Brazil's Data Protection Law: HR's Perspective

Author:Ms Renata Neeser
Profession:Littler Mendelson

With less than a year remaining before Brazil's General Data Protection Law (referred to as the LGPD) takes effect, HR professionals should start preparing.

The LGPD—which regulates how companies, including employers, must process personal data such as employees' identification numbers—takes effect Aug. 15, 2020, except for the provisions giving authority to create the National Data Privacy Agency (ANPD), which took effect Dec. 28, 2018.

The ANPD, however, still isn't created. The government is optimistic that the directors will be chosen and vetted by the end of this year, but even if that occurs, it still won't leave much time for the agency to create the many regulations needed to implement the law. As a result, it's possible there will be delays in the law's implementation.

Nonetheless, HR should consider taking the following steps.

Create a Human Capital Team

Companies should build a team to help implement changes required by the law. The team should include HR professionals responsible for global and Brazilian workforce management, preferably with some experience in data privacy compliance. The law will apply to any organization—including foreign ones—collecting or transmitting personal data in Brazil.

Brazil's LGPD requires all companies to appoint an officer to be the "channel of communication" between the financial controller, the data subjects (e.g., employees) and the ANPD. One of the officer's main responsibilities is to guide employees and contractors on transmitting personal data. Therefore, the company should start assessing who should fill this role.

The ANPD may issue regulations about the definition and duties of such officers—including waiving the need to appoint one, depending on the nature and size of the company or on the volume of data handled. One of the proposed changes to the law was to waive this requirement for small companies, but the National Congress of Brazil left it for the ANPD to decide.

Train Key Stakeholders

It will take time and perseverance to educate and train workers not only on how to transmit and collect the data, but also on why the company is justified in collecting it.

Identify All Systems Used to Process Employees' Personal Data

Multinational companies often rely on cloud-based HR information systems to manage their workforces, including their Brazilian workforces. Often, such companies use a multinational vendor that in turn uses local subcontractors to provide payroll and HR services, without...

To continue reading