Check out the highlights from our LGPD event – Sanctions and Fines.

On Tuesday, July 13th, our most recent online event in the Privacy Above All series took place, specifically addressing the sanctions and fines of the LGPD (General Data Protection Law).

The chat was streamed on YouTube and lasted one hour. The participants were Paula Chiesa (Legal Counsel at PrivacyTools), Christian Perrone (Lawyer and Fulbright researcher, Georgetown University, USA), José Antonio Milagre (Director of CyberExperts), and Denise Tavares (Lawyer, consultant, and Founding Partner of the law firm Denise Tavares Advocacia & Consultoria and of DT3Class Desenvolvimento e Treinamento em Direito e Tecnologia).

 

Here are the key insights from the speakers at the event:

 

1 – We cannot compare LGPD with GDPR.

Denise Tavares mentioned during the conversation that many people compare Brazilian data protection law with European law. She argues that this comparison is not ideal, since the privacy culture in Brazil is less mature.

 

“When we talk about how European data protection authorities take an educational approach before imposing fines, we are talking about a topic that has been regulated in Europe since the 1990s,” Denise explained.

2 – Controls are necessary for compliance.

According to José Milagre, a company cannot prove that it complies with the LGPD without adopting controls and technical measures. The director of CyberExperts also stressed that the LGPD is not only about the correct use of data, but also about adopting measures to protect that information.

 

“The connection between information security and data protection is evident,” José emphasized. “The law tells us what we need to control, but it doesn’t say how we’re going to control it, what measures to take.” Backups, access control, and accurate logs are some examples of control measures mentioned in the conversation.

 

3 – Choosing the Data Protection Officer is crucial.

 

“This is the most important choice a company will have to make in the entire compliance process,” says Christian Perrone. It is the Data Protection Officer (DPO) who will assist data subjects before they seek legal recourse to assert their rights.

“You should provide almost immediate access to the data. After 15 days, you have to deliver a series of other elements to satisfy that right. If the person asks to delete the data and you don't even know where it is, you have an extremely complex situation,” Christian emphasized.

 

4 – The LGPD added an extra layer to the CDC (Consumer Protection Code).

Denise emphasizes that the LGPD is a general law that reinforces the Consumer Protection Code (CDC). “The CDC had a rule against including consumers in databases without their consent. The LGPD introduced a series of other rules. Companies need to consider both and comply with everything. A joint interpretation is necessary.”

 

To watch the event in its entirety, go to the PrivacyTools YouTube channel.
