LGPD Accountability Handbook

LGPD Accountability Handbook

On 15 August 2020, the new Brazilian Data Protection Law, the Lei Geral de Proteção de
Dados Pessoais (LGPD), will start to apply. The law was signed into force on 14 August
2018, and amended on 27 December 2018. This is yet another big law to comply with, so
soon after the EU General Data Protection Regulation (GDPR) has entered into application
as well as the California Consumer Privacy Act (CCPA) coming into effect on January 1,

This may seem daunting to many, but it doesn’t need to be. If you have put in place
the right accountability mechanisms (or even a more comprehensive privacy program
infrastructure to maintain compliance with the GPDR), it may be relatively easy to leverage
your work to deal with LGPD compliance, as well as with other laws. In this Handbook, we
will show how an accountability approach to privacy management can produce compliance
outcomes for both the GDPR and LGPD, and a multitude of other laws with similar
compliance obligations, including the CCPA.


When looking at GDPR and LGPD, it is immediately clear that there is a fair amount of
overlap between the two laws as both have an omnibus character. When identifying the
overlap between the legal frameworks, it also becomes possible to identify the so-called
outliers: the elements of the law that are specific to a single jurisdiction, for example
specific deadlines or time constraints, or privacy management activities that are specific to
a single law.

These elements are the likely areas where your focus during implementation
could be. For the areas that do overlap, it is likely possible to largely re-use existing
policies and procedures to deal with data protection requirements in new jurisdictions,
especially if your program is based on a framework like Nymity’s Privacy Management
Accountability Framework™.