An Overview of Brazil’s General Data Protection Law, LGPD

On September 18, 2020, Brazil’s Lei Geral de Proteção de Dados (LGPD), also known as the Brazilian General Data Protection Law (BGDP), came into effect. 

The LGPD modernized and merged forty different data privacy rules into one framework. Prior to the LGPD, data privacy was managed by a jumbled set of laws that created uncertainty and confusion for Brazilian residents. 

 Inspired by the EU’s General Data Protection Regulation (GDPR), the LGPD is considered one of the most comprehensive data privacy laws to date. While the LGPD is modeled after the GDPR, the two frameworks are not identical. To achieve and maintain compliance, companies and organizations should be knowledgeable of the differences between the GDPR and the LGPD.  

Points of Comparison between the LGPD and GDPR include but are not limited to:

·      The LGPD requires companies and organizations to respond to data access requests within 15 days while the GDPR requires a response within 30 days

·      In the case of a security breach, the GDPR requires companies and organizations to notify the relevant supervisory authorities within 72 hours. The LGPD does not set a notification deadline for security breaches and it requires companies and organizations to notify the supervisory authority and the data owners. 

·      The LGPD caps penalties at 2% of an entity’s annual revenue within Brazil while the GDPR caps penalties at 4% of an entity’s global annual revenue or €20 million (whichever is higher)

 Noncompliance penalties involving the LGPD are postponed until August 1, 2021, as companies and organizations have a grace period to work toward compliance before the August deadline. 

Once the grace period ends the Autoridade Nacional de Proteção de Dados (ANDP), also known as the Brazilian National Data Protection Authority will enforce the LGPD. The ANDP is linked to the Office of the President of Brazil. However, the ANDP will act as an independent entity, with jurisdiction to address issues concerning data privacy and to enforce the LGPD in Brazil.  

Responsibilities of the Autoridade Nacional de Proteção de Dados (ANDP) include but are not limited to:

·      Issuing rules and regulations regarding data protection and privacy

·      Exclusively interpreting the LGPD, including cases in which the law is silent 

·      Requesting information regarding the processing of personal data from data processors and controllers

·      Exclusively overseeing and imposing administrative sanctions for violations of the LGPD

It is unknown at this time the magnitude in which the ANDP will enforce noncompliance penalties on August 1, 2021; therefore it is paramount that all affected companies and organizations work diligently toward LGPD compliance before the deadline. Learn more about the LGPD and how to achieve compliance with Privaci Learning’s course Lei Geral de Proteção de Dados (LGPD) 101- The Key Components .

After completing this course you will easily be able to:

·      Explain the Lei Geral de Proteção de Dados (LGPD)

·      Explain the obligations of data controllers and the processors

·      Explain the key principles of this regulation

·      Discuss why there was a need for the LGPD

·      Discuss the similarities and differences between the LGPD and the GDPR

To learn more about critical data privacy matters including the main components of the GDPR, how to build a privacy program and the main components to include in a privacy program, visit our homepage www.privacilearning.com and visit the Privaci Learning Udemy GDPR and LGPD online courses.