General Data Protection Rule: What is it, how does it work, and how to adapt to it?

Luís Felipe Neiva Silveira
6 min readMay 1, 2020


“Warning: use of cookies!”. In the last months you must have noticed this message appearing on a pop-up window every time you visit a new website. This frequent warning is one more of the various changes we are going to see with the arrival of the General Data Protection Rule in Brazil, also known as LGPD (in Portuguese). We are entering the age of information as a consumer good.

This moment is part of the so-called 4.0 revolution. Considered the Fourth Industrial Revolution, this industry represents very well the moment we live in, when data are decisive for any business. The new data protection rule came to alter the functioning of every enterprise, in Brazil and the world, but it still seems unclear for many. A research made by Reclame Aqui in 2019, for example, showed that 41.6% of Brazilian enterprises do not know what the LGPD is.

But before understanding the rule, it is important to understand its context and why it is so important to invest in data protection from now on.

How did the LGPD appear?

The origin of all that arises from information, since it is the most valuable asset for the generation of business. One of the first to understand the value of data was a Psychology Professor, Aleksander Kogan, who collected data from more than 270 thousand users through a test on Facebook. He gathered information such as name, last name, location and web page likes on the social network and sold it for an enterprise called Cambridge Analytica.

In 2015 that fact became known to the creator of that network, Mark Zuckerberg, who accused the professor of data violation, since Facebook forbids transfer of information to third parties. The test was cancelled and the data were excluded — or at least it was thought so. From then on, discussion about data protection was raised even more forcefully.

That case fostered the creation of the General Data Protection Rules (GDPR), a set of rules of the European Union with a view to regulating data privacy. And from the GDPR the discussion about the LGPD appeared in Brazil, since our country also needs to adapt to those rules in order to take part in that economic bloc.

What is the LGPD?

But what does the LGPD mean in practice, after all? From the moment we turn on our computers or the screen of our cell phones we are supplying data. However, we have to understand that data are not only those which exist within the digital environment, as Welington Strutz, Pre-Sales Manager of Qriar Tecnologia explains.

“A building which collects data from people who come in and out of it is a very clear example of whom must adapt to the LGPD, even if it's only about paper and pen”, he declares. “If I’m the owner of that building, it's important to clarify for the visitors the reasons why the data are being collected, and not only state that ‘it's for the records’. The purpose of the law is to allow people to hold their data, understand the reasons why it is collected and allowing them to decide whether or not they want companies to have access to it ”, he says.

Like the example quoted in the beginning of this article, every user is bombarded with cookies warnings when visiting a news portal. Even if no financial transaction is being made in them, there is an exchange of data when portals redirect news. Those data were, until then, often being collected and used without the user’s consent.

“It is necessary to acknowledge the personal data that the company collects, whether from customers, employees and business partners, review the reasons for which this data is being collected, and find opportunities to simplify administration, reduce the number of registrations through data consolidation when it's possible, and improve the experience of individuals in accessing and managing their information on digital channels”, explains Welington. “Our job at Qriar is to enable digital businesses by balancing convenience and protection in access through solutions centered around identities and APIs that connect people, their devices and information in a practical and secure way”.

Who must adapt to the new data protection rule?

In other words, every enterprise which collects information from clients will need to adapt to the new data protection rule, no matter the size or use of those collected data. “It’s about giving power to holders of information to decide to keep, erase or manage which data will be used and how”, Welington explains. “And that goes for a building reception as well as the human resources sector of an enterprise which keeps resumes; for enterprises which have just a dozen registers or enterprises with a gigantic databank”.

According to a survey made by Capterra, only 40% of small and medium entrepreneurs are prepared for the arrival of the LGPD in Brazil. The rule will demand that enterprises make a continuous investment to protect data from clients. The LGPD will not be applied just in cases of journalistic use, academic use, public security use, or in case of data originated in other country and only transiting in Brazil.

Effect and penalties for non-compliance of the LGPD

The General Data Protection Rule was predicted to come into force in August, 2020, but recently the Senate voted for its postponement due to the COVID-19 crisis. That extends a little further the term for Brazilian enterprises to adapt to the new rule.

That voting of the Senate determines the date that the rule will come into force, but its supervisory organ, called National Data Protection Authority (ANPD, in Portuguese), is the one who will define the date that sanctions can apply. Approval is still necessary by the Chamber of Deputies, which shall even propose adjustments in the future.

The effect of the new rule from January 1st, 2021 implies that any individual, as data holder, will be able to request access to, exclusion of, or even revocation of consent previously given to the concerned data.

According to Leandro Avanço, Researcher at the Center for Information Technology, Automation and Mobility (CIAM) of the Institute of Technological Researches (IPT, in Portuguese), the relation between the enterprise and the supervisory organ of the LGPD must be established by a single data professional, the Data Protection Officer. The DPO will be responsible for supervising changes within the enterprise in order that it be in total accordance with the new data protection rule.

For those who do not comply with the LGPD, penalties will be as follows:

· A warning;

· Fine of up to 2% of the legal entity’s income in its last financial year (with limitation of 50 million reals per infringement);

· Daily fine observing the limitation above mentioned;

· Blocking of personal data;

· Elimination of those personal data from the database of the institution;

· Suspension or forbidding of activities for the handling of those data;

· Publicization of the infringement.

10 questions to measure how prepared your enterprise is for the LGPD

In order to help your enterprise to verify how prepared it is for the applying of the new General Data Protection Rule, we have selected a checklist.

1. Can you find your data?

2. Can you classify and protect your data?

3. Can you manage the access of employees to data?

4. Can you manage your test data?

5. Can you manage the applications which process your data?

6. Can you avoid misuses of privileged user accounts?

7. Can you safely balance easy access to data?

8. Can you manage data in directories?

9. Can you clean non-utilized user accounts?

10. Can you identify data leaks in real time?

For more information about the LGPD and how to make your enterprise avoid penalties, Qriar Tecnologia has a team of cybersecurity specialists to help your business. Contact them here!



Luís Felipe Neiva Silveira

2Future is a holdings company formed by enterprises focused on supporting future generations.