Similarities and differences between GDPR and LGPD

What is the difference between the GDPR and the LGPD?

Both laws have similar objectives, but there are some differences between the two, despite the influence the GDPR has had on the Brazilian LGPD. These differences mainly concern data protection officers, the legal basis for data processing and the reporting of data breaches.

The appointment of a Data Protection Officer (DPO) is required by both laws. While the GDPR outlines the requirements for when a DPO must be appointed, the LGPD defines generically in Article 41 that “the controller shall appoint an officer to be in charge of the processing of data”. Further clarification is expected at some point, but this area of the LGPD appears to be stricter than the GDPR, as it suggests that any organisation processing personal data in Brazil must appoint a DPO.

Compared to the six legal bases for data processing of the GDPR and the fact that a data controller must choose one of them as justification for the use of a data subject’s information, the LGPD extends its definition of what constitutes a legal basis for data processing to a list of 10:

  • With the consent of the person concerned;
  • To comply with any legal or regulatory obligation imposed on the controller;
  • To implement public policies provided for in laws or regulations or based on contracts, agreements or similar instruments;
  • To carry out studies by research institutions which, whenever possible, guarantee the anonymisation of personal data;
  • For the performance of a contract or preliminary proceedings relating to a contract to which the data subject is a party, at the request of the data subject;
  • To exercise rights in judicial, administrative or arbitration proceedings;
  • To protect the life or physical security of the data subject or a third party;
  • To protect health in a procedure carried out by health professionals or health care institutions;
  • To protect the legitimate interests of the controller or of a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require the protection of personal data; or
  • To protect credit (in terms of a credit rating).

Probably the most significant deviation from the GDPR is having credit protection as a legal basis for data processing.

The deadline for reporting data breaches to the local data protection authority also differs between the GDPR and the LGPD. The explicit requirement of the GDPR includes a 72-hour time limit (from discovery) within which an organisation must report a data breach.

However, there is no prescribed timeframe for reporting data breaches in the LGPD and no guidance on a “reasonable period of time”. In Article 48, the Act only stipulates that “the controller shall notify the national authority and the data subject of the occurrence of a security incident which is likely to create a risk or relevant harm to data subjects within a reasonable time, as defined by the national authority”.

The issue is gaining popularity worldwide and data protection laws are beginning to be considered everywhere, from India to the US. So if you achieve GDPR compliance, you are on the right track to complying with the LGPD.

LGPD – Brazil’s version of GDPR – Part 2

Similarities and differences between the GDPR and the LGPD

What is different between the GDPR and the LGPD?

Both laws have similar goals, but there are some differences between the two, despite the influence that the GDPR had on the Brazilian LGPD. These differences relate mainly to data protection officers, the legal basis for processing data and the reporting of data breaches.

Hiring a Data Protection Officer (DPO) is required by both acts. While the GDPR has outlined the requirements for when a DPO has to be hired, the LGPD defines generically in Article 41 that “The controller shall appoint an officer to be in charge of the processing of data”. Further clarification can be expected here eventually, but this area of the LGPD seems to be more stringent than the GDPR, because it suggests that any organization that processes the data of people in Brazil will need to hire a DPO.

Compared to the six lawful bases for processing data of the GDPR and the fact that a data controller must choose one of them as a justification for using a data subject’s information, the LGPD expands its definition of what qualifies as a legal basis for processing data to a list of 10:

  • With the consent of the data subject;
  • To comply with a legal or regulatory obligation of the controller;
  • To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;
  • To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;
  • To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;
  • To exercise rights in judicial, administrative or arbitration procedures;
  • To protect the life or physical safety of the data subject or a third party;
  • To protect health, in a procedure carried out by health professionals or by health entities;
  • To fulfill the legitimate interests of the controller or a third party, except when the data subject’s fundamental rights and liberties, which require personal data protection, prevail; or
  • To protect credit (referring to a credit score).

Probably the most substantial departure from the GDPR is having the protection of credit as a legal basis for the processing of data.

The time period specified for reporting data breaches to the local data protection authority also differs between the GDPR and the LGPD. The explicit requirement of the GDPR includes a deadline of 72 hours (from discovery) in which an organisation must report a data breach.

However, there is no given time window for data breach reporting in the LGPD and also no guidance on what constitutes a “reasonable time period.” In Article 48 the law states only that “the controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subjects… in a reasonable time period, as defined by the national authority.”

The issue is gaining worldwide popularity and data protection laws are beginning to be considered everywhere, from India to the USA. So by achieving GDPR compliance, you are on the right way to complying with the LGPD.