LGPD for Small Businesses and Startups
On January 28, 2022, Brazil’s national data protection authority, the ANPD, passed a major regulation which altered the application of the Lei Geral de Proteção de Dados Pessoais (LGPD) to ‘small businesses’. This resolution was passed under the mandate given to the ANPD by Article 55-J (XVIII) of the LGPD. The new regulation reduces compliance requirements and eases adherence to data protection principles for small businesses, startups and micro enterprises covered by the LGPD.
This approach is in stark contrast to the EU’s approach to GDPR compliance, which applies the same extensive compliance requirements to small businesses as it does to large multinational corporations. This has been the subject of a fair bit of criticism, as small businesses, start-ups and micro enterprises do not have the resources to comply with the entire breadth of the GDPR in the way larger businesses and multinational corporations do — thus making the GDPR a burden and an anti-competitive measure which reduces entrepreneurship and small business formation.
It is important to note that comprehensive privacy laws passed by US states such as the CCPA (which will be replaced by the CPRA in January 2023) apply only to businesses which cross a certain threshold (either in terms of revenue or the number of persons whose personal data they handle) — automatically excluding smaller businesses which either do not have the resources to comply with the strict data protection requirements imposed by the law or do not handle a significant enough volume of data for compliance to be deemed important for them.
We have detailed the changes to LGPD application for small businesses, startups and microenterprises as per these new regulations:
1. Definition of Small-Sized Processing Agents
As per Articles 1 and 2 of these new regulations, they apply only to ‘Small-Sized Processing Agents’, which are defined as:
- micro-companies, small companies, startups, legal entities governed by private law, including non-profits;
- micro-companies and small companies: business partnerships, simple partnerships, sole proprietorship limited liability companies, pursuant to art. 41 of Law №14,195, of August 26, 2021, and entrepreneurs referred to in art. 966 of Law №10,406, of January 10, 2002 (Civil Code), including individual micro-entrepreneurs, duly registered in the Commercial Companies Registry or in the Civil Registry of Legal Entities, which fall under the terms of arts. 3 and 18-A, §1 of Complementary Law №123, of December 14, 2006; and natural persons and depersonalized private entities that process personal data, assuming typical controller or operator obligations;
- Startups: business or corporate organizations, nascent or in recent operation, whose performance is characterized by innovation applied to a business model or to products or services offered, which meet the criteria provided for in Chapter II of Complementary Law №182, of 1st June 2021.
The Small-Sized Processing Agents which cannot take advantage of these regulations are those which:
- Subject the personal data of data subjects to high-risk treatment/processing;
- Earn gross revenue higher than the limit established in art. 3, II, of Complementary Law №123, of 2006 or, in the case of startups, in art. 4, §1, I, of Complementary Law №182, of 2021; or
- belong to a de facto or de jure economic group, whose global revenue exceeds the limits referred above, as the case may be.
It is also important to note that:
- These regulations do not apply to the processing of personal data carried out by a natural person for exclusively private and non-economic purposes, as well as in the other cases provided for in art. 4 of the LGPD.
2. High risk treatment/processing
As per Article 4 of these regulations, for a processing operation/treatment of personal data to be deemed high-risk, it must meet at least one general criterion and at least one specific criterion:
- The general criteria are defined as:
- large-scale processing of personal data: processing on a large scale is characterized by a processing operation comprising personal data which covers a significant number of data subjects, also considering the volume of data involved, as well as the duration, frequency and geographic extent of the processing carried out; and
- processing of personal data that may significantly affect the interests and fundamental rights of data subjects: such processing is characterized, among other situations, by processing activities which may prevent data subjects from exercising their rights or using a service, or which may cause them material or moral damage, such as discrimination, violation of physical integrity, violation of the right to image and reputation, financial fraud or identity theft.
- The specific criteria are:
- use of emerging or innovative technologies;
- surveillance or control of areas accessible to the public;
- decisions made solely on the basis of automated processing of personal data, including those intended to define the personal, professional, health, consumer and credit profile or aspects of the holder’s personality; or
- use of sensitive personal data or personal data of children, adolescents and the elderly.
The ANPD may provide guides and guidelines with the objective of assisting Small-Sized Processing Agents in evaluating whether a processing operation is high-risk. It is the responsibility of the small-sized entities themselves to prove that they qualify as Small-Sized Processing Agents under this regulation, or that they fall within the exclusionary clauses, within 15 days of being notified by the ANPD.
3. Non-exempt provisions
As per Article 6 of the new regulations, the waiver or relaxation of the obligations set forth in this regulation does not exempt Small-Sized Processing Agents from complying with the other provisions of the LGPD, including the legal bases and principles, other legal, regulatory and contractual provisions relating to the protection of personal data, as well as the rights of data subjects (DSRs).
As per Article 16, the ANPD may require Small-Sized Processing Agents to comply with the original obligations of the LGPD, which might have been waived or made more flexible in this regulation, considering the relevant circumstances of the situation, such as the nature or volume of operations, as well as the risks to the data subject.
4. Data Subject Rights
- As per Article 7 of these regulations, Small-Sized Processing Agents must provide information on the processing of personal data and meet the requests of data subjects (DSR fulfillment) in accordance with the provisions of arts. 9 and 18 of the LGPD, through electronic, printed or any other means that facilitate access to information.
- As per Article 8 of the new regulations, Small-Sized Processing Agents, even those falling within the exclusionary clause because they perform high-risk processing activities/treatments, can organize themselves through entities representing the business activity, legal entities or natural persons for the purposes of negotiation, mediation and conciliation of complaints submitted by data subjects.
5. Simplified ROPAs
As per Article 9 of the new regulations, the ANPD will provide a simplified model to Small-Sized Processing Agents for the preparation and maintenance of ROPA (record of personal data processing activities) reports as they are required under Article 37 of the LGPD.
6. Simplified Breach Notifications
As per Article 10 of the new regulations, the ANPD shall pass further regulations for flexibility or a simplified procedure for reporting security incidents for Small-Sized Processing Agents.
7. Exemption from appointing Data Protection Officer (DPO)
As per Article 11 of these regulations, Small-Sized Processing Agents are not required to appoint the person in charge of the processing of personal data (i.e., the Data Protection Officer — DPO) as required by Article 41 of the LGPD. However, those entities which do not appoint a person in charge must provide a communication channel with the data subject in order to comply with the provisions of Article 41(§2)(I) of the LGPD.
8. Safety and Good Practices
- As per Article 12 of these regulations, Small-Sized Processing Agents must adopt essential and necessary administrative and technical measures, based on minimum information security requirements for the protection of personal data.
- The Small-Sized Processing Agents must consider the level of risk to the privacy of data subjects and their particular circumstances.
- Compliance with the recommendations and good practices for prevention and security disclosed by the ANPD, including through its guidance documents, will be considered as compliance with the provisions of Article 52(§1)(VIII) of the LGPD.
- As per Article 13 of these regulations, Small-Sized Processing Agents must establish a simplified information security policy, which includes essential and necessary requirements for the protection of processing of personal data, in order to protect it from unauthorized access and from accidental or illegal situations.
- The simplified information security policy must take into account the implementation costs, as well as the entity’s structure, scale and volume of operations.
- Finally, the ANPD will consider the existence of a simplified information security policy when determining a fine for non-compliance, as it is required to do under Article 6(X) and Article 52(§1)(VIII) and (IX) of the LGPD.
9. Extended Timelines
As per Article 14 of the new regulations, Small-Sized Processing Agents are granted double the ordinary period for the following deadlines:
- For fulfilling DSR requests regarding the processing of a data subject’s personal data, as provided for in Article 18(§3) and (§5) of the LGPD;
- For notifying the affected data subjects and the ANPD of the occurrence of a security incident that may cause significant risk or damage — unless there is a potential compromise to the physical or moral integrity of the data subjects or to national security due to the breach;
- For providing a clear and complete declaration, as required by Article 19(II) of the LGPD; and
- For presenting information, documents, reports and records requested by the ANPD from other processing agents.
As per Article 15 of these regulations, Small-Sized Processing Agents may provide the simplified declaration referred to in Article 19(I) of the LGPD within a period of up to 15 days, counted from the date of the data subject’s request.
Note: The regulations also state that deadlines not provided for in these regulations for Small-Sized Processing Agents will be determined by specific regulation.
How Securiti Can Help
The worldwide dynamics of accessing, protecting, and sharing personal data are rapidly evolving, necessitating businesses to become more privacy-conscious of their processes and responsible guardians of their customers’ data, all while automating privacy and security operations for fulfilment of data subject rights and seamless compliance.
With an ever-growing database of users, businesses must embrace robotic automation to operationalize compliance and avoid falling behind in automating their processes.
Securiti is a renowned AI-powered data intelligence, data compliance, and governance solution. Owing to its PrivacyOps platform, organizations big or small can seamlessly comply with global data protection laws and regulations with a single click.
Request a demo today to discover how Securiti can operationalize compliance with LGPD.