top of page

General Personal Data Protection Law in Brazil: next steps

Updated: May 3, 2021

Tablet mostra a tela do Google
Com a vigência da LGPD, quais rumos as empresas devem tomar para se adequar?

Published in August 2020, the General Data Personal Protection Law (LGPD) shall fully enter into force in August 2021. Understand here.

Current impact of LGPD on businesses

The LGPD provisions currently in force regard data-processing and liability arising from personal data misuse, but not penalties from noncompliance with the law. Those shall enter into force this August.

The part currently in effect – the carrot - enables businesses to begin LGPD compliance processes, to map internal personal data flows, and to draw adequacy or improvement strategies. The stick only becomes mandatory in August.

Who is responsible for keeping a business LGPD-compliant?

The LGPD created the Data Protection Officer (DPO) (yes, this portion is already in force). The DPO is a bridge between a business entity holding personal data of third parties (clients, employees, etc.) and the Data Protection National Authority (ANPD).

The DPO, appointed by every controller (the business), shall have full knowledge of the business' activities involving personal data processing and shall be responsible for the way the business deals with data flows.

The DPO shall thus be able to make decisions regarding the processing of personal data in each area of the business. The DPO is the person in charge of delivering the impact report to ANPD and of providing any clarification the authority requests.

The impact report, most known as DPIA (Data Protection Impact Assessment), is an instrument used by the business in cases where the data processing can cause damage to the civil freedom and fundamental rights of the third party. The document shall describe the business’ risk mitigation processes and measures.

What are the next steps for companies?

Personal data has increasingly circulated in this digital, post-pandemic world.

The next step for businesses facing LGPD is to adequate operations involving personal data, especially to demonstrate to the general public the business' concern on the a matter that remains relevant in 2021.

Here are some ways to make your business LGPD- compliant:

Despite the LGPD being only partially in force now, the ANPD is already being composed and has created and disclosed a channel for complaints. ANPD also created and published, on January 2, 2021, its strategic planning for 2021-2023, with the progresses the authority intends to achieve in this period, and the goals of strengthening the culture and establishing an effective normative environment for personal data protection.

To learn more about the effects of LGPD on your business, access our e-book.



Caterina Formigoni Carvalho


Post-graduated in Inovation Management and Digital Law Fundação Instituto de Administração (FIA).

Read other articles from the Digital area


bottom of page