TRUNOMI SOLUTIONS TO THE BRAZIL GENERAL DATA PROTECTION LAW (LGPD)

Posted 11th December 2018 by in GDPR, LGPD, Whitepaper

The Data Rights Management Regulations Driving Innovation

TRUNOMI SOLUTIONS TO THE BRAZIL GENERAL DATA PROTECTION LAW (LGPD) 

Abstract

This whitepaper offers a comprehensive overview of the incoming Brazilian General Data Protection Law (LGPD), and how the Trunomi platform helps Controllers efficiently solve key articles of incoming regulation, avoid heavy fines and sanctions, and empower Data Subjects with improved transparency and actionable, extended data rights.

Brazil LGPD Whitepaper Download

  • This field is for validation purposes and should be left unchanged.

Background to LGPD: Brazil takes inspiration from Europe’s GDPR.

Brazil’s new General Data Protection Law (LGPD) was approved on August 14, 2018, with this regulation coming into effect in February 2020.  The LGPD, federal law 13.709/2018, aims to secure and extend the basic rights of Data Subjects whilst fostering technological innovation through the adoption of clear and transparent legislation that outlines the appropriate methods for the processing of personal data. It is worth noting that Brazil’s new legislation is similar, although not identical, to the EU’s General Data Protection Regulation (GDPR) which came into force on 25th May 2018.

The LGPD has 65 articles and creates a new legal framework for the online and offline processing of personal data in Brazil in both the private and public sectors. This new legislation represents a major change to Data Privacy regulation and details the legal basis for the processing of personal data, highlighting best-practice data processes based around the legitimate interests of the Data Controller and the extended rights of the Data Subject, and defines the obligations and limitations of large-scale processing of personal data.

The following bullet points offer an overview of the key elements of the LGPD [1]:

  • Legal grounds for data processing, consent and legitimate interest: Companies must demonstrate a lawful basis for the collection and processing of personal data.  The LGPD deems consent just one condition for the lawful processing of personal data. There exist a total of 10 conditions, versus the 6 under the GDPR, and are as follows: (i) consent; (ii) legal obligation; (iii) implementation of public policies by the public administration; (iv) research by public study entities; (v) contractual performance; (vi) exercise of rights in legal proceedings; (vii) life protection; (viii) health protection; (ix) legitimate interest; and (x) protection to credit.
  • Territorial scope: Application of the LGPD will extend beyond Brazil’s geographical borders and applies to any Data Controller, located in or outside of Brazil, that holds and processes the personal data of Data Subjects located in Brazil, irrespective of their nationality.
  • Privacy by design and by default: Data Controllers must adopt processes – technological solutions or otherwise – that guarantee privacy and data protection rights.
  • Data Protection Officers (DPO): Data Controllers involved in the large-scale processing of data must nominate a Data Protection Officer. The DPO is the individual charged with ensuring LGPD compliance and whose role will involve the management of Data Subject Requests (DSRs), effectively serving as the point of contact between the Controller and Data Subjects. Unlike its European cousin, the LGPD is currently unclear as to whether all Controllers, irrespective of their size, and the volume and type of processed data, will have to nominate a DPO.
  • Record data processing activities: All personal data processing activities must be recorded for the duration of the Data Subject lifecycle. Controllers must indicate the types of personal data collected, the legal basis for its collection and use, the length of time the Controller plans on holding the data, and the security practices in place to ensure the safe handling and storage of the data.
  • Data breaches & right to know: Disclosure of data breaches must be made to the data protection authority within a reasonable time frame, yet to be defined by the authority. Severe breaches may require the Data Controller to notify the data subjects involved.
  • Data portability (a Data Subject’s Right to easy access to his/her data): the individual’s right to request copies of the personal data held by Data Controllers. Copies must be produced in a usable, readable and transferable format.
  • Data erasure (‘the right to be forgotten’): the Data Subject equally reserves the right to request the erasure of their data, i.e. withdraw consent, provided there exists no contractual or legal basis for retaining it.
  • Anonymisation of data: Similar to the GDPR, the LGDP stipulates that natural persons should not be easily identifiable by the data held, and that anonymised data cannot be reversed without clear reasonable means as defined by the LGPD, (cost, time, and technology). However, the LGPD also applies more subjective conditions in ascertaining whether or not data can be deemed reversible and attributable to natural persons: ‘the uses of own resources’ does not explicitly state whether or not said ‘resources’ are those of Controllers or Processors, and as such whether anonymised data can be easily reversed, and within the scope of the law. Unlike the GDPR, the LGPD does not differentiate between anonymised and pseudonymised data.
  • Treatment of Sensitive Information: Personal Data deemed as sensitive will be processed with additional security and under a different legal basis. Sensitive information refers to information on the Data Subject that could lead to discrimination, such as racial or ethnic origins, religious beliefs, political opinion, and health related data. Any data that allows identification of the data subject, such as genetic data or biometric, is likewise considered sensitive.
  • Codes of Conduct and Authoritative Bodies: The LGPD clearly encourages the adoption of industry-specific codes of conduct and authoritative bodies that can ensure compliance with data protection regulation. Certain sectors may choose to create their own internal, best-practice codes of conduct which may in some cases be even more stringent than the law.
  • Penalties: A violation of the LGPD may lead to administrative sanctions by the relevant authority. Fines may vary from 2 percent of a company’s turnover in Brazil in its last fiscal year, up to a maximum of R 50,000,000.00 – that is in the order of ten million British pounds or thirteen million US dollars.
  • Transition and adaptation period: The LGPD comes into force 18 months after its publication. Public and private entities will have until February 2020 to adapt to the new legislation.

 

LGPD AND GDPR, A TABLE OF COMPARISON[2]: The LGPD is similar, although not identical, to the EU’s GDPR. 

LGPD GDPR
Covers processing of data by individuals and entities, in or out of Brazil, provided that either the data is collected or processed in Brazil or processing is for the purpose of offering or providing goods or services in Brazil. Covers processing of personal data by all entities (for-profit or nonprofit) with an “establishment” in the European Union, or entities outside of the European Union that offer goods and services to individuals in the European Union or trace their data.
Uses a broad definition of “personal data” to include information related to an identified or identifiable individual. Publicly available information is included in the definition, but with limitations allowing for use consistent with the purposes for which the information was made public. Uses a broad definition of “personal data” to include categories of data that directly or indirectly identify a person. Publicly available information is included.
Third-party vendors reviewing documents are bound to the same principles as the entity requesting the data treatment. Third-party vendor agreements must contain a standard set of EU-approved commitments.
Grants consumers the right to be informed of, access, correct, obtain a portable copy of, anonymize and delete their personal data. Grants consumers the right to be informed of, access, correct and (in more limited circumstances) delete, restrict processing of or obtain a portable copy of their personal data.
Requires entities to have a lawful basis for processing information if not seeking subjects’ consent. Requires entities to have a lawful basis for processing information if not seeking subjects’ consent.

So What Now?

Data controllers and processors should adopt effective measures if they are to demonstrate LGPD compliance. This can be done through data protection assessments and the implementation of technologies that enable best-practice consent and data privacy management (i.e. Privacy by Design and Default). Under the LGPD, all personal data processing activities must be recorded and indicate the types of personal data collected, as well as the legal basis for processing.

TRUNOMI IS HERE TO HELP: The Universal Solution to Data Rights Management

Solution Overview:

Trunomi is a global market leader in Consent and Data Rights Management technology.  Our unique, patented technology, TruCert, proves the legal basis of processing under LGPD.  Trunomi provides Data Controllers and their DPOs with the tools to power seamless Consent Management, minimising the distance between them and Data Subjects whilst improving transparency and building trust. We offer peace of mind to DPOs and Marketers in their past, present and future data operations.

Privacy by Design and Default:

Trunomi’s solutions cover a wide-range of LGPD regulation including:

  • Demonstrating LGPD-Compliance
  • Consent Management
  • Prove Legal Basis for Processing
  • DPOs and Data Subjects: Right of Access, Rectification and Erasure
  • Treatment of Sensitive Information

DEMONSTRATING LGPD-COMPLIANCE: 

Problem Statement

The incoming LGPD, like the GDPR, places the onus on Controllers and Processors to demonstrate present and past regulatory compliance. Although current Data processes may be compliant under the LGPD, Controllers and Processors should be able to demonstrate the lawful basis of past processing, or risk leaving themselves vulnerable to sanctions.

Trunomi Solution

Trunomi is designed to easily evidence LGPD-compliance. Every ‘Consent Event’ generates an audit-ready TruCertTM, a digital certificate that creates an immutable record of the event.  The TruCertTM can also be used to record, at an individual level, all legal basis for processing data such as legitimate interest, ensuring that accidental processing does not occur. TruCertTMs can be accessed via the Ledger/Notary API, or directly by the customer through the “Data Rights” widget.

Trunomi analytics, available through the Enterprise DPO Portal, can also be used to demonstrate the lawful basis of processing across the Controller and KPIs in delivering upon data subject requests.

CONSENT MANAGEMENT:

Problem Statement

Obtaining consent for individually defined purposes without inadvertently generating ‘consent-fatigue’ amongst Data Subjects is absolutely critical in the effort to maintain and strengthen the customer-relationship. As such, avoiding ‘consent fatigue’ amongst Data Subjects will be key factor in a Controller’s ability to harness, increase and improve the volume and quality of available data, whilst also driving a transparent and seamless customer experience.

Trunomi Solution

Trunomi allows Controllers to transform the consent-capture process from a static and monolithic operation into a dynamic and direct customer-interaction. The objective is to seek correct consent from each individual, at the right time, and in the appropriate context.

The TruCert Consent Receipt certifies any consent-event requested via a Trunomi widget and confirms the exact notice that was presented to the customer. Trunomi then transforms the ‘consent-event’ into machine readable Data Rights that can be accessed by Controller systems via the Rights API in order to verify whether or not lawful processing is possible. Trunomi also calculates the duration (time limit) of individual consents, and expires these data rights at the appropriate time.

Consent Request Widgets are integrated into web applications using java script tags.  These can be triggered by context or by using 1:1 targeting lists, uploaded through a provisioning process and accessed via the Context API. The actual consent widgets can appear inline or as an overlay (mounted in the page as a DIV or iframe). Using Trunomi widgets, the DPO can ensure ‘consent notices’ are standardised across multiple touch points, and that interactions are presented clearly.

LAWFUL BASIS FOR PROCESSING:

Problem Statement

There exists a total of 10 conditions: (i) consent; (ii) legal obligation; (iii) implementation of public policies by the public administration; (iv) research by public study entities; (v) contractual performance; (vi) exercise of rights in legal proceedings; (vii) life protection; (viii) health protection; (ix) legitimate interest; and (x) protection to credit. Businesses should be able to evidence the lawful basis of processing in their data operations.

Trunomi Solution

The legal basis for processing data is referred to as data rights within the Trunomi platform. Beyond explicit consent management, Trunomi also allows other lawful bases for processing to be notarised at an individual level and updated as necessary.  This is achieved by populating the Method of Collection (MOC) and Justification fields when invoking the API. For example, when a data subject enters a new service agreement, the Controller can notarise an array of data processing that will occur to achieve contract performance.  Once the service is closed, the array of rights associated with the contract can be withdrawn. Trunomi’s RESTful APIs allow real-time access to up-to-date data rights. This ensures Controller systems and platforms can easily access the data rights in order to process data.

DSRS: RIGHT OF ACCESS, RECTIFICATION, ERASURE & OBJECT REQUESTS:

Problem Statement

Data Protection Officers face the singularly daunting task of overseeing the processing of Personal Data without a single, harmonised and holistic tool that offers both a global view of Data Subject Requests, and the tools to manage outstanding DSRs.

Trunomi Solution

Trunomi’s DPO dashboard assists the Data Protection Officer in their Data Rights Management.  Trunomi offers assistance in the customer, DPO and back-end system messaging associated with such requests. The tools include specific Data Subject Request widgets that can be embedded into web apps to provide a customer interface to log and review requests. Review and status monitoring allows DPOs to review and manage the status of outstanding DSR (Data Subject Request) from within the DPO Enterprise Portal, whilst the Message Event Service can pass DSRs to backend systems.

All requests and interactions are captured and evidenced by TruCertTM digital certificates so the Data Controller can easily demonstrate to regulators and Data Subjects the specific interactions that have taken place.

Trunomi also offers Controllers the ability to act as the system of record for data location. However, it remains the Controller’s responsibility to embed this metadata pointer into the TruCert and act on the detail.

There are four levels: Request, Triage, Action, and Delivered.

Request: Controllers have two options for managing and recording data subject requests. They can create a website / app section that allows the customer to digitally lodge these requests on a universal basis or when referencing an individual data type then processed by the Controller. The front-end can be rendered independently, or a series of Trunomi widgets (My Data, Data Subject Requests, My Requests) can be embedded into secure web pages to manage elements of the customer communication.  Four types of requests are possible: Access, Erase, Rectify or ObjectThe Object function can also be used to achieve the Right to Restriction of Processing.

Triage: During the provisioning process, Controllers can configure whether a request should undergo triage, review or automatic processing according to the request type, the reason provided by customer or the data type. The DPO can view all outstanding requests from within the Trunomi Enterprise Portal.  Once the appropriate review of the request has taken place (outside of Trunomi platform) the DPO can change the request status to reject or accept. An Accept status will initiate the Actioning phase. During this phase, Data Subjects can see the status of their request e.g. Reviewing in the relevant widgets, as well as an accompanying explanation.

Actioning: During the Actioning phase a message is passed from the Trunomi Event Service to the Controller’s back end system, such as an Enterprise Service Bus (ESB) or message queue, informing it of the outstanding customer request. N.B, it is the Controller’s responsibility to ensure that requests are enforced across all platforms containing personal information.

Controllers also have the option to use Trunomi to inform their back-end system of the location of data types affected by the customer request.  This can be achieved if the Controller has inserted opaque data location information and pointers into API interactions with Trunomi. The DPO will receive visual notification in the Enterprise Portal if delivery of a request is taking too long (against configurable Service Level Agreements (SLAs)).  The ability to inform the customer of the late delivery of a request can be delivered by widgets and provide an explanation of the delay.

Complete: Once the Controller has completed the Data Subject Request, the Controller’s systems should provide a message to the Trunomi Event System informing it of a successful completion. Manual updates are also possible. The status of the request will subsequently update within the Enterprise Portal and the MyRequests widget. Although Trunomi’s technology can evidence each Consent Event, it is the Controller’s active responsibility to share the relevant data with the recipient.

TREATMENT OF SENSITIVE INFORMATION: 

Problem Statement

Personal Data deemed as sensitive (e.g racial, ethnic origins, religious beliefs, political opinion, health related data) must be processed with additional security and under a different legal basis. Sensitive information refers to information on the Data Subject that could lead to discrimination. Any data that allows identification of the data subject, such as genetic data or biometric, is likewise considered sensitive.

Trunomi Solution

Trunomi enables express consent to be used to lawfully capture and process sensitive data. Furthermore, consent & associated data types can be labelled as ‘sensitive’ and subsequently excluded from specific processing.

SUMMARY

In Summary the LGPD allows for a clear and unambiguous harmonisation of Data Privacy Regulation that serves to improve consumer confidence in the marketplace whilst fostering a best-practice approach to data processing operations. To that end, the LGPD should not be seen as a regulatory hurdle to existing operations but rather an opportunity to optimise Consent and Data Management, improve trust between Controllers and their Data Subjects, and ultimately enhance the quality of data held.

At Trunomi, we believe that Controllers that expedite LGPD-compliance will be better placed to anticipate future changes to regulation in Brazil and across the globe, and maintain their competitive advantage in a digitally connected world and shifting regulatory landscape.

 

References:

[1] https://iapp.org/news/a/gdpr-matchup-brazils-general-data-protection-law/

[2]https://www.debevoise.com/~/media/files/insights/publications/2018/08/08202018_the_brazilian_data_protection_law_lgpd.pdf

https://gdpr.report/news/2018/08/21/brazils-general-data-protection-law-isnt-quite-gdpr/

https://iapp.org/news/a/the-new-brazilian-general-data-protection-law-a-detailed-analysis/