What It Is

LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is Brazil's comprehensive data protection regulation. Enacted in 2018 and fully enforced since 2021, it safeguards personal data of Brazilian residents with extraterritorial scope. Its risk-based approach mandates principles like purpose limitation and accountability for all processing.

Key Components

• **10 core principlesPurpose limitation, necessity, transparency, security, prevention, non-discrimination, accountability.
• **Data subject rightsAccess, correction, deletion, portability, objection to automated decisions.
• **Legal bases10 options including consent, legitimate interests, contracts.
• **GovernanceMandatory DPO for controllers, records of processing, DPIAs for high-risk activities.
• **EnforcementANPD imposes graduated sanctions up to 2% Brazilian revenue (R$50M cap).

Why Organizations Use It

LGPD compliance avoids multimillion fines, operational halts, reputational damage. It builds trust, enables market access in Brazil's digital economy, supports AI innovation via anonymization exemptions, and aligns with GDPR for multinationals.

Implementation Overview

Phased risk-based methodology: governance setup, data mapping, policies, controls, DSR/incident processes, audits. Applies to all sizes/industries processing Brazilian data; no certification but ANPD audits required.

What It Is

The Privacy Act 1988 (Cth) is Australia's foundational federal regulation governing personal information handling. It establishes economy-wide privacy standards via the 13 Australian Privacy Principles (APPs), using a principles-based, contextual 'reasonable steps' approach balancing individual rights with data flows. Scope includes government agencies, private entities over AU$3M turnover, certain small businesses, and those with an Australian link.

Key Components

• **13 APPsCover transparency (APP 1), collection/use/disclosure (APPs 3-8), quality/security (APPs 10-11), and access/correction (APPs 12-13).
• **NDB schemeMandatory breach notifications for serious harm.
• **Special regimesCredit reporting, TFNs.
• **OAIC enforcementAudits, penalties up to AU$50M/30% turnover; no certification required.

Why Organizations Use It

• Mandatory compliance for in-scope entities avoids severe fines.
• Enhances risk management, security (APP 11), cross-border accountability (APP 8).
• Builds trust, enables data-driven innovation, reduces breach impacts.

Implementation Overview

• Phased: gap analysis, policy/design, controls/training, NDB readiness, audits.
• Applies broadly; scales by size/sensitivity; ongoing governance essential.