s

LGPD compliance

The Brazilian General Data Protection Act (Lei Geral de Proteção de Dados Pessoais)

Loosely based on GDPR (the data protection regulation enacted by the EU), LGPD is Brazilian legislation that regulates the activities of processing personal data. It was approved on July 10th 2018 and took effect on August 15th 2020.

CookieHub helps you make your web site LGPD compliant using various methods designed to comply with the requirements related to storage and processing of personal information. Of course, there’s more to know about LGPD and the exact things you should be doing to remain in good standing.

What Does The LGPD Do?

The LGPD establishes the conditions under which personal data can be processed, defines a set of rights for data subjects, creates specific obligations for data controllers and creates a series of procedures and standards so that greater care is taken with the processing of personal data and sharing with third parties.

Is The LGPD The Same As GDPR?

If you were to read through this legislation, you might find find a lot of similarities between LGPD and GDPR, but they are not identical. While certainly inspired by the EU's regulations, the LGPD differs in many ways -- starting with its 10 legal bases.

Therefore, being GDPR compliant does not automatically make you LGPD compliant, nor vice versa. That's why Cookiehub helps you be in compliance with both GDPR and LGPD.

What Happens If I’m Not In Compliance?

Failing to be in compliance with LGPD could land you in hot water, with fines costing you up to BRL $50M (about €8M or US$9M) alongside law suits and sanctions. If you have any users based in Brazil and you store and/or process their data within the territory of Brazil, you absolutely have to comply with this legislation.

What Do I Need to Do to Comply?

Like most regulations of its kinds, LGPD has a long checklist of things you need to be doing as a website owner to ensure you’re in compliance. To start, you’ll need to…

  • Document your legal bases for processing Brazilians' personal information. You have to define a basis for every kind of data you collect and then document it in your processing records.
  • Maintain records of the data you process.
  • Include the necessary disclosures within your site's Privacy Policy.
  • Collect users' valid consent and maintain proof of that consent.
  • Develop the right processes for honoring users rights and responding to relevant requests.
  • Implement privacy by default, meaning the default setup for everything must offer the highest possible security.
  • Implement a protocol for keeping user data safe and secure, including an incident response plan and remediation plan in the event of a leak or attack.
  • You must notify the DPA and its users in the event that a data reach occurs and poses "significant risk or damage" to your users.
  • Remain in compliance with the requirements of cross-border data transfer policies.
  • Appoint a Data Protection Officer (DPO) tasked with managing all of these activities.