How to Prepare for the Brazil Data Protection Law

Lori Tripoli

With the new August 2020 effective date of the Brazil data protection law moving ever closer, organizations subject to its requirements may want to implement changes now, so they will be fully ready. After all, the law — known as Lei Geral de Proteção de Dados — carries with it some serious repercussions for noncompliance: fines of up to 2% of an organization’s revenue, up to 50 million reals (about $12 million).

Understandably, postponing compliance efforts can be tempting, what with the expense and planning needed to comply with any new requirements successfully. Nevertheless, easing into compliance with the Brazil data protection law now can help organizations ensure that data protection measures will function effectively once it really counts.

Latest Update on the Brazil Data Protection Law

The regulated community has already been given a reprieve in the form of six additional months to comply. When Brazil’s Congress first passed the Brazil data protection law, it came with a February 2020 effective date.

The Brazil data protection law now has more teeth, too. Although the president of Brazil initially vetoed the establishment of a data protection authority to enforce the new law, the Brazilian government has since OK’d the creation of one. It’s known as the Autoridade Nacional de Proteção de Dados (ANPD).

Who Is Affected by the New Law?

Modeled in some measure after the European Union’s General Data Protection Regulation, the Brazil data protection law governs the collection, storage, processing and retention of personal data by organizations that control or process it. More stringent requirements apply to sensitive personal data such as information about one’s health, political affiliation, ethnic or racial origin, religion and the like.

An organization doesn’t need to be physically based within Brazil to be subject to the new law’s requirements. Generally, the Brazil data protection law applies if data collection or processing occurs in Brazil, if the data of individuals in Brazil is collected or processed, or if an entity plans to offer goods or services to individuals in the country.

Tips for Compliance

Organizations that may be subject to the Brazil data protection law should take a closer look at its precise statutory language to ascertain whether they are subject to its requirements, and if so, to what extent.

As a practical matter, companies subject to the Brazil data protection law should define the applicable data they handle to confirm they have the legal right to do so, and make sure their policies and procedures are in line with the new law’s collection, storage, processing and retention requirements. Undertaking a data-mapping exercise can help filter out the data that is not subject to the law’s requirements, such as B2B data.

Perhaps most pressingly, organizations that do not already have a data protection officer will need to appoint one, as required under the new law. The data protection officer’s role is to liaise with the Brazil Data Protection Authority and with data subjects who have complaints about the handling of their information. Organizations subject to the law’s requirements also must adhere to cybersecurity, breach notification and more. An organization’s internal training may need to be updated to reflect the law’s additional requirements.

Of course, dealing with complicated and varied data protection requirements around the globe poses challenges even for organizations with the best intentions. To that end, getting some outside help from an information management services company can go a long way toward both easing the strains caused by layered and overlapping requirements, and convincing regulators about good-faith efforts to comply with applicable laws.

More in IG, Regulations & Compliance