Questions & Answers
What is dados pessoais?
‘Dados Pessoais’ is Portuguese for ‘Personal Data,’ a core legal concept in Brazil's General Data Protection Law (LGPD, Lei nº 13.709/2018). Defined in LGPD Article 5(I), it refers to any information related to an identified or identifiable natural person, such as name, ID number, location data, or online identifiers. This definition closely mirrors that of ‘personal data’ in GDPR Article 4(1). Within a risk management framework, organizations must treat dados pessoais as a critical asset. The ISO/IEC 27701 standard for Privacy Information Management Systems (PIMS) provides a comprehensive framework and controls to help organizations establish governance for processing such data in compliance with LGPD. Dados pessoais are distinct from anonymized data (dado anonimizado), which falls outside the scope of the law because it cannot be linked to an individual.
How is dados pessoais applied in enterprise risk management?
Applying dados pessoais management in enterprise risk management involves a systematic approach to ensure LGPD compliance. Key steps include:
1. Data Mapping and Process Analysis: Following ISO/IEC 27701 Annex A, identify all personal data processing activities and create a Record of Processing Activities (ROPA).
2. Data Protection Impact Assessment (DPIA): As required by LGPD Article 38, conduct DPIAs for high-risk processing activities to evaluate potential impacts on data subjects' rights and freedoms.
3. Implement Controls: Based on DPIA results, deploy technical and organizational controls from ISO/IEC 27001/27701, such as encryption, access control, and pseudonymization.
For example, a global e-commerce firm used this process to increase its LGPD compliance rate to 98%, reducing potential fines from data breaches by an estimated 70% and passing its annual audits.
What challenges do Taiwan enterprises face when implementing dados pessoais?
Taiwanese enterprises face three key challenges with LGPD's dados pessoais requirements. First, a lack of awareness of its extraterritorial scope; many assume only local laws apply, but LGPD governs any processing of data of individuals in Brazil. The solution is to establish a global regulatory monitoring process. Second, resource constraints, as SMEs often lack a dedicated Data Protection Officer (DPO) and budget. Outsourcing to expert consultants for a gap analysis and framework implementation is a viable solution. Third, technical gaps in legacy systems that lack Privacy by Design principles, making it difficult to fulfill data subject rights. The remedy is to integrate privacy requirements into the System Development Life Cycle (SDLC) and develop APIs for core systems to handle these requests.
Why choose Winners Consulting for dados pessoais?
Winners Consulting specializes in dados pessoais for Taiwan enterprises, delivering compliant management systems within 90 days. Free consultation: https://winners.com.tw/contact