The LGPD requires Data Controllers to adopt technical and administrative practices that regulate how and why personal data can be processed (electronically or physically), and to protect the personal data they process from unauthorized access, loss, alteration, and/or exposure.
It outlines ten rights of data subjects, which are the foundation for all the processing requirements made of businesses or organizations:
LGPD requires data controllers/organizations to:
There are ten bases under which companies can legally process personal data. Data can be processed:
The Autoridade Nacional de Proteção de Dados (ANPD), or National Data Protection Authority, is the to-be-formed branch of the Brazilian federal government tasked with overseeing the regulation, compliance, and enforcement of LGPD. While under the direction of the president, the ANPD does have decision-making powers. It will consist of a 28-member advisory board broken into several groups: the Board of Directors, the National Council, an Internal Affairs Office, and other specialized units for legal and enforcement tasks.
They will be responsible for:
The law will become effective on January 1, 2021.
LGPD compliance violation sanctions have been postponed until August 1, 2021.
How is BR’s LGPD different than the EU’s GDPR?
Brazil’s General Data Protection Law (LGPD)
In their latest bid for order and progress, Brazil passed the Lei Geral de Proteção de Dados (LGPD), or the General Law for the Protection of Personal Data. The legislation is a way to protect Brazilian citizens' personal information and privacy by providing guidelines on how that data can be processed and collected by organizations. (Hint: Only with permission.) It helps standardize and clarify over 40 different previous (sometimes conflicting) statutes that regulated personal data, and applies to both Brazilian and international businesses and organizations.