Navigating Brazil's LGPD: Identity Data Retention Best Practices
Brazil's LGPD mandates strict rules for personal data, including identity verification data. Businesses must implement robust data retention policies, understand their roles as data controllers/processors, and ensure data.

- LGPD Compliance is Critical: Brazil's Lei Geral de Proteção de Dados (LGPD) imposes stringent requirements on how organizations collect, process, and store personal data, including data collected during identity verification processes. Non-compliance can lead to significant fines and reputational damage.
- Data Minimization and Purpose Limitation: Organizations must only collect data that is strictly necessary for a specified, legitimate purpose and retain it only for the period required to fulfill that purpose or legal obligations. This principle is fundamental to LGPD compliance.
- Robust Data Retention Policies: Implementing clear, configurable data retention policies is essential for managing identity verification data. This includes automated and manual deletion capabilities, ensuring data is purged once its legal or operational necessity expires.
- Didit Simplifies Compliance: Didit's platform provides configurable data retention settings, manual session deletion, and a clear data processor role, empowering businesses to meet LGPD requirements efficiently while leveraging AI-native identity verification solutions.
Understanding LGPD and its Impact on Identity Data
Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD), effective since September 2020, significantly reshaped how personal data is handled in Brazil. Similar to Europe's GDPR, LGPD establishes a comprehensive framework for the protection of individuals' privacy, granting them greater control over their personal information. For businesses operating in or with connections to Brazil, this means a fundamental shift in data management practices, especially concerning identity verification data.
Identity verification processes, such as those utilizing Didit's ID Verification, Passive & Active Liveness, or 1:1 Face Match, inherently involve the collection and processing of sensitive personal data. This includes names, dates of birth, document numbers, biometric data, and more. Under LGPD, organizations must have a legal basis for processing this data, such as explicit consent, legitimate interest, or compliance with a legal obligation. Furthermore, the principles of data minimization and purpose limitation are paramount: only collect what is absolutely necessary for a defined purpose, and do not retain it longer than required.
Failure to comply with LGPD can result in severe penalties, including fines up to 2% of a company's revenue in Brazil, capped at R$50 million per infraction, along with other administrative sanctions. Beyond financial repercussions, non-compliance can severely damage customer trust and brand reputation, making robust data governance a business imperative.
Establishing Effective Data Retention Policies for LGPD
A cornerstone of LGPD compliance, particularly for identity data, is the implementation of sound data retention policies. These policies dictate how long personal data, once collected, can be stored. The goal is to balance business needs—like fraud prevention or compliance with anti-money laundering (AML) regulations, which Didit's AML Screening & Monitoring can help address—with the individual's right to privacy and data minimization.
When defining retention periods, businesses must consider several factors:
- Legal and Regulatory Obligations: Certain industries (e.g., financial services) may have specific laws dictating how long customer data, including KYC/AML records, must be kept.
- Contractual Requirements: Agreements with customers or partners might specify data retention periods.
- Business Needs: Data may be needed for dispute resolution, auditing, or to improve services. However, these needs must be justifiable and balanced against privacy concerns.
- Data Type: Different types of data (e.g., biometric data vs. transactional data) may warrant different retention periods.
Best practices suggest that data should be anonymized or securely deleted once its purpose has been fulfilled and all legal obligations have been met. Proactive data lifecycle management, rather than reactive deletion, is key to demonstrating compliance and minimizing risk. This includes regular reviews of data holdings and automated processes for purging data past its retention deadline.
The Role of Data Controller vs. Data Processor
Under LGPD, it's crucial to understand the distinction between a data controller and a data processor. The data controller is the entity that determines the purposes and means of processing personal data. This is typically the business directly engaging with the end-user (e.g., a bank, an e-commerce platform, or a gaming company using Age Estimation). The data processor, on the other hand, processes personal data on behalf of the controller. Identity verification providers like Didit typically act as data processors.
As a data processor, Didit is committed to supporting its customers in meeting their LGPD obligations. Didit processes identity verification data in accordance with the instructions of the data controller and implements robust security measures. By default, Didit processes data in the EU, supporting GDPR and local data-protection regimes. For enterprise accounts, in-country processing (local data residency) may be enabled, further assisting with specific regulatory requirements. This clear delineation of roles, combined with Didit's configurable retention settings, empowers businesses to maintain control over their data governance strategy.
Implementing Practical Data Management Strategies
To effectively manage identity data retention under LGPD, organizations should adopt a multi-faceted approach:
- Inventory and Map Data: Understand what identity data is collected, where it's stored, and for what purpose. This includes data from ID Verification, Passive & Active Liveness, and other verification steps.
- Define Retention Periods: For each category of identity data, establish clear and justifiable retention periods based on legal requirements and business necessity.
- Automate Deletion: Where possible, implement automated systems to delete or anonymize data once its retention period expires. This reduces the risk of human error and ensures consistent compliance.
- Enable Manual Deletion Capabilities: Provide mechanisms for manual deletion of specific records when necessary, such as in response to a data subject access request (DSAR) or an investigation.
- Secure Data at Rest and in Transit: Ensure all identity data is protected with appropriate technical and organizational security measures, regardless of its retention status.
- Regular Audits and Reviews: Periodically review data retention policies and practices to ensure they remain compliant with evolving regulations and business needs.
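As an added illustration of the procedure above (example code written for this page, not Didit's own implementation or API), the Python below models a small retention engine for verification sessions. Each data category is mapped to a retention window in months, with None standing for an "unlimited" window that is only ever cleared by an explicit manual deletion; an automated purge deletes expired records, or anonymizes them where only the non-identifying outcome is still needed; a manual deletion removes one session across all categories while leaving records under an unlimited window in place unless the operator overrides; and an inventory count feeds the periodic review. The categories, periods, field names and sample sessions are constructed assumptions, not values from Didit or from any regulation.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Retention window per data category, in months. None means "unlimited":
# the record is only ever removed by an explicit manual deletion.
# Categories and periods are constructed for this example.
DEFAULT_POLICY: Dict[str, Optional[int]] = {
    "biometric": 1,        # selfies / liveness frames: shortest window
    "document_image": 12,  # ID document scans
    "kyc_result": 60,      # verification outcome: anonymized rather than dropped
    "aml_record": None,    # record under a statutory hold: manual deletion only
}

# Identifying fields stripped when a record is anonymized instead of deleted.
IDENTIFYING_FIELDS = ("name", "document_number", "date_of_birth", "face_template")


@dataclass
class Record:
    session_id: str
    category: str
    created_at: datetime
    payload: dict
    anonymized: bool = False


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-correct month addition; the day is clamped (Jan 31 + 1 month = Feb 28/29)."""
    idx = dt.month - 1 + months
    year, month = dt.year + idx // 12, idx % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def expiry_of(record: Record, policy: Dict[str, Optional[int]]) -> Optional[datetime]:
    """When the record must be purged, or None for an unlimited window."""
    months = policy[record.category]
    return None if months is None else add_months(record.created_at, months)


class RetentionStore:
    def __init__(self, policy=DEFAULT_POLICY, anonymize_categories=("kyc_result",)):
        self.policy = dict(policy)
        self.anonymize_categories = set(anonymize_categories)
        self.records: List[Record] = []
        self.audit: List[str] = []  # append-only trail for the periodic review

    def ingest(self, record: Record) -> None:
        # Every category must be mapped to a window before any data is accepted.
        if record.category not in self.policy:
            raise ValueError(f"no retention period defined for {record.category!r}")
        self.records.append(record)

    def run_purge(self, now: datetime) -> Dict[str, int]:
        """Automated lifecycle step: delete or anonymize every record past its window."""
        counts, kept = {"deleted": 0, "anonymized": 0}, []
        for r in self.records:
            exp = expiry_of(r, self.policy)
            if r.anonymized or exp is None or now < exp:
                kept.append(r)  # already anonymized, held, or still inside its window
                continue
            if r.category in self.anonymize_categories:
                r.payload = {k: v for k, v in r.payload.items() if k not in IDENTIFYING_FIELDS}
                r.anonymized = True
                counts["anonymized"] += 1
                self.audit.append(f"{now.isoformat()} anonymized {r.category} {r.session_id}")
                kept.append(r)
            else:
                counts["deleted"] += 1
                self.audit.append(f"{now.isoformat()} deleted {r.category} {r.session_id}")
        self.records = kept
        return counts

    def delete_session(self, session_id: str, now: datetime, override_holds: bool = False) -> int:
        """Manual deletion of one session across all categories; held records are skipped unless overridden."""
        removed, kept = 0, []
        for r in self.records:
            if r.session_id != session_id:
                kept.append(r)
            elif self.policy[r.category] is None and not override_holds:
                self.audit.append(f"{now.isoformat()} held {r.category} {session_id}")
                kept.append(r)
            else:
                removed += 1
                self.audit.append(f"{now.isoformat()} manual-delete {r.category} {session_id}")
        self.records = kept
        return removed

    def inventory(self) -> Dict[str, int]:
        """Data map for the review: live (non-anonymized) records per category."""
        out = {c: 0 for c in self.policy}
        for r in self.records:
            if not r.anonymized:
                out[r.category] += 1
        return out


def demo() -> Dict[str, object]:
    """Constructed sample sessions run through the lifecycle; returns the observed state."""
    t0 = datetime(2024, 1, 31, tzinfo=timezone.utc)
    store = RetentionStore()
    for sid in ("sess-A", "sess-B"):
        store.ingest(Record(sid, "biometric", t0, {"face_template": "<constructed>"}))
        store.ingest(Record(sid, "document_image", t0, {"document_number": "X123", "image": "<constructed>"}))
        store.ingest(Record(sid, "kyc_result", t0, {"name": "Sample Person", "outcome": "approved"}))
        store.ingest(Record(sid, "aml_record", t0, {"name": "Sample Person", "hit": False}))
    biometric_expiry = expiry_of(store.records[0], store.policy).isoformat()
    first = store.run_purge(datetime(2024, 3, 1, tzinfo=timezone.utc))   # only biometrics have expired
    removed = store.delete_session("sess-B", datetime(2024, 3, 2, tzinfo=timezone.utc))
    later = store.run_purge(datetime(2029, 2, 1, tzinfo=timezone.utc))   # documents gone, KYC outcome anonymized
    return {"biometric_expiry": biometric_expiry, "first": first, "manual_removed": removed,
            "later": later, "inventory": store.inventory(), "audit": store.audit}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design choices matter for the point the list makes: a record in an unlimited category is never touched by the automated purge, so "unlimited" must be a deliberate, documented choice rather than a default, and anonymized outcomes are kept out of the inventory count because stripping the identifying fields is what takes them out of scope, which is why the anonymization step is logged to the audit trail exactly like a deletion.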
These strategies, when combined with a flexible and compliant identity verification platform, create a strong foundation for LGPD adherence. Didit's modular architecture allows businesses to integrate specific identity checks as needed, ensuring data minimization by only collecting relevant information for each verification workflow.
How Didit Helps
Didit, as an AI-native, developer-first identity platform, is designed to help businesses navigate the complexities of data privacy regulations like Brazil's LGPD. Our modular architecture and robust features empower you to implement best practices for identity data retention and compliance.
Didit acts as a data processor, giving you, the data controller, complete control over your data. Our platform allows you to configure data retention policies directly within the Business Console. You can select retention windows from 1 month to 10 years, or even set it to 'unlimited' if required by specific legal obligations, ensuring flexibility to meet diverse regulatory demands. These policies apply to all verification inputs, outputs, derived results, and operational metadata stored by Didit.
For situations requiring immediate data removal, Didit provides manual deletion capabilities. You can easily delete individual verification sessions and all associated data, including biometrics and documents, directly from the Console's Dashboard. This feature is crucial for responding promptly to data subject access requests or managing specific privacy concerns, directly supporting GDPR and LGPD compliance.
Our solutions, including ID Verification, Passive & Active Liveness, and 1:1 Face Match, are built with privacy by design. We offer Free Core KYC, allowing you to start verifying identities with robust, compliant tools. With no setup fees and a pay-per-successful-check model, Didit makes it easy to integrate secure and compliant identity verification into your operations, minimizing data exposure while maximizing trust and security.
Ready to Get Started?
Ready to see Didit in action? Get a free demo today.
Start verifying identities for free with Didit's free tier.