LGPD vs. GDPR – Top 10 Main Differences

Isabela Guarino Tancredo, Palqee
Aug 25, 2020

If your company has relations with partners, suppliers or even has subsidiaries spread over either the European Economic Area or Brazil, bear in mind the need to adapt your business management and stay compliant with both the LGPD and the GDPR privacy regulations.

Two years after the GDPR entered into force across the European Economic Area, and with the Brazilian LGPD coming into force soon, one can’t say that understanding what makes each regulation unique is an easy task, even considering their numerous similarities, especially in the era of digital disruption we are all living in.

This compliance challenge puts at risk not only the individuals whose personal information is used by companies, but the business itself: by the time the GDPR had its first anniversary, the national European authorities had received over 144,000 complaints and logged over 89,000 data breaches, which means reputational damage and gigantic monetary losses for the companies involved.

Hence, if you do or plan to do business in both Europe and Brazil, it’s important to know their differences. We summarised the most relevant differences between them below.

1) Processing of Sensitive Personal Data

Although both regulations give sensitive personal data a higher level of protection and limit the situations in which it may be processed, each regulation defines different exceptions under which a company may process sensitive personal data.

The GDPR makes two exceptions that the LGPD doesn’t include:

  1. The data subject has made their sensitive personal data public, and
  2. The sensitive data processing is carried out by members or former members of a non-profit association, foundation or organization acting with legitimate interests and with the necessary security measures.

Similarly, the LGPD has some exceptions for sensitive personal data processing which the GDPR doesn’t consider:

  1. The execution of public policies, and
  2. Fraud prevention in registration processes in electronic systems.

As for the similarities, both the GDPR and the LGPD allow the processing of sensitive data when:

1. The subject gives explicit consent

2. The controller needs to fulfil a contractual or regulatory obligation

3. It is necessary to protect the vital interests of the data subject or of another individual

4. For the controller to exercise legal rights in court

5. For reasons of substantial public interest, and

6. For medical purposes.

2) Age of Consent

While the LGPD requires the parents’ consent when processing data of subjects under 18 years old, the GDPR allows data subjects over 16 years old to freely consent to having their data collected and processed without the need for parental permission. Further, the GDPR allows countries in the EEA to reduce that age to 13.

3) Data Protection Policies

When it comes to adopting technical or administrative measures within the company to comply with privacy regulations, the GDPR directly obliges every controller to have data protection policies in place, while the LGPD doesn’t make them mandatory, although such measures can be taken into consideration by the Brazilian Supervisory Authority as a penalty mitigation factor in case of a violation.

4) Data Privacy Impact Assessments and Prior Consultation

The GDPR establishes that, whenever a data processing activity presents a high degree of risk to individuals’ privacy and freedom rights, the company must prepare a written Data Privacy Impact Assessment and consult the Supervisory Authority for advice before starting the processing. Its Brazilian counterpart, the LGPD, lacks the same obligations: it doesn’t specify whether a DPIA must be done for any new data processing and has no article imposing the need for consultation with the authorities.

5) Legal Bases

The GDPR establishes 6 situations (legal bases) in which companies are authorized to collect and process personal data:

1. The explicit consent given by the individual

2. The performance of a contract

3. The use for public policies’ effectiveness

4. Legal obligations

5. Protection of vital interests, and

6. Legitimate interest.

The LGPD adopts 4 more situations, totalling 10 legal bases:

1. The use of personal data in order to protect the patient’s health during a medical procedure

2. Scientific study and research purposes

3. Loan protection, and

4. To exercise legal rights in a judicial process.

6) Data Protection Officers — DPO

Under the GDPR, only companies that collect and process personal data on a large scale, or that process sensitive personal data, are required to appoint a Data Protection Officer (DPO) to act as a privacy compliance officer.

The LGPD, on the other hand, requires that all companies acting as controllers of personal data appoint a DPO, regardless of the type or volume of personal information collected.

7) Territorial Scope

Both laws have an extraterritorial reach and apply to companies located outside their territories as long as they offer goods and services to individuals located in the European Economic Area or Brazil.

Despite that, only the GDPR covers organizations that are not located in the EEA but that monitor the behavior of its residents. Likewise, unlike the GDPR, the LGPD has no provision concerning the protection of data that is merely in transit through its territory and doesn’t have Brazil as its final destination for processing.

Aside from those main differences between the regulations, there are a few more specificities regarding deadlines and each authority’s procedures that require greater attention to detail when implementing a proper compliance program.

8) Responding to Data Subject Requests

Under the GDPR, companies have 30 days to respond to a data subject’s request for access to their own data, while the LGPD gives them 15 days.

9) Breach Notifications

Similarly, the GDPR requires that the authority be notified of a data breach within 72 hours of the incident, while the Brazilian law doesn’t set a fixed deadline, as long as notification is done within a reasonable amount of time.

10) Cost of Penalties

There is also a notable difference in the cost of penalties under the GDPR and the LGPD that can cause companies a great monetary loss: under the GDPR, fines can go as high as EUR 20,000,000 or 4% of a company’s global annual turnover (whichever is greater), while under the LGPD the limit is 2% of turnover or up to R$ 50,000,000 (Brazilian reais), approximately EUR 7,500,000, whichever is higher.

To summarize:

It’s important to note that the LGPD left many provisions open, still to be adjusted or complemented by its supervisory authority, which will probably be created within the first months of enforcement.

Nevertheless, it’s important for companies to stay up to date with privacy regulations, to understand the differences between them and to have the right processes and tools in place to achieve global compliance.

Sources:

1. https://gdpr.eu/gdpr-vs-lgpd/#:~:text=%20Differences%20between%20the%20LGPD%20and%20the%20GDPR,maximum%20GDPR%20fines%20are%20substantial%2C%20requiring...%20More%20
2. https://edpb.europa.eu/news/news/2019/1-year-gdpr-taking-stock_en