On August 14, 2018, the new General Law for the Protection of Personal Data was passed, regulating the use, protection and transfer of personal data.

Although legal obligations and penalties will become effective as of February 2020, many companies have already had to comply with the GDPR (General Data Protection Regulation) – in force in the European Union since May 2018 and are preparing to transition to a regulated data economy.


The LGPD applies to companies that are established in Brazil, offer services to the Brazilian market / consumer and collect / process data from people located in the country.

Which business areas are impacted by the LGPD?

  • Marketing
  • Software and IT development
  • Product Management
  • Legal
  • Compliance
  • Human Resources
  • Services and Logistics
  • Data analysis

In practice, each organization will have to establish criteria for each piece of information about people (employees, customers, prospects, etc.) and restrict exposure and risk to what is needed to provide the service.

According to the LGPD, personal data is any information that can lead to the identification of a person, directly or indirectly. Ex .: cadastral data, location data, electronic identifiers, consumption habits, preferences, etc.

Operations such as data transfer, load shifting between data centers, or global service delivery tend to be restricted to countries with comparable legislation. Brazilian law has some slightly different criteria of protection and is more precise on items such as definition of “anonymous data”. But the principles of purpose, consent, responsibilities, and penalties prevail.

Several mechanisms of the Data Protection Act complement or ratify existing rules, such as the Civil Internet Framework or global regulations such as PCI.

In terms of technology and data security approaches, there is much to be gained in companies in sectors subject to some regulation. But the legal framework also reinforces the attention of partners, customers and consumers to the way in which their data is handled.

Personal, sensitive and anonymous data

According to the law, “the data processed or collected in the national territory, or that serve the supply of goods and services in the Brazilian market” is protected.

The concept of “sensitive data” is very comprehensive and includes metadata such as: IP address, location, and clearly personal information.

Possibly due to the contribution of professional associations, the text brings strong protection of the individual right, without encoding the technology or business models based on data science.

In relation to “anonymous” data, the law imposes the guarantee that they can not be reversed, for identification of the original data, with “reasonable technical means available at the time of its treatment”. That is, personalization of services, statistical analysis and other ways to leverage data need not be discarded as long as the information is not personally identifiable.

New data collection, transfer and governance procedures

The principles of Purpose and Consent guide both GDPR and Brazilian law. In summary, it is illegal to use or transfer personal data for purposes that are not expressly authorized by the citizen. “The consent must refer to specific purposes, and generic authorizations for the processing of personal data are null and void,” Article 8, paragraph 4, makes explicit. “Consent may be revoked at any time, by express expression of the owner, through a free procedure and facilitated, “says the following paragraph.

Cloud data and international transfers

The law does not go into details about location and sovereignty of data. Article 3 itself, which typifies data under protection, makes it clear that the application is “irrespective of the environment, the country of its seat or the country in which the data are located”.

Articles dealing with international data transfer are relatively flexible, provided that the rules of purpose and consent are met, there are no general restrictions on storage or treatment outside the country. However, it is left to the “competent body” to ratify national laws, codes of conduct of global corporations and other criteria to regulate international transfers.

Typically, there are three criteria for defining data sovereignty:

– physical (where the data is stored);

– by jurisdiction (the power of the national authority over the website on which the data is held); and

– logical sovereignty (who encrypts, accesses and manages).

It is a fact that GDPR and similar laws encourage global providers to invest in local data centers, but rules based on physical location tend to fall into disuse.

In summary, the tendency of the compliance auditors or certifiers is to look at the information’s protection itself. Whether you’re on the company server, in the cloud, or traveling the network. What matters is to ensure that the data can only be viewed, transferred or changed according to the guidelines of the law.

Responsibility of providers, data owners

Data protection laws do not go into detail about infrastructure and technology architecture, because it would compromise their longevity. Security and compliance issues, as well as the distribution of responsibilities, are peculiar in each case.

Potential losses and internal risks

In addition to responding to damage from leaks or misuse of data, among the expected penalties of the LGPD, is a fine of up to 2% of the organization’s gross annual revenue.

Notification of leak or breach incidents is mandatory to the “competent body”, which will determine whether or not the public communication to the data subjects and other interested parties will be made. However, it allows for mitigation of possible sanctions if the organization has demonstrated intent with good practices and audited action plans to minimize damages.

The scope of LGPD across organizations will extend the data issue to various levels. Clarity about risks is no longer restricted to technologists. Of course, today’s oversights, such as exposing critical data to the most elementary attacks, will soon make business unfeasible. One of the predictable counterparts of this maturing of companies, unfortunately, must be the proliferation of attempts to entice employees or users with privileged access.