What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's comprehensive data protection regulation. Enacted in 2018 and fully enforced since 2021, it governs personal data processing with extraterritorial scope, applying to any entity targeting Brazilian residents. Its risk-based approach emphasizes accountability, mirroring GDPR but with Brazil-specific adaptations like 10 principles.

Key Components

• **10 core principlespurpose limitation, necessity, transparency, security, prevention, non-discrimination, accountability.
• 10 legal bases for processing, including consent and legitimate interests.
• **Data subject rightsaccess, correction, deletion, portability, objection to automated decisions.
• **Governancemandatory DPO for controllers, DPIAs for high-risk processing, RoPAs.
• Enforcement by ANPD with graduated sanctions; no certification but compliance audits.

Why Organizations Use It

LGPD compliance avoids fines up to 2% Brazilian revenue (R$50M cap), operational suspensions, and litigation. It builds stakeholder trust, enables market access in Brazil's digital economy, reduces breach risks, and supports innovation via anonymization exemptions.

Implementation Overview

**Phased, risk-based methodologygovernance setup, data mapping/RoPAs, policies, technical controls (encryption, access), DSR/incident processes, vendor management with SCCs by 2025. Applies to all sizes/industries processing Brazilian data; ongoing ANPD monitoring required.

What It Is

K-PIPA, the Personal Information Protection Act, is South Korea's comprehensive data protection regulation, enacted in 2011 with major amendments in 2020, 2023, and 2024. It adopts a consent-centric, risk-based approach to protect personal information of Korean residents, applying broadly to domestic and foreign data handlers processing identifiable data, including pseudonymized and sensitive information like biometrics or health data.

Key Components

• **Core principlesTransparency, purpose limitation, data minimization, explicit granular consent.
• Obligations include mandatory Chief Privacy Officer (CPO) appointment, security measures (encryption, access controls), data subject rights (access, rectification, erasure, portability within 10 days), and 72-hour breach notifications.
• Enforced by PIPC with fines up to 3% of revenue; no formal certification but guidelines and audits.

Why Organizations Use It

• Ensures legal compliance amid extraterritorial scope and high penalties (e.g., Google's $50M fine).
• Mitigates breach risks, builds stakeholder trust, enables EU adequacy-aligned data flows.
• Provides competitive edge in Korea's privacy-sensitive market through robust governance.

Implementation Overview

• **Phased approachGap analysis, CPO governance, policy development, technical controls, training, audits.
• Targets all data handlers, especially large entities; requires Korean-language notices and ongoing monitoring.