Corporate and financial transactions involving Brazil must include in the Legal Due Diligence’s checklist the assessment of target/borrower’s compliance risks under the new Brazilian General Data Protection Law (known as LGPD).
In effect since 9/2020, the LGPD affects all organizations that deal with personal information from customers, suppliers, employees and service providers, and it is already public knowledge that lawsuits are popping up all over Brazil against companies for their violation.
Below are 3 steps that should be included in the LGPD Due Diligence of targets or borrowers:
1. Assess how the organization currently handles personal data. Assess and map the areas of the company that receive and store information, data and personal documents from customers, suppliers, employees, contractors, and how they currently treat them. Conduct interviews with the team in each area, analyze flowcharts and review existing contracts, policies and existing codes, among relevant items according to the nature, segment and size of the organization;
2. Gap Analysis. Add a gap analysis to the Due Diligence Report pointing out (i) any gaps and inconsistencies between how personal data are currently being accessed and stored and the new standards established by the LGPD and (ii) the possible economic quantification of the risks raised;
3. Implementation of LGPD Guidances. If the finance or equity transaction is closed, include in the transaction contracts the affirmative covenants of immediate implementation of LGPD compliance by the target or borrower.
The covenant may include (i) adapting to personal data sharing access flowcharts, (ii) adding contracts with customers, suppliers, employees and third parties, (iii) creating policies for accessing, processing and storing personal data and (iv) training with employees.
The assessment of the current stage of compliance and risks arising from LGPD has become another relevant item in considering corporate and finance transactions in Brazil, given that the facts that generated potential contingencies started in 9/2020.