How to comply with Lei Geral de Proteção de Dados, Brazil’s data protection law

Brazil’s Lei Geral de Proteção de Dados (LGPD) is the country’s first comprehensive personal data protection law. It entered into force in September 2020 and aligns closely with the EU’s sweeping data privacy act, the General Data Protection Regulation (GDPR).

Before LGPD, data privacy regulations in Brazil consisted of various provisions spread across Brazilian legislation. The aim of the LGPD was to unify the 40 different Brazilian laws that regulated the processing of personal data.

LGPD sets forth Brazil’s conception of personal data and when its use is authorised. Comprising 65 articles, it deals with the rights of data subjects and has 10 legal bases for the processing of personal data, which is four more than GDPR.

LGPD’s focus is on promoting transparency and accountability in how personal data is managed by businesses. The law governs how businesses collect, process, store and use personal data. It applies to any business, no matter where it is located, that processes the personal data of anyone in Brazil. It makes no difference whether the data processing happens within Brazilian territory or not. The only relevant point is that the data subject is in Brazil.

Complying with LGPD is crucial for businesses handling the personal data of Brazilians. There are legal implications as well as issues of consumer trust, data security, corporate responsibility, and preserving your business’ reputation. We recognise that understanding LGPD is vital for Brazilian companies as well as companies that want to facilitate cross-border operations. We created this guide to ensure that companies have the information they need to do that.