LGPD is Here: What to know to understand compliance and enforcement action
Thank You for Joining “LGPD is Here: What to know to understand compliance and enforcement action”
● We will be starting a couple minutes after the hour
● This webinar will be recorded and the recording and slides sent out later today
● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers
Legal Bases
Article 7 LGPD et seq.
I. Consent
II. Compliance with a legal obligation
III. Public administration for public policies
IV. Research
V. Execution of a contract, or preliminary procedures for a contract
VI. Legal procedures
VII. Protection of life or physical safety
VIII. Protection of health [only for healthcare professionals]
IX. Legitimate interests
X. Protection of credit
Individual Rights
Article 17 LGPD et seq.
● Data ownership
● Confirmation of the existence of processing
● Access
● Correction
● Anonymization, blocking or deletion of unnecessary or excessive data
● Data portability
● Withdrawal of consent, followed by deletion
● Information about data sharing
International Transfers
Chapter V LGPD
● International data transfers: the transfer of personal data to a foreign country or to an international entity of which the country is a member.
● Data transfers only to adequate countries
○ Brazilian DPA will need to draft the list once up and running
○ Criteria: applicable data protection regime and the nature of the data; alignment of security requirements with the LGPD; existence of judicial and institutional guarantees for respecting the rights of personal data protection
● Transfers based on sufficient guarantees the data will be protected
○ standard contractual clauses or ad hoc agreements;
○ global corporate rules (like BCRs and CPBRs);
○ public interests;
○ consent; or
○ following approval by the DPA.
Data Breaches
Article 48 LGPD
● Security incidents that may lead to material risk or harm must be reported, within a reasonable time period, to the national authority (to be the DPA) and to affected data subjects.
● The notification should include:
○ a description of the nature of the personal data affected;
○ information about the affected data subjects;
○ an indication of the technical and safety measures used to protect the personal data;
○ the risks related to the incident;
○ the measures that will be adopted to reverse or mitigate the effects of the incident; and
○ the reasons for any delayed notification.
● The DPA may require controllers to adopt measures such as:
○ wide dissemination of the incident to the media; and
○ measures to reverse or mitigate the effects of the incident.
Accountability Obligations
Article 6(x) and 50 LGPD
● One of the key principles of the LGPD
● Both controllers and processors will need to be able to demonstrate “the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures”
● Includes:
○ Appointment of DPO (subject to ANPD guidance)
○ Processing activities register
○ Impact and Risk Assessments (subject to ANPD guidance)
● Suggestion to develop a privacy compliance program
○ Demonstrating commitment to adopt internal processes and policies that ensure broad compliance
○ Establishing adequate policies and safeguards based on a process of systematic evaluation of the impacts on and risks to privacy
○ Integrate privacy governance into the general governance structure
○ Regular updates
How to prepare for compliance?
1. Understand your legal requirements under the LGPD
○ An ongoing activity, since the ANPD guidelines are yet to be drafted
2. Assess your Brazilian data processing operations (and create a register)
○ Processing taking place in Brazil
○ Processing targeting the Brazilian market
○ Processing personal data of persons in Brazil
3. Document data transfers to and from Brazil
4. Update Individual Rights procedures to deal with LGPD requirements and deadlines
5. Keep documentation of all implementation steps
Leverage Compliance Instruments from other Jurisdictions
Framework elements compared across GDPR, LGPD, CCPA, HIPAA Security, USSG C&E Program and Virginia CDPA:
● Integrated Governance
● Risk Assessment
● Resource Allocation
● Policies and Standards
● Processes
● Awareness and Training
● Data Necessity
● Use, Retention, and Disposal
● Disclosures to 3rd Parties & Onward Transfer
● Choice and Consent
● Access and Individual Rights
● Data Integrity and Quality
● Security
● Transparency
● Monitoring and Assurance
● Reporting and Certification
Common Controls merge similar requirements
Common control: “Put in place appropriate administrative, physical, and technical safeguards to protect personal information from unauthorized access and accidental or unlawful destruction, loss, alteration, damage...”
Requirements merged into this control:
● GDPR Article 5.1(f)
● GDPR Article 32.1
● UK GDPR Art. 5.1(f)
● UK GDPR Article 32.1
● HIPAA § 45 CFR 164.306(a)
● HIPAA § 45 CFR 164.530(c)(1)
● Virginia CDPA §59.1-574.A.3.
● Virginia CDPA §59.1-578.F.2.
● LGPD Chapter I, Article 6.VII
● LGPD Chapter VII, Section I, Article 46
● New Zealand Privacy Act 2020 - IPP 5
● Singapore PDPA Section 24
Thank You!
See http://www.trustarc.com/insightseries for the 2021 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.