Close this search box.

General Data Protection Law and its impact on the financial sector

Recently approved by Congress, the General Data Protection Law (LGPD) aims to make companies more transparent. It also intends to expand data subjects’ privacy rights.

Basically, Brazilian legislation follows the General Data Protection Regulation (GDPR), which came into force in Europe in May 2018.

The LGPD is a very significant law when it comes to the confidentiality requirements governing financial services institutions and other types of business processes that must protect users’ personal data.

Learn more about the LGPD and its main impacts on the financial market.

The LGPD, a major change in data protection and privacy

The LGPD was conceived with the aim of defining data privacy guidelines throughout Brazil. In this way, it aims to protect and give Brazilians the right to data confidentiality.

The LGPD is the most important Internet bill since the regulatory framework. In addition, it must be followed by all companies that process the personal data of residents in Brazil. It defines the procedures for collecting information, storing it, securing it and how it is processed and used.

Following the presidential approval and sanction of PLC 53/2018, the General Data Protection Law is going through a period of awareness and adoption by companies and should come into force at the beginning of 2020.

According to the LGPD, data processing will only be allowed under the following conditions:

  • The express consent of the data subject is required for the processing of personal data;
  • For the performance of a contract with the data subject or to take steps to enter into a contract;
  • To fulfill a legal obligation;
  • To protect the vital interests of a data subject or another person;
  • The processing will be necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority;
  • For the legitimate interests of the controller or a third party. Except where such interests are overridden by the interests, rights or freedoms of the data subject.

After the LGPD comes into force, if any company fails to comply with the law, the legal consequences could include fines and the company could have its activities suspended, in whole or in part.

In addition, where appropriate, companies can be held liable for other violations provided for by law.

LGPD and its consequences for the financial market

Failure to comply with the new Brazilian legislation results in major regulatory penalties, reputational damage and loss of consumer confidence.

For this reason, the damage done to the prestige of companies in the market is of greater concern than the financial impact of non-compliance with the new legislation.

The solution for financial institutions is to address the LGPD as a priority. Thus, allocating the necessary resources and flexibility to comply with any new regulatory requirements or one-off issues.

A comprehensive approach provides the financial market with the visibility needed to establish a clear understanding of the personal data held by the company. It also guarantees the ability to respond to requests to completely delete data when it is no longer useful.

Considering the scope of data privacy, the LGPD prohibits the processing of personal data for the purpose of unlawful or abusive discrimination.

For the financial market, this type of scenario can happen when the cross-referencing of information on a specific person or group is used to support commercial decisions, such as the consumption profile for the dissemination of offers of goods or services.


The General Data Protection Law also applies to foreign companies

The LGDP applies to data processing operations carried out in Brazil or abroad. If the information is collected on national territory, it is subject to the law.

This means that if a financial company or even Google collects data from a user here, but sues them in the United States, for example, they will have to follow the General Data Protection Act.

According to the new legislation, the company can still transfer the data to a foreign subsidiary or headquarters. However, the destination country must also have comprehensive data protection and privacy laws. Another option is for the other government to guarantee treatment mechanisms equivalent to those required in Brazil.

Citizens’ rights are preserved

The LGPD was unquestionably created to protect every citizen and their right to the confidentiality of their personal information. But the law also guarantees two fundamental aspects regarding the use of information in financial and online transactions:

  • Obligation on companies to notify in the event of a data breach;
  • The right to be forgotten.

The aim of the legislation is to protect citizens’ right to confidentiality and data privacy. In this way, it gives consumers the right to request that their personal information be consulted by financial institutions and, likewise, to request its deletion without requiring external authorization.

These queries allow, for example, financial institutions to retain certain data if it is necessary for compliance purposes and other legislation. However, in the absence of a valid justification, the person’s right to be forgotten prevails.

This will be a major challenge for financial institutions and other companies focusing on the digital market.

For many organizations, the difficulty will be implementing the data management practices needed to respect the right to be forgotten and the demand for greater transparency and coordination in all market segments.

About Eval

A Eval está há mais de 18 anos desenvolvendo projetos nos segmentos financeiro, saúde, educação e indústria. Desde 2004, oferecemos soluções de Autenticação, Assinatura Eletrônica e Digital e Proteção de Dados. Atualmente, estamos presentes nos principais bancos brasileiros, instituições de saúde, escolas e universidades, além de diferentes indústrias.  

Com valor reconhecido pelo mercado, as soluções e serviços da Eval atendem aos mais altos padrões regulatórios das organizações públicas e privadas, tais como o SBIS, ITI, PCI DSS, e a LGPD. Na prática, promovemos a segurança da informação e o compliance, o aumento da eficiência operacional das empresas, além da redução de custos.  

Inove agora, lidere sempre: conheça as soluções e serviços da Eval e leve sua empresa para o próximo nível.  

Eval, segurança é valor. 

About the author

Other posts