The Brazilian Data Protection Authority (known as ANPD) published on January 28 its Resolution nº 2 regarding the application of the LGPD requirements for small size processing agents, which includes small businesses and startups that process personal data.
The Resolution intends to simplify the obligations provided for in the LGPD in order to make them compatible with the reality of small size processing agents. However, the benefits foreseen in the Resolution nº 2 are not applicable to all small size processing agents, and the ANPD excluded those who (i) perform high-risk personal data processing or (ii) earn, individually or within the sum with its economic group, gross revenue above R$ 4.8 million/year (or R$ 16 million/year in the case of startups).
The new resolution also presents a methodology for the assessment of the existence of high-risk processing of personal data, which contains general and specific criteria.
Some of the main differences applicable to small-scale processing agents provided for in the Resolution are:
- Small size processing agents are not obliged to appoint a Data Protection Officer (DPO), provided that a communication channel with the data subject is stablished;
- Simplified Record of Processing Activities (ROPA). Subsequently, ANPD will provide a simplified ROPA template;
- Adoption of a simplified information security policy, provided that protection is guaranteed against unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or illicit treatment.
- Small size processing agents will have a double the period established in the LGPD to practice some acts like respond to data subject’s requests; communication to the ANPD and the data subject about the occurrence of security incidents; presentation of information requested by the ANPD to other processing agents; and providing a clear and complete statement confirming the existence or access to personal data.
The ANPD may order the small size processing agent to comply with the obligations waived or made more flexible in Resolution nº 2, considering the relevant circumstances of the situation, such as the nature or volume of operations, as well as the risks for the data subjects.