procedures for both data subjects and authorities
Security and Prevention
LGPD principles of security and prevention are closely intertwined so we’re going to put them together here and give you 5 steps you can take to be compliant with them:
Conduct a Data Protection Impact Assessment (DPIA) for data processing activities with a high risk of harming the data subject’s rights and personal safety as per Article 38 of LGPD
Ensure both security by design and by default and that you prioritize user privacy and security
Create a culture of security awareness in your company through regular security training, awareness, and education
Create and follow an incident response plan that will help you detect, respond to, report, and mitigate security incidents
Prevent unauthorized data access with role-based permissions, access control, and data encryption in transit and at rest
Non-Discrimination
Follow these steps to comply with the principle of non-discrimination:
Only collect the data that is necessary for the specified purpose
Do not discriminate against data subjects who want to exercise their rights
Treat all data subjects equally – do not treat certain categories of people differently because they are in that category
Address and correct any discriminatory practices promptly
Regularly review and audit your data processing activities to ensure compliance with this principle
Responsibility and Accountability
Last (but certainly not the least) LGPD principle is the principle of responsibility and accountability. Here are the steps a business can take to comply with it:
Designate a person who will be responsible for data protection compliance within the company – Data Protection Officer (DPO), according to Article 41 of the regulation.
Establish data protection procedures and policies that align with the LGPD
Document your data processing activities, risk assessments, DPIAs, and other security measures to protect personal data
Clearly communicate their rights and how they can exercise them to your data subjects and respond timely to their requests
Perform regular audits to ensure your compliance with the LGPD and address any non-compliance and violations
What Happens if I Don’t Follow the LGPD Principles?
On their own, LGPD principles are not a law, but they do serve as an important guide. Not following them will inevitably result in non-compliance with the regulations and fines.
LGPD fines can go up to 50 million Brazilian real ($10 million or €9.3 million) or 2% of the business’s annual revenue.
In addition, a non-compliant business can also face loss of data processing privileges by the ANPD, legal action from affected data subjects, criminal charges, and, finally, loss of consumer trust and damaged reputation.
Closing
Now you know all the LGPD principles and how to follow them properly. You should follow the LGPD principles to comply with the Brazilian protection law. However, this task can be complex. But you don’t have to do it alone.
Instead, get in touch with data privacy and compliance experts from Captain Compliance today and ensure your business’s compliance with global privacy policies.
FAQs
What are the 10 principles of LGPD?
The 10 principles of LGPD are set out in Article 6 of this law they are:
Purpose
Adequacy
Need
Free access
Data quality
Transparency
Security
Prevention
Non-discrimination
Responsibility and accountability
Is LGPD the same as GDPR?
While LGPD and GDPR are both data protection laws and have similarities, these are different regulations. LGPD is a data protection law in Brazil, which means that it applies to Brazilian businesses and residents.
At the same time, GDPR is a data protection law in the EU and applies to EU businesses and residents.
What does LGPD stand for?
LGPD stands for “Lei Geral de Proteção de Dados”, or “General Data Protection Law.”
What is LGPD compliance?
LGPD compliance refers to regulatory compliance with the Brazilian data protection law, LGPD. This law applies to the territory of Brazil and regulates the protection of the personal information and data privacy of the residents of Brazil.