LGPD 'Right to Erasure' & How to Comply
4 Nov 2020 | Michael Waksman
The LGPD 'Right to Erasure' is part of the new Brazilian data protection law. Similar to GDPR’s 'Right to be Forgotten', the LGPD 'Right to Erasure' allows Brazilian citizens to request their personal data be removed from organization databases.
So, if your company handles personal data of Brazilian citizens, whether you're inside or outside of Brazil, you are subject to the 'Right to Erasure'.
Here we will look at the 'Right to Erasure' section of the regulation and share 3 steps on how to implement a successful LGPD compliance strategy.
LGPD in a Nutshell
- When?
The LGPD regulations were introduced in August 2018. While administrative sanctions do not come into effect until August 1, 2021, individuals and public prosecutors can already bring claims for damages and losses. - What?
LGPD, or the Lei Geral de Proteção de Dados Pessoais, can be translated as the General Law for the Protection of Personal Data. The main objective of the LGPD is to regulate the processing of personal data in order to protect the privacy of Brazilian citizens. Brazil’s National Data Protection Agency (ANPD) will be responsible for enforcing administrative sanctions. - Who?
The LGPD requires compliance for people, businesses, public institutions, and charities that process the data of Brazilian citizens, wherever they are based. The regulation applies to people and organizations that are processing:
- Personal data in Brazil
- Personal data that was collected in Brazil
- Personal data to offer goods or services in Brazil
What Is the LGPD 'Right to Erasure'?
The 'Right to Erasure' is covered in articles 5, 16, and 18 of the LGPD. The regulation requires companies to delete the personal data of an individual if it has been requested, even if the data has been collected based on consent.
The 'Right to Erasure' section of the LGPD is comparable to GDPR’s 'Right to be Forgotten'. Under the LGPD, both data controllers and processors must delete the subjects’ data for free if it has been requested. It’s also compulsory that data subjects (Brazilian citizens) are informed of their right to request for their data to be erased.
In addition, the LGPD states that data must be deleted if it was processed for reasons that are excessive, unnecessary, or unlawful.
LGPD 'Right to Erasure' & Exemptions
Article 16 of the LGPD includes some exemptions to the application of the 'Right to Erasure':
- "Compliance with legal or regulatory obligation by the controller"
- Personal data authorized for a "study by a research body"
In addition, the LGPD, including the 'Right to Erasure', generally doesn’t apply to processing of personal information done exclusively for:
- Public safety
- Academic purposes
- Journalistic and artistic purposes
Prepare for the LGPD 'Right to Erasure'
Follow these 3 steps to make sure your company or organization is ready to comply with the LGPD 'Right to Erasure'.
1. Find out where your data resides
Regardless of where your data is stored, you always have to be aware of its location. Keep track of where it’s saved, how it’s being accessed, and how it’s being shared. Having this information at hand will help you to locate the files that need to be erased much faster.
2. Put someone in charge of data protection
The LGPD requires businesses and organizations to appoint a Data Protection Officer (DPO), so make sure that you appoint someone to that role. Your DPO will serve as a link between your organization and its data subjects, which will also send a message to your customers (and compliance officers) that you are serious about protecting their data.
3. Equip the right tools
The software that you should use can be determined by the type of data that you need to erase. For example, if personal data is stored on a computer that’s no longer needed, then you should use software to completely wipe your hard drive. Alternatively, if you only have a few specific files or folders that need to be erased on an active system, then you could use a tool to wipe selected data and still continue using your computer.
How Data Wiping Works
Deleting files by normal means will not help your company or organization to comply with the LGPD’s ‘Right to Erasure’ requirements. That’s because information saved to a hard drive will always leave behind residual data, or data remanence. To prevent data being restored and accessed by third parties with widely available file recovery software, you should choose to wipe sensitive data and permanently erase the information. Using data wiping software to securely erase your information assets is the safest and most effective way to dispose of personal data.
Learn more about securely wiping your data by reading our ultimate guide. You can also find 3 reasons to erase and repurpose your hard drive.
Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 20 years of communications, technology and leadership experience.
At Jetico, Waksman has lead creation of the corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the global compliance market and for personal privacy.
Waksman served as vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As dual citizen, he is a native New Yorker and has been living in the Helsinki region for over 15 years.
