After several delays and lingering uncertainty around the effective date of Brazil’s General Data Protection Law (LGPD), Brazil’s Congress approved a last-minute amendment on Wednesday 26 August that brings the LGPD into immediate effect as of August 27, 2020. Given that LGPD’s main provisions are now in effect, businesses in Brazil should expect to see privacy lawsuits and public prosecutor actions for violations of the LGPD under Brazil’s Internet Law, Consumer Rights Law, and/or Civil Code.

It is important to note that administrative actions under LGPD are postponed until 1 August, 2021. Moreover, Brazil is still working on a regulation for the National Data Protection Authority, which will enforce administrative sanctions and issue opinions/regulations under the LGPD.

Requirements under the LGPD

The LGPD shares many features of the EU’s General Data Protection Regulation (GDPR) and other data protection laws. Some familiar terminology and provisions in the Brazilian law include the definition of personal data and the rights bestowed on data subjects.

The LGPD also introduces new and unfamiliar requirements on organisations. For instance, Article 41 states, “The controller shall appoint an officer to be in charge of the processing of data.” This suggests that any organisation that processes the data of Brazilians will need to appoint a data protection officer (DPO). As of yet, this provision is not fully understood, and will require further clarification. However, in its current wording, this provision may be one of the few areas where the LGPD is more stringent than the GDPR.

How to prepare 

The LGPD’s main provisions are now in force, which means private lawsuits and public prosecutor actions based on the LGPD are now possible. As such, companies should act quickly to prepare for the LGPD and its attendant compliance obligations. This includes:

  • Updating policies and procedures, including breach notifications, to meet LGPD standards;
  • Carrying out impact assessment reports for high-risk data processing;
  • Establishing a legal basis for data processing activities;[1]
  • Reviewing security measures and implementing new ones that meet LGPD standards; and
  • Identifying and updating any agreements that involve the transfer of Brazilian personal data out of Brazil.

It is important that companies work with experienced Data Protection Officers (DPOs) to operationalise LGPD’s requirements. This is especially important now that LGPD has come into force. Building a strong data protection program not only ensures good business practice and compliance, but also creates the foundation of trust with customers whose data businesses process.

[1] LGPD Art. 7 outlines ten (10) legal bases for data processing.