The Example of Brazil’s Lei Geral de Proteção de Dados (LGPD) – Why Compliance with Foreign Laws is Vital for Multi-Country Payroll and HRM Functions

For the past few years, personal data collection and privacy have been under scrutiny around the world, and companies operating in different countries are required to carefully protect all the sensitive data they hold if they don’t want to be penalized. Concerns about privacy and data protection have generated a series of legislations worldwide. The creation of those new data protection laws and privacy regulations will substantially reshape international human resources management and global payroll outsourcing markets for years to come. Instead of fearing change, industry leaders and their customers can turn this transformation and the associated challenges into opportunities.

Personal data collection and privacy regulations worldwide

Essential, the laws like the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), in the United States, are meant to prevent data misuse and protect privacy. Only the global mobility specialists, international payroll outsourcing companies, and HR outsourcing service providers, who can implement highly compliant and privacy-oriented strategies, are able to adapt the changes and stand out in the cluttered market of international HRO wannabe specialists. Only the real experts in compliance will achieve their clients’ globalization goals and help them respect global privacy and data protection regulations.

The latest Brazilian General Data Protection Law (LGPD) at a glance

In that context, Brazil – with more than 200 million ultra-connected citizens – is the latest country to introduce a data protection law regulating how local and foreign companies collect, use, disclose and process personal data. Strongly inspired by the European GDPR, the Brazilian LGPD – the abbreviation of Lei Geral de Proteção de Dados – applies to all legal entities that process personal data of persons operating in Brazil and to persons with a registered office outside Brazil. There are currently more than 40 independent data protection rules in Brazil, which the new data protection regulation aims to harmonize in a holistic framework.

A timeline for the Brazilian General Data Protection Law (LGPD)

In December 2018, Brazil created the Brazilian Council for the Protection of Personal Data and Privacy along with a legal supervisory authority, the Autoridade Nacional de Proteção de Dados (ANPD). The ANDP’s role is to monitor and enforce the LGPD. Adopted in August 2018, the LGPD was initially scheduled to become effective in July 2020. Due to the COVID-19 pandemic, its launch was postponed until May 2021, when a part of the law should go into effect. However, the provisional measure postponing the effective date of LGPD until May 2021 needs to be confirmed by the Brazilian Congress on 26 August 2020. Regardless, the ANPD’s administrative sanctions will begin in August 2021.

The field of the Brazilian General Data Protection Law (LGPD)

The LGPD will replace existing local regulations for personal data privacy and protection and supplement the Brazilian Civil Rights Framework for the Internet and the Consumer Defense Code. The LGPD differs from the GDPR in its interpretation and approach to data protection. This difference means that the GDPR is more direct in its objectives, whereas LGPD is subject to different interpretations. The LGPD contains a broad definition of “personal data,” which, depending on the interpretation of the law, allows almost all data to be interpreted as personal data subject to the law. Hence, sensitive data that could be used for discrimination will be highly protected; for example, data related to racial or ethnic origin, health conditions, religious belief, political opinion, or genetic data.

Application of the Brazilian General Data Protection Law (LGPD)

In short, the LGPD law applies to all the companies that have offices in Brazil, provide services in the Brazilian market, and use the data of Brazilian citizens. The LGPD applies if you have a branch in Brazil, provide services to someone based there, regardless of his nationality, and treat his personal data. This means that all data collected and processed in Brazil are protected. To be clear, it will apply to any business that processes personal data in the Brazilian market, even beyond the Brazilian borders. Employees moving to Brazil, for example, are therefore subject to LGPD’s privacy protection since they generate data. It is essential to understand, for example, that personal data like salaries – even sent or received directly by employees through third-party payroll providers – are covered by the LGPD.

What the Brazilian General Data Protection Law means for multinational companies

Actually, the LGPD applies to anyone whose data was collected while they were in Brazil, even if they are not residents. This means that if your company has operations in – or with – Brazil, you must be prepared to comply with the new rules, whether or not you ever set foot in the country. Just as with the GDPR, companies can’t stop doing business in Brazil or stop serving Brazilian customers just to circumvent the rules. LGPD does not include the data collected for personal uses; journalistic, academic, or artistic purposes; and national security, defense, criminal investigations, and public safety needs. To learn more, click here.

Compliance with LGPD Vs. Compliance with GDPR

Similar to the European GDPR rules, the LGPD requirements apply to international companies even when they are based abroad. In short, companies in all sectors must adapt over the next months, and a new culture of the appropriate use of data must emerge. While the LGPD is likely to present several compliance challenges for local businesses, those who see personal data protection as a critical part of their business model are likely to use it as a differentiator. Compliance with clear and transparent rules will increase consumer confidence in businesses and the market since it allows them to provide the same level of protection for personal data as in other countries.

The nine fundamental rights granted by Brazil’s LGPD

Article 18 of the Brazilian’s LGPD grants a list of nine fundamental rights to those who share their personal data. They must confirm having the knowledge that their data are being treated and give consent to their treatment. They must be informed of their right to deny consent and that their consent can be revoked at any time. They must have the possibility to access their data any time and are granted the right to correct missing, wrong, or old data. They are allowed to anonymize, redact, or delete all unnecessary data or data that do not match the LGPD requirements. They can remove or delete sensitive data at any time. They are authorized to know with whom the data have been shared.

How to comply with the Brazilian LGPD

If your company is already GDPR compliant, it will probably quickly become LGPD compliant. But here are a few steps to help you get there, and we recommend asking for Mercans’ support to ensure a smooth process. We suggest you hire a Data Protection Officer (DPO) to take care of the transition on your behalf and liaise with Brazilian authorities before August 2021. We strongly recommend that you collect in Brazil only the data you need and avoid collecting sensitive data related to ethnic origin, race, religion, and political associations.

Mercans can help you establish a data governance program and determine the kind of data you have already collected, including data in motion and at rest, structured and unstructured data, and known and unknown data. Finally, make sure that your business partners and your third party suppliers are compliant, as this can become a liability for your organization. Remember that companies – regardless of their size – that do not comply with the LGPD could be fined up to 2% of their revenue or up to BRL 50M, i.e., around USD 9.5M. This is less than the fines for non-compliance under GDPR, but small businesses cannot survive such penalties. Although there are a few months to go until the entry into force of the Brazilian General Data Protection Law, human resources departments, payroll managers, and companies at large, must prepare as soon as possible for the new rules.

What Mercans can do for you – Local Statutory Compliance Solutions

Companies with business in or with Brazil will definitely benefit from the Mercans expertise in compliance. Whereas most of the companies still prepare to adapt to Brazil’s new data protection law, Mercans is already all set for the LGPD compliance challenges facing its clients and their teams in Brazil. For example, to help your company comply with these changes, Mercans can become your Data Controller (DC) or your Data Protection Officer (DPO) and liaise with local law enforcement authorities in Brazil.

Complying with the LGPD, GDPR, and CCPA – and of course, all similar regulations and, more broadly, any foreign labor laws, employment regulations and local rules, like WPS – allows you to mitigate risks throughout the implementation of your global expansion. Not only will you avoid nasty fines with appropriate data governance, but it will help you build trust-based relationships with your employees and your clients as you will show that you have their best interests in mind. Don’t wait, be ready, and ensure that your organization is fully compliant abroad. Contact us to learn more.