Lei Geral de Proteção de Dados Pessoais (LGPD), better known to the English-speaking world as Brazil’s new General Data Protection Law, has been active for a month now and if nothing else is going to be a major job creator for Latin America’s biggest nation. A new report from the International Association of Privacy Professionals (IAPP) found that approximately 50,000 new data protection officers (DPOs) will be needed in the country to ensure that all of the organizations that it applies to are in compliance.
IAPP study sees massive need for DPOs in Brazil
The LGPD has been somewhat below the radar internationally due to the enforcement date being pushed back nearly a full year. The IAPP study is one of the first comprehensive look at the new law as its terms become active. The key takeaway is that since any organization that processes personal data in Brazil (pending company size requirements) must appoint DPOs even if it is not headquartered in the country, some 50,000 DPOs are expected to be needed in the very near future.
As the IAPP study points out, the vast majority of Brazil’s businesses are too small to expect to be subject to the data protection terms of the LGPD; they either do not employ enough people or do not process enough customer data. The current terms of the LGPD do state that any legal entity (regardless of size) that processes personal data must put its protections in place, but further guidance is also expected. IAPP predicts that the further points of clarification will specify that the vast majority of Brazil’s 4 million+ small businesses will not be held to these terms. Section 3 of Article 41 of the LGPD specifies that waivers are to be established based on ” … nature and the size of the entity or the volume of data processing operations.”
That must remain speculation for the moment as the government body meant to issue such clarifying guidance and updates, the Autoridade Nacional de Proteção de Dados (ANPD), has yet to actually be formed even though the LGPD has technically been in effect since early September. The IAPP’s study thus focused on predicting how ANPD guidance will ultimately shake out and who will ultimately be required to appoint DPOs.
The IAPP ultimately determined that LGPD-obligated companies will be those with at least 250 employees that deal in large-scale data processing. Based on those requirements, the study found that at least 12,100 domestic Brazilian companies would be subject to its terms. However, that does not account for foreign companies that process enough data in Brazil to also be subject to the LGPD. IAPP views this estimation through the lens of the EU’s General Data Protection Regulation (GDPR) in its first year. The GDPR precipitated the appointment of about 500,000 new DPOs under similar circumstances in 2018, but Brazil’s economy is only about 10% of the size of Europe’s: thus the final estimate of about 50,000 new DPOs in Brazil.
LGPD and the role of DPOs
Given that the ANPD has yet to be formed and get involved, the described role of the DPO under the LGPD is currently quite basic: to serve as the central point of contact standing between the data controller, its data subjects and the data protection authority. The DPO must be intimately familiar with the terms of the LGPD and serve as the organization’s internal compliance officer, fundamentally mirroring the role of the EU’s DPOs. There will (at least initially) be more on-the-job learning and keeping up with evolving terms, however, as the ANPD gradually comes online and begins issuing guidance.
The final version of the law also removed the requirement for DPOs to be familiar with the terms of the GDPR. Additionally, the DPO is not required to be physically located in Brazil.
One point that new LGPD DPOs will need to watch closely is the establishment of data breach reporting requirements. Presently there is no deadline; the current law simply words it as a “reasonable time.” The GDPR requires notification within 72 hours, and it’s likely that the ANPD will eventually issue guidance that sets a similarly firm time frame.
The maximum penalty for LGPD violations is similarly stringent, however; it can be the greater of 2% of an organization’s annual turnover or the equivalent of about $12,894,500 per violation. Repeat and intentional violators can also be banned from the processing of sensitive data or even ordered to entirely shut down for up to 10 years.
There are still major unanswered questions about how enforcement will end up working; technically any violations at present could be punished as of August 2021, but it’s still unclear as to who will actually be subject to them.