Understand rules for sanctions of the LGPD published by the ANPD
Mar 1, 2023
The regulation on administrative sanctions under the General Data Protection Law (LGPD) was published by the National Data Protection Authority (ANPD) last Monday (27). Resolution No. 4 establishes categories for light, medium, and severe infractions and presents the calculation method for fines for violations of the legislation, which can reach up to R$ 50 million.
This is the final step in holding offenders accountable. The formulation of the norm was carried out by the General Coordination of the ANPD, which sent it for reporting to Director Arthur Sabbat, who then took it for unanimous approval by the board of directors. The resolution was created after an extensive process that included a public hearing and the analysis of 2,504 suggestions from various sectors.
According to the document, there are nine types of administrative sanctions that can be applied to potential offenders of the LGPD, including warnings, simple fines, daily fines, public disclosure of the infraction, blocking of personal data related to the infraction, deletion of personal data related to the infraction, temporary suspension of the operation of the database related to the infraction, suspension of the exercise of data processing activities related to the infraction, and partial or total prohibition of the exercise of activities related to data processing.
Sanctions are defined based on various parameters and criteria, such as the severity and nature of the infractions, the economic condition of the offender, the degree of harm, the cooperation of the offender, and the prompt adoption of corrective measures, among others.
Severe Infractions
The case will be considered severe when it constitutes an obstruction to supervisory activity or affects the data subjects while:
Involving large-scale processing; or
The offender gains or intends to gain economic advantage; or
Involving risk to the lives of data subjects; or
Involving the processing of sensitive data or data from children, adolescents, or the elderly; or
Processing without legal support; or
Processing having illegal or abusive discriminatory effects; or
Systematic adoption of irregular practices is verified.
Medium Infractions
The infraction will be considered medium if it affects the fundamental rights of data subjects or prevents the use of a service, as well as when it causes material or moral damage to the subjects, such as financial fraud and discrimination.
Rates of Sanctions
For light infractions, the rates range from 0.08% to 0.15% of revenue. The established range for medium infractions is between 0.13% and 0.5%, while for severe infractions the values range from 0.45% to 1.5%. The resolution also describes the degree of harm, which will be used in a mathematical formula for calculating the fine. This can be accessed on the ANPD website.
How can the technology team assist?
Although the LGPD explicitly states the obligation for companies to adopt technical measures to protect citizens' personal data from unauthorized access, the legislation does not specify which actions need to be adopted.
Here are some suggestions for how the technology team can act:
Keep an eye on cloud configurations that impact the LGPD
Cloud environments are highly complex and present a myriad of configuration possibilities that can directly impact the level of security of this data. We published 6 configurations here to help increase your company's compliance level with the LGPD, based on several articles of the current legislation.
Automated cloud monitoring
Automating the continuous monitoring of your Cloud resources ensures that with each new deployment, the team remains aware of whether they are following the most secure configurations. The Unxpose solution allows for this to be done automatically and goes further by showing the Cloud's compliance level regarding the LGPD, what failures impact the indicator, which articles they refer to, and how the failure relates to the legislation. And the best part is, you can use it for free! :)