The Brazilian General Data Protection Law (Law No. 13,709 of August 14, 2018, as amended by Law No. 13,853 of July 8, 2019) or LGPD is Brazil’s first extensive data protection regulation and is largely aligned to the European Union’s General Data Protection Regulation (GDPR). The LGPD will take effect in August 2020. The LGPD applies to any processing operation of personal data (defined as information related to an identified or identifiable natural person) carried out by individuals or legal entities from the public or private sector, irrespective of the means used for the processing or the country where the controller or the data is located, provided that: 1) the processing operation is carried out in Brazil, 2) the purpose of the processing activity is to offer or provide goods or services to individuals in Brazil, or 3) the personal data was collected in Brazil. The LGPD established a data protection agency, the National Data Protection Authority (ANPD), which oversees the protection of personal data and issue regulations and procedures related to personal data protection. As of the date of issue of this document, the members of the ANPD have not yet been appointed. Changes the LGPD Introduces to Organizations Operating in Brazil The LGPD significantly transformed the data protection system in Brazil by establishing rules for the collection, use, processing, and storage of personal data. Organizations must be able to demonstrate on a continual basis the security of the data they are processing and their compliance with the LGPD by implementing and regularly reviewing robust technical and organizational measures. This requires the establishment and enforcement of compliant policies applicable to the processing of personal data. Those who commit violations under the LGPD may be subject to a range of penalties, including: warnings; suspension or the blocking of processing activities that violate the law; and fines up to 2% of violators gross revenue in Brazil in the previous year, which are limited to R$50 Million. Under the LGPD, controllers and processors (as defined under the LGPD) are required to adopt security measures, both technical and administrative, to protect personal data from unauthorized accesses, accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing. Additionally, the LGPD grants the ANPD authority to establi
