Hello everyone, it's Chris Stevens. I am the INFOSEC Institute's instructor for its Information Privacy Essentials for Cybersecurity Professionals learning path. In this course, we're going to continue our discussion on several of those important international information privacy and data protection laws that have been enacted over the recent decades. Specifically, we're going to look at Brazil's General Data Protection Law of 2018, the LGPD. Now, I was interested in the law; the United States Army had paid money to train me as a Portuguese linguist. However, when I was trying to read the law in Portuguese, I found out quickly how perishable language skills are. This law is important because, again, it reflects the passage of another law that takes some of the essence of the GDPR and incorporates it into its own national laws. Now, the LGPD is not the first law passed in South America. You have Argentina and Uruguay, which are two countries that have been designated by the European Commission as being adequate, a term that we've talked about often in this course. But Brazil's law reflects the needs of the Brazilian government, the Brazilian people. It is not a mirror image of the GDPR. It takes some of the essence of the GDPR and incorporates it into this important law. Now, this law itself is interesting enough because, again, it faced several presidential vetoes. Again, the Brazilian government itself overrode those, and then it was in August of 2018 that this law was enacted, but it was phased in over three separate phases. Now, the first phase was to create a term which we refer to as a supervisory authority, that national entity responsible for enforcing the law, and also working with data controllers and data processors to understand what their obligations are under the law. And so the first phase dealt with establishing the Brazilian National Data Protection Agency. Now, the acronym in Portuguese breaks out to be ANPD.
And defining what its role is. It became effective in December of 2018, but it didn't become operational until recently, November of 2020. Now, the individual rights and freedoms enjoyed by Brazilians, the obligations imposed on data controllers and data processors, and the requirement for privacy officers didn't take effect until September of 2020. And then the third phase was, again, authorizing the ANPD, the supervisory authority for Brazil, to actually fully enforce the law, which occurred on August 1st of 2021. Now, the ANPD took a two-year approach to really address some of the nuances of this law through guidelines and regulations. It's been actively working on those guidelines, but it's also starting to look at the enforcement aspect of the law, looking at major data breaches, looking at some mass distribution of personal data. So we're going to start seeing much like we saw with the GDPR. Although that law was fully enforced on 25 May of 2018, it took the supervisory authorities about a year to really look at these organizations that might be in violation of the law, and then we started seeing the first set of administrative penalties assessed against these companies for noncompliance. This law itself says that if you're noncompliant, you need to address that now, since, again, this law is going to be fully enforced after August 1st. And it's our job as cybersecurity professionals and other professionals to assist our organizations in remaining compliant with laws such as the LGPD. We're going to talk more about the LGPD throughout this video. So what are some of our objectives? I don't want you to get sticker shock because, again, we're going to talk about a number of issues. We're going to talk about its purpose, its disciplines; again, every good information privacy law, data protection law, is going to have grounded guiding principles.
We're going to talk about consent and some of the legitimate legal bases under which data controllers can process Brazilian personal data. We're going to talk about the use of anonymization and pseudonymization, especially as it applies to public health research. We're going to talk about, again, requirements for terminating data processing and handling requests, verified requests, for personal data. Much like we talked about in the preceding laws, we're going to talk about some of those requirements for international transfers of personal data outside of Brazil. We're going to talk about some of the data protection officer requirements, its security provisions, and those administrative sanctions that you're faced with for noncompliance. We're going to talk about, again, when the law isn't applicable. We'll talk about, like we talked about in the GDPR, sensitive personal data, which we refer to in the GDPR as special categories of data. Like many of these laws, it looks to protect the rights and freedoms of children. So we'll talk about that from the standpoint of how you can legally and lawfully process a child's or an adolescent's personal data. We'll look at some of those data subject rights protections; again, some of the data controller and data processor requirements, liability and loss compensation. And then we'll conclude with good practices and governance requirements. Like I told you before, buckle your seatbelts and get ready for this ride. So let's look at the purpose of this law itself. Much like we saw up to 2018, we saw a number of countries across the globe really modify or implement new data protection laws that took certain aspects of the GDPR. And so when we talk about this LGPD, it looked at really providing guidance to those covered entities, those data controllers.
Those data processors that were collecting, using, disclosing, retaining, and disposing of a Brazilian data subject's personal data. And, like we said, these laws apply to living and breathing people, natural data subjects or persons; they don't necessarily extend protection to the deceased. And in this case, we're talking about an individual or a legal entity, or a public or private entity, that kind of has to comply with Brazilian law. It's also there to protect the fundamental rights and freedoms of those Brazilian data subjects, which is a theme that we've seen continued across these different laws, regardless of where they are jurisdictionally and geographically. Let's talk about some of the disciplines. It first starts with respect for privacy, respecting the rights and freedoms. Now, this is a continued discussion or belief that privacy is a fundamental right that's supposed to be embraced and protected at all times. Making sure that, again, we account for freedom of expression, information, communications and opinions; that we look at and consider, because as I said before, technology will always outpace the law, the impacts of economic and technological development and innovation. Respecting the human rights, the dignity and persons of Brazilian data subjects; ensuring that we have informed self-determination, allowing individuals to have some modicum of success over how their information is processed, how their personal data is processed. Making sure that we're not violating the intimacy, the honor and image of these Brazilian data subjects, but also making sure that we're promoting the use of free enterprise and free competition while also protecting the rights and freedoms of consumers. Let's talk about applicability and non-applicability. So when does this law apply, and when doesn't it apply?
It applies to any processing operation carried out by either a living person, a natural person, or a legal entity of public or private law that has complied with those, regardless of the method by which you process the information, the country in which its headquarters is located, or the country where the data is located. Now again, that means that, say for instance, if I were a company in the US that is processing the personal data of a Brazilian and I'm headquartered in the US, I still may find myself having to comply with the LGPD. Now there are things that we have to consider: the processing operation is carried out within the geographical territory of Brazil; you're doing this processing because you offer a good or service, or process that data, for individuals that are physically located in Brazil. If you remember the GDPR, we were talking about the territorial scope; the LGPD takes some of these applicability conditions from Article 3 of the GDPR. And then the personal data being processed was collected in the national territory. This is where it differs, and so we're talking about, again, you're processing Brazilian personal data within Brazil, the individuals, the Brazilian data subjects, are physically located in Brazil regardless of where that company is headquartered, and then you collected and processed that information within the geographical boundaries of Brazil. Now when isn't the LGPD applicable? Much like we saw under Article 2 of the GDPR, if you're doing it for your own private, non-economic purposes, you have your own household directory, then you don't have to comply. If the processing is done for journalistic or artistic purposes, for academic or educational purposes, if it's done explicitly for the purpose of maintaining public safety, national defense, law enforcement, or state security.
Now these are continuations of discussions that we had on the GDPR under its Article 2, and we talked about some of those exemptions to the material scope, or if the processing originates outside of Brazil, then again, this law doesn't apply. These are the principles. There are 10: purpose, suitability, necessity, free access to your data, data quality, transparency, security, prevention, nondiscrimination and accountability. Let's talk about some of those requirements for the processing of personal data. If you're going to be an entity that complies with the LGPD, you can do that with the consent of the data subject. Much like we've talked about before, it can't be coerced; it has to be freely given, it has to be clear and conspicuous, and the data subject has to be able to withdraw it by the same method in which that consent was granted. Or to comply with a legal or regulatory obligation that's been levied on the controller; in support of execution of contracts or similar agreements; for carrying out studies for research entities, but ensuring that, again, you're using anonymization when processing personal data, removing all of those personal data identifiers. To comply with Brazilian arbitration law, again, exercising those rights in judicial, administrative or arbitration procedures, legal procedures. When someone is incapacitated, in cases of vital interest to the individual. In cases when we're talking about, again, protecting the health, sex, sexual orientation, the health of the individual. To maintain the legitimate interests of that controller or a third party, but again, here you have to make sure that you're doing the same balancing act that we talked about under the GDPR; you have to make sure that the legitimate interests of that data controller or processor can't override the rights and freedoms of that data subject, and you have to do that balancing test. And then for the protection of credit, as is protected under Brazilian law.
Let's talk about consent, access, and legitimate interests. Your data subject should give that consent in writing or by another means that demonstrates that the data subject is willingly and voluntarily providing consent for the processing of this personal data. If it's contained in contractual instruments, you gotta make sure that it stands out, that it is clearly identified from other contractual clauses. The burden of proof is placed on that controller to show how it obtained that consent freely, transparently and lawfully. If that consent is achieved in violation of the LGPD, then it's not valid. Much like we've seen across the globe and in enforcement in other jurisdictions, the consent must be specific; you can't use bundled consent, trying to use one consent to provide multiple opportunities to process an individual's personal information. If it's ambiguous, broadly stated, then again, it's noncompliant with the LGPD. I as a Brazilian data subject should be able to withdraw my consent at any time free of charge. And then if there are any changes in the way that information is processed or the conditions for consent, then that controller must notify that data subject. Let's talk about access, just like we talked about in these preceding laws. A Brazilian data subject has the right to request access to their information, to know when information has been collected by the data controller, to know how that information is being used, and to be able to request that free of charge in a reasonably acceptable format. So you as a data controller, you have to tell that Brazilian data subject: why are you collecting this information? What's the legal basis for collecting my personal data? The type of personal data you're collecting, how long the processing is going to take place? You have to identify yourself, provide contact information on yourself as a controller.
You gotta make sure that you provide information on additional uses and sharing of that data by the controller with other entities and the purpose of that sharing. You have to identify the responsibilities of those agents that will carry out the processing, whether it's a processor, data processor or additional third-party sub-processors. You have to state what those individuals' rights are, those ten rights we talked about, the data subject rights. And there is an explicit right to request information on the processing activities that are occurring or conducted by the controller. Let's talk about legitimate interests. I want you to remember one thing, and I would say the same thing on the GDPR. If you are a data controller or processor claiming legitimate interest, you need to ensure that your legitimate interests don't supersede or override the rights of that data subject. If they do and you can't justify that legitimate interest, you may find yourself noncompliant with this law and facing the scrutiny of the ANPD. So what the law says is that you can only claim, as a controller, your legitimate interest based on the situation if it is in support and promotion of your activities as a controller. You've demonstrated the protection of that data subject's rights and their right to exercise those, and ensured that the provision of these products and services benefits the controller. You can only process that information for the necessary purpose and for proportionate reasons to process that information. You gotta make sure you include transparency, to make sure that the data subject understands what your processing activities and processes are. And then the ANPD can request at any time an impact report on your processing activities as they might impact that data subject, based on its legitimate interest. Let's talk about the processing of sensitive personal information, which is extremely important. We talked about this term.
We've used other terms like special categories of data when we talk about sensitive personal information: information that, because of its origin, risks and activity, poses high risks, significant risks, to the data subject. And so if you are a data controller and you're going to be processing sensitive personal information, you have to meet certain conditions. We talked about processing without consent from the data subject when it is required for the controller to comply with a legal or regulatory obligation; the law says you have to do it. When it's shared in support of national laws that are stated, public laws. When that research entity has applied anonymization and removed all the sensitive personal information from that record or data set. In support of a contract under contract law; judicial, administrative or arbitration procedures as they apply to contracts; to sustain the life of an individual for vital interests; protecting the health of an individual, as again, we talked about sustaining life. And in cases, from a company standpoint or data controller standpoint, to prevent fraud. And also to respect the safety of that data subject when it applies to using identification in association with certain electronic systems. Let's talk about anonymized data, public health research and pseudonymized data. We used the term pseudonymized in our discussion on the GDPR. And we said that, again, it's really the substitution of data for original values to really provide another layer of security, to separate the original values from the individual. And so you use that pseudonymized data to really provide another modicum of security. Much like many of these laws, if the data is anonymized, if it's been de-identified, then again, it doesn't fall under the context of the law. Again, when we talk about public health research.
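The pseudonymization and anonymization just described, as an added Python example that is not part of the course material or the LGPD text: direct identifiers in a constructed health-study extract are swapped for keyed tokens whose key and lookup table live in a separate vault object, and an irreversible anonymization path drops them entirely. The field names, the vault design, and the sample records (the CPF values are not real) are my assumptions.

```python
"""Pseudonymize vs anonymize a constructed public-health study extract.

Assumed design (mine, not the LGPD's or any library's): direct identifiers are
replaced by keyed tokens; the key and the token->value lookup sit in a vault
that is meant to be stored and access-controlled apart from the working data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Fields treated as direct identifiers in this constructed schema.
DIRECT_IDENTIFIERS = ("cpf", "name", "email")

# Constructed sample extract; the CPF numbers are placeholders, not real ones.
STUDY_EXTRACT = [
    {"cpf": "000.000.001-91", "name": "Ana Souza", "email": "ana@example.org",
     "age": 34, "city": "Recife", "diagnosis": "dengue"},
    {"cpf": "000.000.002-72", "name": "Bruno Lima", "email": "bruno@example.org",
     "age": 47, "city": "Recife", "diagnosis": "zika"},
    {"cpf": "000.000.001-91", "name": "Ana Souza", "email": "ana@example.org",
     "age": 34, "city": "Recife", "diagnosis": "dengue follow-up"},
]


@dataclass
class PseudonymVault:
    """Secret material needed to re-identify; keep it apart from the data set."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)  # token -> (field, original)

    def token_for(self, field_name, value):
        # A keyed hash yields the same token for the same value, so records of
        # one person stay linkable inside the study, while the token itself is
        # unguessable without the key.
        mac = hmac.new(self.key, f"{field_name}:{value}".encode(), hashlib.sha256)
        token = mac.hexdigest()[:16]
        self.lookup[token] = (field_name, value)
        return token


def pseudonymize(records, vault):
    """Return copies of the records with direct identifiers replaced by tokens."""
    out = []
    for rec in records:
        new = dict(rec)
        for name in DIRECT_IDENTIFIERS:
            if name in new:
                new[name] = vault.token_for(name, new[name])
        out.append(new)
    return out


def reidentify(record, vault):
    """Reverse the substitution; only possible with the matching vault."""
    new = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in new:
            _, original = vault.lookup[new[name]]
            new[name] = original
    return new


def can_reidentify(record, vault):
    """True if every token in the record resolves through this vault."""
    return all(record[n] in vault.lookup for n in DIRECT_IDENTIFIERS if n in record)


def anonymize(records, age_band=10):
    """Drop direct identifiers and coarsen age. No vault is kept, so this is
    irreversible, the de-identified case the course says falls outside the law."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        lo = (rec["age"] // age_band) * age_band
        new["age_band"] = f"{lo}-{lo + age_band - 1}"
        del new["age"]
        out.append(new)
    return out


if __name__ == "__main__":
    controller_vault = PseudonymVault()        # stays with the controller
    research_copy = pseudonymize(STUDY_EXTRACT, controller_vault)
    print(research_copy[0])                     # tokens instead of CPF/name/email
    print(reidentify(research_copy[0], controller_vault))
    print(can_reidentify(research_copy[0], PseudonymVault()))  # a fresh vault cannot
    print(anonymize(STUDY_EXTRACT)[1])
```

Linkage is preserved (the two Ana Souza rows share one token), which is what lets the study follow a patient without holding the identifiers; destroying the vault turns the pseudonymized copy into something closer to the anonymized output.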
In the cases when we're carrying out these public health studies, researchers can access personal information solely for the purpose of the study and conducting research. But they have to ensure they have the administrative, physical and technical safeguards in place to do so. Pseudonymization is one of those processes embraced and espoused by the GDPR, and it is also espoused by the LGPD. It says that, again, by using substitutional data, you can no longer directly or indirectly re-identify that data subject. But one of the key provisions is to make sure that you keep your pseudonymization table, or other data repositories, separate from the original values. Processing of children's and adolescents' personal data is extremely important. When I worked at the Department of Homeland Security in its Office of Intelligence and Analysis, I provided intelligence analysts to the department's Immigration and Customs Enforcement operational entity. And it was ICE that operated the Human Smuggling and Trafficking Center. They specifically looked at, interdicted against, cases of human smuggling and sex trafficking. And in there, we saw that approximately 40% of all children that are targeted for the sex trade are targeted when they have the ability to do something online. That's why in the United States we have laws like the Children's Online Privacy Protection Act of 1998 that says that you can't operate or advertise online to children under the age of 13. The GDPR provisions range from under the age of 16 but no younger than 13. And so if you're under the LGPD, if you're going to be processing a child's or an adolescent's personal data, you have to consider these things. You have to make sure that as a data controller or data processor you're doing this processing in the best interests of the child. You're going to make sure that you have the consent of at least one of the parents or the legal guardian or representative.
You gotta make public a notice about the types of data you're collecting from these children, how you're using it, and how you're protecting the rights and freedoms of the child. Now there are cases where you can collect that data when it's necessary to contact their parents or legal guardians. Say for instance, we know children are very inquisitive and also very smart, and so what they'll do sometimes is apply to use some of these social media outlets or other content online. And so if you believe that you have a child that's engaging in those practices under the LGPD, you have the ability to make use of that child's personal information to contact the parent or legal guardian or representative and let them know. You have to make sure that, again, you can do it one time; you're not storing any information, nor are you sharing that information with third parties without the legal guardian's or the parent's consent. Controllers like, again, content owners and operators themselves, companies that advertise to children, can't make consent for or access to those games, internet applications, and others contingent upon them providing a child's personal data or an adolescent's personal data. You gotta do everything you can, using generally accepted technologies and approaches, to try to reasonably attempt to verify the age of that child or adolescent. You gotta give notice; it's gotta be in clear, conspicuous language written to the language of the individual, considering the aptitude and abilities of that child, so they can understand exactly what they're consenting to. Let's talk about termination of data processing and personal data deletion. And so again, these are the conditions in which a data subject can request that you terminate the processing of his or her personal data. First of all, before you do so, you gotta make sure that, again, there is no longer a legal, lawful purpose, a specific purpose, for processing that information, and verify that.
It can occur when, again, contractually at the end of the processing period there's no longer a need to process that data. You gotta make sure in your notices that you notify the data subject that he or she has the right to revoke their consent at any time. And that's subject to compliance with national laws themselves that are applicable. When the ANPD determines that that data controller or data processor has violated the LGPD, then there can be a cessation in the processing of that personal data. When we talk about personal data deletion, we're talking about, again, terms like we used before under the GDPR, the right to erasure. And so again, if you're going to delete that information, you need to make sure that you're using the appropriate abilities and processes to do that, to delete that information, not only from your active holdings but your backup holdings and all other holdings for these purposes. You're told to do that when you've got a legal or regulatory obligation where they direct the controller to do so. When you're engaging in conducting studies and research, and to ensure that the anonymized data has been appropriately handled. When you're transferring data to third parties as required, contingent upon being compliant with the law. And when used by the controller, when access granted to a third party has been prohibited and the data has been anonymized. Data subject rights. We're seeing them written across the globe. You look across the globe, and now these data subject rights are enforceable. And so, again, it starts with: you have the right as a data subject to defense of your own interest for privacy and privacy protection; for personal data subject rights in relation to the controller; for personal data subject requests; the right to review decisions based on automated processing of the personal data. We talked about that in our preceding laws, under the UK DPA of 2018 as well as the GDPR.
To where you don't have to be subject to decisions derived from the automated processing of your data when they will negatively or adversely impact the data subject without having some human intervening. And then basically the regular exercise of a data subject's rights as defined under the LGPD. When we talk about international transfer of personal data, this is extremely important. Now, because the LGPD, much like the other laws we've talked about, is really considerate and really scrutinizes the international transfer of the data subject's data outside of the territory, in this case outside of Brazil, there are conditions that you have to meet as a controller or processor if you're going to be transferring Brazilian personal data outside of Brazil. Much like we saw in other laws, if you're transferring this personal data to a country or an organization that meets or exceeds the data protection provisions of the LGPD, that is one condition. When the controller uses generally accepted processes for the transfer of this personal data internationally: using, like we talked about, the standard contractual clauses, binding corporate rules, ad hoc contracts, and other derogations under the law. When we're sharing this information for intelligence and law enforcement purposes. With the enactment of the LGPD, it doesn't have a complement like we saw with the GDPR or even some of the provisions under the UK's DPA of 2018 that accounted for law enforcement processing of personal data as well as by its intelligence services. And so here this is just a mechanism that really looks at mutual legal assistance and other requirements and mechanisms in place for sharing Brazilians' personal data in support of those law enforcement and national security initiatives. For life-saving purposes, to transfer that information to a third party; we see this with these epidemics, these pandemics, where again, to save a person's life, that information has to be provided.
When the ANPD authorizes the transfer; when this is done as a part of an international treaty or an international agreement; when it's in support of public law, national law; when you have the explicit, express, affirmative consent of the individual, the data subject, and he or she has given his or her consent, and you've given them the explicit information that details the purpose of the processing and transfer of this data internationally. And then the catch-all is when you have to comply with items two, five, and six. So, continuing our discussion, what are some of those international transfer data protection requirements? You have to go and look at those data protection practices and other laws of the receiving international organization or the receiving country to ensure that it meets or exceeds those data protection provisions as stated in the LGPD. You gotta look at the nature of the data, you gotta look at the entity that's receiving it, their respect for the rights of law and the rule of law, human rights, the rights of the data subjects, making sure that you have the appropriate security safeguards in place. Yeah, again, security in place when you're transferring that data internationally, when you're meeting judicial or institutional guarantees, respecting the rights of the data protection and processes, and then for other reasons. Now, what are some of those other acceptable international personal data transfer methods under the LGPD? It means that, again, you have to go back and ensure that you respect the rights and freedoms of these individuals and state that, again, you have the security practices in place to protect that data. You can go back and look at your contractual instruments, other legal requirements, your binding corporate rules, standard contractual clauses, that have been submitted to the ANPD for approval, to make sure that you verify that process and make sure that you're complying with the law.
Now, like we've seen with the GDPR and with the UK DPA of 2018, again, these laws themselves are also trying to encourage self-regulatory entities to adopt their own certification practices, to ensure that, again, data controllers and data processors are complying with the law. We also talked about, again, making sure that the data controller or data processor can state explicitly, again, what those guiding principles are that they're using from a data protection perspective to protect this information, and making sure that those processes are compared against my data subject rights as a Brazilian natural person, to ensure that you have the appropriate military, I mean, I'm sorry, administrative, physical, technical safeguards, or technical and organizational measures, in place that are adopted not only by the controller but also by the processor. What do you have to do as a controller or a processor? We've used these terms in our discussions on the GDPR and our discussions on the UK DPA of 2018, so what do you have to do? You gotta maintain records of your processing activities. And you also have to state the legitimate interest. When you're using legitimate interests, state and demonstrate, again, how that legitimate interest does not override the rights and freedoms of that data subject. You got to document the who, what, when, where, why, and how of your processing activities. Upon request by the ANPD, you may have to prepare an impact report, equivalent to a data protection impact assessment, that shows your assessment of the risk associated with processing this data. Especially when you talk about processing sensitive personal data, you gotta detail how you process that information and make sure that it's compliant with the law, while also respecting the proprietary nature of that processing.
That impact report has to tell, again, what type of personal data has been collected, the means by which you collected that data, your method of protecting that data, the security control mechanisms, and then your own analysis of the risk associated with your processing activities, and how you mitigated that inherent risk, which exists before you apply any mitigation strategies, and then, again, how you've mitigated that risk down to residual risk. Processors have to comply with the contractual obligations stated in their contractual vehicle. And then again, they will comply fully and not process that personal data by means outside the confines of that contract. We continue to talk about rights like data portability. Now, the ANPD can establish standards for interoperability to make sure that you have requirements met for the interoperability of these systems for sharing and transferring an individual's personal data. You got to build in mechanisms for them to be able to access their personal data. You've got to account for the security. You gotta account for how long the retention of records is. You have to be transparent in your data processing activities. You gotta have a data protection officer, like we talked about under other laws, and that data protection officer has certain requirements. Like I said, when I think of a data protection officer, regardless of where he or she is working across the globe, I see that person as rolling through the hallways of an organization in a cape and tights with a big DPO emblazoned on their chest, because the implications are high for these officials in some jurisdictions. I read one article where I think it was South Korea where a DPO was arrested and convicted because the organization which he was supporting was noncompliant with that national law. So, under Brazil's LGPD, what does that DPO, that privacy officer, have to do?
It's got to be there to accept and respond to complaints from data subjects, provide them with information on, again, the complaint itself, the nature of the complaint, and how that organization will address it. They have to be able to communicate with the ANPD, and when complying with consent orders and others, to be able to do so. Gotta make sure that they're providing guidance not only to the data controller's and data processor's employees but also those contractors that are supporting this processing activity, to ensure that they're complying with those requirements. And then any other duties that are determined as applicable; then again, they have to do that also. Now the ANPD always has the right to establish supplementary or complementary rules that further define the roles and responsibilities of that privacy officer, and also conditions for exemptions, where you don't have a requirement to have that privacy officer as stated under the LGPD. Let's talk about liability and loss compensation. Again, controllers or processors have to be able to respond to questions of liability and also provide loss compensation. Because of their processing of a Brazilian data subject's personal data, if that results in some type of individual, moral, material, or collective damage to them and it's in violation of this law, then they're required to address it. We talked about processing agents; we're talking about those controllers and processors. They're going to be liable when they weren't compliant with the law, when they didn't process this personal data appropriately. Then again, with the damage itself, they didn't, again, directly cause this harm itself; it was done by the data subject or the third party; they didn't do the processing itself; they didn't violate the law. But they have to make sure that they have the appropriate administrative, security, technical and physical safeguards in place to protect that information from unauthorized access.
Data breaches, security incidents that allow someone to either acquire or access the information and then process it unlawfully. Now, if you are a controller or a processor that doesn't adopt and implement these appropriate security protocols, privacy protocols, you're going to be held liable. And when there's a violation of my rights as a Brazilian data subject, as it applies to consumer relations, then liability will be applied as is applicable under those Brazilian laws. Let's talk about security and secrecy of the data. I mentioned this earlier. The thing is that some people believe that you can have security without privacy and privacy without security. You're not going to encounter or find one of these laws that doesn't have a security provision. For those of you that are not familiar with the term security technical and administrative safeguards, controls: in the information security realm, we also refer to those as administrative, physical and technical safeguards. And when we're talking about processing agents, we're talking about those data controllers, data processors, sub-processors and others that might be processing an individual's personal information, to make sure that we don't have those unauthorized accesses or acquisitions of that data that might expose that personal data to cyber adversaries, cybercriminals and others. Again, when you look at your security requirements and you incur a security incident or a data breach, then you have to be able to provide this data upon request to the ANPD and others. You have to talk about, again, what was the nature of the compromised personal data? How many individuals, data subjects, were impacted? What type of records are we talking about? What type of data? What type of security measures did you use, technical, administrative, physical, to protect that data? Ensuring that you're maintaining the commercial and industrial secrecy of that data. What are the risks related to that incident?
What are those reasons that you delayed and didn't communicate that security incident or data breach immediately? Again, you might have had law enforcement request that you delay notification until such time that, again, they completed their investigation. What are you going to do, short term and long term, to mitigate the impact of that incident or event on the data subject? Now you've got to make sure that you're always considering and addressing, as a controller or a data processor, that you're satisfying the LGPD's security requirements, those stated standards of good practice and governance, and compliance with these general principles, of which there were 10. We're going to talk about good practice and governance. So you can develop your policies, procedures, guidelines and standards based on these good practices and governance. And to do so, you've got to consider your processing activities, conduct a risk assessment to determine the nature, scope, purpose and probability that an event might happen, and look at and define those benefits that a data subject will derive from your processing of that information. So to have a good privacy and data protection governance program, you have to demonstrate the controller's commitment to implement these policies, procedures, guidelines and standards that ensure that it is compliant with the GDPR and other generally accepted good practices and governance principles. That applies to all of the personal data under its control, given the nature, scope, costs associated, sensitivity of the data and scope of the processing activities. Make sure you have the appropriate data protection, information privacy policy safeguards in place that allow you to be able to do comprehensive impact assessments to identify the risk and develop risk mitigation strategies. Make sure that you have the ability to communicate with the data subject, to assure him or her that, again, you have good data protection practices in play.
Making sure that you have the ability to have good oversight of those practices. Have an incident response plan, your data breach notification plan, your business continuity and disaster recovery plans, to demonstrate how, when faced with these incidents, these events themselves, you can respond appropriately and quickly. And then making sure, and we're going to see this consistent across all laws, that again, once you've applied the applicable controls and safeguards, you have processes for continuous monitoring to make sure they're working as intended, that your processes or information systems that are processing personal data are working as intended, implementing strategies for when a control is not working as intended, how again you're going to address those shortfalls, and conducting, you know, periodic impact assessments to ensure that from the time that you place that system in operation to the time you retire it, you have embedded good data protection processes and controls. It's going to be the ANPD that provides that guidance to the data controllers and data processors that have to comply with it, just like we talked about with the UK DPA 2018 and the EU GDPR. Are there penalties for noncompliance? And when I talk about noncompliance, I always use the word pain, because there's always going to be some pain that the controller or processor has to face. Now again, just like we said, the ANPD, much like other supervisory authorities, isn't just going to jump to the high end of these penalties. Now there is a cure phase under here too, where, you know, those data controllers and data processors are provided with a warning. That gives them a set time in which they have to, there's, you know, the statement of the perceived violation or noncompliance, and then it gives them a period in which they can address those issues.
At the low end it can be a simple fine, up to two percent of that company's revenues in Brazil for the prior financial year, for a max of 20 million reais, which accounts for, I think, $10 million US dollars. There's going to be a daily fine, subject to that total maximum that we've stated under section two. The ANPD is going to tell on you, so it's going to publicize that infraction once the ANPD has looked at and evaluated it and the violation has been confirmed. And really it's going to do that, like other supervisory authorities do, really to drive, you know, good trends of data protection and privacy. And then you also could have an order to temporarily cease the processing of that personal data until you address that noncompliance and you become compliant with the law. It's going to be the ANPD that determines the process by which it's going to collect and calculate those fines. And again the daily fines are based on the severity of the fine: if you're a repeat offender, you're always in violation, and the magnitude of the impact on the data subject himself or herself. And then when we talk about the notice of that fine, again it's going to talk about the description of the obligations being imposed, what you are required to do to fix this problem as a data controller or data processor, the time that you have to really become compliant again, and the amount of the daily fine that is going to be assessed for noncompliance. Now other things that the ANPD is going to consider are, you know, the seriousness of the infraction, the size and economic means of the violator. Big companies may have to pay more than small companies. The impact or damage caused, how willing you are to work with the ANPD, and what a review of your policies, procedures, guidelines and standards shows, you know, your security provisions that, you know, were used to safeguard the processing of Brazilian data subjects' personal data.
Now the scope of this law also says that, you know, if you don't work directly with individual customers themselves, you're going to have a business-to-business, B2B, relationship with those customers, you may still have to comply with the ANPD. You know, if you're processing employees' personal data in Brazil, if you're internationally transferring that data to companies that are located outside of Brazil but the data subject is physically located in Brazil, you may find yourself having to comply with this law. So let's talk about it, first and foremost. The LGPD is not the GDPR, although it takes certain aspects of the law, because one of the requirements under the GDPR is that, you know, if you're going to be exporting EU data subjects' data to a third party or international organization, it has to either be adequate or has to have the appropriate data protection laws in place, regulations in place, must have a respect for the rule of law, fundamental human rights, redress for data subjects. So in many instances the LGPD is similar to the GDPR, but it has its own nuances. You know, it has its applicability and non-applicability requirements, who has to comply with it, who doesn't. It states the rights and freedoms of individuals, has a requirement for us to do impact assessments and impact reports, has a requirement for us to have data processing, I mean data protection, officers, protects the rights and freedoms of children, establishes the legal basis under which controllers and processors can process a Brazilian data subject's data, levies responsibilities both on the controller and the processor, talks about liability and loss compensation, the requirement to maintain the security and secrecy of data, provides provisions on how and when you can internationally transfer a Brazilian data subject's data outside of the country of Brazil, establishes a requirement for you to demonstrate your good practices and governance practices.
Has administrative fines for noncompliance. At this time, that concludes our discussion on the LGPD. I hope you've enjoyed it. I hope you've enjoyed the course up to this point. I hope you, your family members and significant others are safe and well, and the privacy gremlin Chris Stevens looks forward to seeing you in our next video, where we'll continue our discussion on several important international data protection and privacy laws and regulations as they exist across the globe. Thank you. Take care.