Does LGPD Require a Privacy Assessment?

Understanding LGPD and DPIA: Requirement, Process, and Compliance

The Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) includes provisions similar to the GDPR, aimed at protecting the privacy and personal data of individuals. One of the important aspects of LGPD is the requirement for a Data Protection Impact Assessment (DPIA). This article explains whether LGPD requires a DPIA, how to conduct one, and what actions to take to ensure compliance.

Does LGPD Require a DPIA?

Yes, the LGPD requires a DPIA in certain circumstances. Article 38 of the LGPD mandates that data controllers must carry out a DPIA when processing activities are likely to result in a high risk to the rights and freedoms of data subjects. This assessment helps to identify and mitigate risks associated with data processing activities.

How to Conduct a DPIA under LGPD

1. Identify the Need for a DPIA
   • Determine whether your processing activities require a DPIA. Indicators include processing large volumes of sensitive data, systematic monitoring of publicly accessible areas, and data processing that could impact data subjects’ rights and freedoms.
2. Describe the Processing Activities
   • Provide a detailed description of the processing operations, including the purposes of the processing, the types of personal data involved, and the categories of data subjects.
3. Assess Necessity and Proportionality
   • Evaluate whether the data processing is necessary and proportional to achieve the intended purposes. Consider alternative methods that could achieve the same objectives with less impact on data privacy.
4. Identify and Assess Risks
   • Identify potential risks to data subjects’ rights and freedoms. Assess the likelihood and severity of these risks, taking into account factors such as the nature of the data, the scope of the processing, and the context in which it occurs.
5. Implement Measures to Mitigate Risks
   • Develop and implement measures to mitigate identified risks. These can include technical measures (e.g., encryption, anonymization) and organizational measures (e.g., policies, training, access controls).
6. Document the DPIA
   • Maintain detailed documentation of the DPIA process, including the identified risks, assessments, and mitigation measures. This documentation demonstrates compliance with LGPD requirements.
7. Consult with the Data Protection Officer (DPO)
   • Involve the DPO in the DPIA process. The DPO can provide valuable insights and ensure that the assessment complies with LGPD requirements.
8. Review and Update Regularly
   • Periodically review and update the DPIA to account for changes in processing activities, identified risks, or the legal environment. Continuous monitoring ensures ongoing compliance with the LGPD.

Filing a Complaint

If you believe an organization has failed to conduct a DPIA when required, or has inadequately addressed the risks, you can take the following steps:

1. Contact the Organization
   • Reach out to the organization’s data protection officer or privacy department to express your concerns. Provide details of your observations and any supporting evidence.
2. File a Complaint with the ANPD
   • If the organization does not address your concerns, you can file a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD). Provide all relevant information, including details of your concerns and any communication with the organization.
3. Seek Legal Action
   • In cases of significant non-compliance, you may consider seeking legal advice to explore further actions, such as filing a lawsuit for damages caused by the violation of your rights.

DPIA Process Chart

Step	Description
1. Identify the Need	Determine if processing requires a DPIA.
2. Describe Processing	Detail processing activities and purposes.
3. Assess Necessity	Evaluate necessity and proportionality of processing.
4. Identify Risks	Identify potential risks to data subjects.
5. Mitigate Risks	Implement measures to mitigate identified risks.
6. Document DPIA	Maintain detailed documentation of the DPIA process.
7. Consult with DPO	Involve the DPO in the DPIA process.
8. Review and Update	Periodically review and update the DPIA.

Are Your Processing Activities Considered High Risk?

The LGPD requires a Data Protection Impact Assessment (DPIA) for processing activities that pose high risks to individuals’ rights and freedoms. Conducting a thorough DPIA helps organizations identify and mitigate risks, ensuring compliance with LGPD and protecting data subjects’ privacy. If an organization fails to comply with DPIA requirements, there are steps a data subject can take to file a complaint and seek enforcement of their rights. At Captain Compliance we work to situate you and your company so that you will not have these issues and have compliant data privacy and protection policies, actions, and software in place.