Brazil's Data Protection Law LGPD Effective Today
Today Brazil's new data protection law, the Lei Geral de Proteção de Dados, became effective. Keep in mind these key points about the LGPD:
It covers the processing of personal data by both private entities and the government.
The burden of proof is on the data controller to show that it has the consent of an individual to use their data.
A detailed response to a request for access to personal data is expected within 15 days.
Data breaches must be reported to affected individuals and to the National Authority for Data Protection (ANPD).
A case-by-case assessment is needed for transfers of data outside of Brazil, and transfers may only be made to countries deemed to be adequate by the data protection authority.
Data controllers and processors that do not comply with the LGPD can be fined up to 2% of their revenue in Brazil, with a maximum fine of 50 million reais.
While the LGPD has fewer requirements than the GDPR, it also places some duties on data controllers and processors that are not imposed by the GDPR. So, a GDPR-compliant organization will not necessarily comply with the LGPD.