On September 1, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Centro de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”) released a new paper (“Paper”) on the Top Priorities for Public and Private Organizations to Effectively Implement the New Brazilian General Data Protection Law (“LGPD”). This paper is part of their joint-project on effective implementation and regulation under the LGPD.

The Paper was published shortly after the Brazilian Senate rejected a delay of the LGPD. The Senate’s rejection means that the LGPD will become applicable as soon as the law is signed by the Brazilian President.

The Paper outlines 12 priorities that public and private organizations that are subject to the LGPD should consider to effectively implement the law. It also includes a practical checklist with key steps for each of these priorities. The priorities are as follows:

  1. Understand the LGPD impact on the organization and obtain top management support for relevant implementation steps.
  2. Designate a person in charge of data protection and identify and engage key internal stakeholders.
  3. Identify the organization’s processing activities and the data the organization handles.
  4. Determine the organization’s role and obligations as a controller or operator.
  5. Assess the privacy risks associated with the organization’s data processing.
  6. Design and implement a data privacy management program covering the LGPD requirements.
  7. Define the legal bases for the organization’s data processing activities.
  8. Define technical and organizational measures for effective data security and internal reporting and management of security incidents.
  9. Identify all third parties with which the organization shares personal data and establish a third party management process.
  10. Identify the organization’s cross-border data flows (inbound and outbound) and put in place appropriate data transfer mechanisms and safeguards.
  11. Build effective processes for transparency and data subject rights.
  12. Train employees on LGPD requirements and create an awareness-raising program

Download the Paper in English. A Portuguese version of the paper will be available soon.