Regulation

What is LGPD (Lei Geral de Proteção de Dados)?

The LGPD is Brazil's general data protection law that regulates the processing of personal data by individuals and organizations, establishing ten legal bases for processing and a national data protection authority (ANPD).

The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection legislation, enacted in 2018 and effective since September 2020. It applies when personal data is processed in Brazil, when the processing aims to offer goods or services to individuals in Brazil, or when the personal data was collected in Brazil.

The LGPD defines ten legal bases for processing personal data, which is broader than the GDPR's six bases. These include consent, compliance with a legal obligation, execution of public policies, research by research bodies, execution of a contract, exercise of rights in judicial or administrative proceedings, protection of life, health protection, legitimate interest, and credit protection. The law grants data subjects rights such as confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing.

The Autoridade Nacional de Proteção de Dados (ANPD) is the national data protection authority responsible for enforcement. Penalties include warnings, fines of up to 2% of the company's revenue in Brazil (capped at 50 million reais per infraction), and partial or total suspension of data processing activities. Organizations subject to the LGPD can use IQWorks to streamline compliance through ComplyIQ for regulatory management and ClassifyIQ for identifying and classifying personal data under LGPD categories.
