By: Leonardo Neri

With the entry into force of the General Data Protection Law (LGPD), there has been a considerable increase in concerns regarding the viability and applicability of the legislation to micro and small businesses. This is also a topic that is in Phase 1 of the Regulatory Agenda of the National Data Protection Authority (ANPD) (see https://www.mazzuccoemello.com/autoridade-nacional-de-protecao-de-dados-publica-agenda-regulatoria/).

With this in mind, last week the Ministry of Economy presented to the ANPD a proposal to regulate the differentiated treatment of micro and small businesses within the scope of the LGPD, aiming to provide equal treatment.

The proposal was approved during the 1st Ordinary Meeting of the Permanent Forum of Micro and Small Enterprises (FPMPE), held on February 24, and provides for the exemption of certain obligations imposed on SMEs as data processing controllers. The main ones are:

• Maintenance of records of operations;
• Preparation of impact report;
• Appointment of the person responsible for data processing; and
• Disclosure of information about data processing.

In addition to the exemption from obligations, the proposal also provides for the extension of deadlines for responding to requests from holders, reporting incidents and resolving demands.

The benefits provided for in the proposal do not apply to companies that have data processing as a regular activity, that is, when this is their corporate purpose.

The proposal, which was prepared by SEBRAE (Brazilian Support Service for Micro and Small Businesses) after contributions from more than 15 entities in the class, provides for conditions very similar to the provisions of the GDPR, applied in the European Union, which also served as the basis for the LGPD itself.