When the General Data Protection Regulation (GDPR) came into effect in 2018, it was the biggest shakeup of data protection laws in decades. While GDPR contains many of the same principles as previous data protection laws, those principles were significantly strengthened under the new law.
Now, just a few years later, we’re starting to see GDPR’s impact as it relates to new privacy laws around the world.
Brazil’s LGPD (Lei Geral de Proteção de Dados), which many believe was modeled closely on GDPR, started being enforced earlier this year. LGPD grants crucial privacy rights to individuals in Brazil, the world’s fifth largest country, and it provides opportunities for organizations to deepen their commitment to data privacy and personal data protection.
Since there are substantial fines associated with not complying with LGPD, it’s important to understand how it compares to existing data protection laws and the steps you need to take to comply.
How is LGPD similar to GDPR?
The LGPD contains similar terms, concepts, and data subject rights as the GDPR. Specifically, Article 18 of the LGPD, which explains the nine fundamental rights that data subjects have, will look familiar to businesses that have dealt with GDPR compliance.
These rights are similar to GDPR’s eight fundamental rights. The main exception is LGPD’s “right to information about public and private entities with which the controller has shared data,” which corresponds to GDPR’s “right to be informed” but is more explicit.
How is LGPD different from GDPR?
One of the key differences is around the appointment of a Data Protection Officer (DPO). While both laws require businesses and organizations to hire a DPO, the GDPR specifically outlines when a DPO is required. The LGPD, on the other hand, states that “The controller shall appoint an officer to be in charge of the processing of data,” suggesting that any organization that processes the data of people in Brazil will need to hire a DPO.
Another difference between the two concerns what qualifies as a legal basis for processing data. The GDPR has six lawful bases for processing, and a data controller must choose one of them as the justification for using a data subject’s information. The LGPD, however, lists 10.
Finally, while both the GDPR and the LGPD require organizations to report data breaches to the local data protection authority, the level of specificity varies widely between the two laws. Under GDPR, an organization must report a data breach within 72 hours of its discovery. The LGPD does not give any firm deadline, but it does state that notification of a data breach must happen within a reasonable timeframe.
The role your backups play in complying with LGPD
While SaaS platforms like Salesforce and Microsoft Dynamics 365 help their customers comply with data protection laws with respect to the data in their production systems, these measures typically don’t extend to the backups that customers maintain outside of those systems.
That’s why it’s important that when you’re assessing a backup solution, you ask the vendor the following questions:
- What are your security and privacy standards?
- How do you support a culture of privacy by design?
- What specific tools or processes do you provide to help us manage our obligation under LGPD?
How Own can help simplify compliance
Built with data protection and privacy as core tenets from its inception, Own has always been aligned with the principles behind LGPD. Through our entire portfolio of products (Recover, Sandbox Seeding, Archive, and Secure), we enable customers to meet their industry and government regulation requirements, making compliance easier for you as a controller.
Easily respond to subject access requests
Data controllers under LGPD are responsible for maintaining an inventory of personal data and responding to requests for that data across their entire infrastructure. This includes data held by third parties, such as backup providers.
With Own Recover, we enable customers to quickly and easily respond to subject access requests within your backups by submitting them directly through Own’s easy-to-use application, including:
- Right to erasure (be forgotten)
- Right to rectification (changes)
- Right to data portability (readable exports)
Similarly, within Own Archive, our Right to be Forgotten software development kit (SDK) gives customers the tools to delete records from their archived data on demand.
Customize data retention periods
Own provides custom retention policies, within your backups and your archives, to help you comply with LGPD and meet your corporate risk tolerance for retaining Brazil subject data.
By default, Recover includes 99 years of retention but offers you the flexibility to tailor daily, weekly, monthly and yearly backup retention by org.
With Archive, you can define, automate and manage custom data retention policies that include specific data to be archived, how frequently data archiving activities occur, and how long archived data is retained. Once policies are configured, Archive removes specified records and attachments from production and securely stores immutable replicas to the cloud without changing the integrity of data relationships.
Ensure immutable backups for disaster recovery
For both Europe and Brazil, data privacy law entails data security. Under both the LGPD and GDPR, you’re required to implement appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration or destruction.
Own goes even further, providing customers with solutions that bolster data security and safety, including:
- Encryption at rest and in transit (FIPS 140-2)
- Bring Your Own Key
- Archival data resiliency
- Granular access controls
- Annual SOC 2 Type II Audit
- ISO 27001 and 27701 certifications
Every organization’s approach to LGPD compliance is different and depends on many factors, including the type of data you control, the regulatory environment in which you operate, and your current privacy and security capabilities.
Contact us for a personalized 1:1 demo to find out how Own can help simplify compliance for your data needs.