On March 1, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the new Brazilian data protection authority’s (Agência Nacional de Proteção de Dados, the “ANPD’s”) public consultation (in Portuguese) on the impact of the Brazilian data protection law (Lei Geral de Proteção de Dados, the “LGPD”) on small and medium-sized enterprises (“SMEs”), which will inform the ANPD’s upcoming special rules for SMEs.

This call for public input is the first step of ANPD’s public consultation process. The second step will be drafting rules on SMEs that also will be submitted for review and comment by the public. This is the first public consultation undertaken by the ANPD, which was established only four months ago.

CIPL welcomed ANPD’s willingness to engage with multiple stakeholders by obtaining feedback and input ahead of drafting the rules and guidance. In its response, CIPL observed that the ANPD’s main challenge in relation to the impact of the LGPD on SMEs is two-fold, i.e., to:

  • Provide flexible and scalable rules to SMEs that (1) enable compliance with the LGPD; (2) encourage them to become accountable; and (3) facilitate their effective functioning in a data-driven Brazilian economy post-COVID-19; while
  • Avoiding excessive exemptions to compliance and enforcement rules that could lead to SMEs (1) not complying with other applicable LGPD rules and (2) not being concerned about enforcement by the ANPD.

CIPL recommended that the ANPD should focus on the following activities:

  • Providing guidance to SMEs to clarify the many applicable LGPD provisions and help them understand the importance of protecting personal data and becoming accountable;
  • Developing and promoting accountability and compliance tools and templates for SMEs;
  • Encouraging the development of industry codes of conduct;
  • Enabling the development of certifications, seals and marks;
  • Encouraging sharing of best practices in data protection, data management and data hygiene among Brazilian professional organizations;
  • Driving SME-focused education and awareness programs;
  • Providing opportunities for SMEs to engage with the ANPD and share their compliance experience;
  • Taking organizational accountability efforts into account when enforcing the LGPD rules against SMEs and being transparent about this in connection with relevant enforcement criteria;
  • Enabling international transfers of personal data to enable Brazilian SMEs participate in the global digital economy; and
  • Working with public authorities of other regulated areas, as well as industry associations, to identify cross-sectoral initiatives to support SMEs’ LGPD compliance (e.g., regulatory sandboxes and policy roundtables).

CIPL also highlighted that (1) when providing guidance and tools to SMEs, the ANPD should prioritize promoting the principle of accountability as the enabler of effective data protection, responsible uses of personal data, economic growth and innovation; and (2) frameworks, such as the CIPL Accountability Framework (see figure below), that could be used as a baseline for LGPD compliance. CIPL explained that accountability is a scalable and sector-agnostic concept that may be applied by organizations of all types (including SMEs), sizes, sectors (including the public sector), geographical footprints and varying corporate cultures, as demonstrated in CIPL’s Accountability Mapping report.

Figure: CIPL Accountability Framework

In addition to the consultation on SMEs, the ANPD has already opened a new call for preliminary input on the topic of notification of data breaches (in Portuguese) to the ANPD as well as data subjects. The ANPD is planning to finalize their rules on data breach notification within one year. Comments must be submitted by March 24, 2021 to consultapublica@anpd.gov.br with the subject of “Tomada de Subsídios 2/2021”.

Download CIPL’s response in English or in Portuguese.