Brazilian General Data Protection Law (LGPD)

Brazil’s General Data Protection Law (or LGPD) brings sorely needed clarification to the Brazilian legal framework. The LGPD attempts to unify the over 40 different statutes that currently govern personal data, both online and offline, by replacing certain regulations and supplementing others. This unification of previously disparate and oftentimes contradictory regulations is only one similarity it shares with the EU’s General Data Protection Regulation.

Unlike its predecessors, such as the GDPR and California Consumer Privacy Act, the LGPD’s applicability is not limited only to businesses and organizations above a particular size. Rather, the law is applicable to businesses of all sizes and provides exceptions only in a few enumerated instances, such as where data are collected exclusively for journalistic, artistic and academic purposes, or public safety and national defense.

The LGPD is important because it is a privacy law with “extraterritorial application” which means that organizations that process personal data of Brazilians will be bound to comply with the LGPD regardless of where they are owned or operated from just like GDPR or CCPA. 

As Brazil has over 138 million internet users, making it the largest Internet market in Latin America and the fourth largest in the world, there is a high chance that your organization will need to comply with the LGPD. 

The Brazilian government designed the LGPD to achieve adequacy agreement with the EU to ensure a free flow of data between the two. 

Our approach is mentioned below: 

Phase 1: Governance & Planning
Phase 2: Gap Analysis
Phase 3: Implementation 
Phase 4: Privacy Compliance, Risk Management Framework & Audit