The Brazilian government must establish the ANPDimmediately, regardless of the applicability date of the LGPD.The ANPD should become operational as quickly as possibleand prioritize its activities in the most effective manner.

The case for an effectiveBrazil DPA - the ANPD

The ANPD should be established immediately. It should prioritise its activitiesto provide interpretation of the LGPD and guidance to organisations to enable

proper implementation and compliance.

WHAT IS THE ANPD ANDWHY BRAZIL NEEDS IT

The ANPD, or Autoridade Nacional de Proteção de Dados, will be the first dataprotection authority to be established in Brazil. The ANPD will have a key role ininterpreting, applying and enforcing the new Brazilian data protection law – Lei Geral deProteção de Dados Pessoais (LGPD). 

The ANPD will be of central importance to:

Ensure the effectiveness and success of the LGPDGuarantee that personal data of Brazilians is used in a responsible wayBring legal certainty and clarity to regulated organizations

Regardless of the applicability date of the LGPD, its provisions concerning the ANPD arealready in force. Because much of the regulatory guidance of which the ANPD isresponsible must be provided to organizations well before the effective date of theLGPD to ensure proper implementation and compliance, the ANPD should beestablished immediately. Additionally, in times of crisis such as the COVID-19 pandemic,it is even more important that Brazil has a technical data protection authority equippedto provide guidance on how personal  data can be used for the public good.

THE ANPD PRIORITIES

Effective regulation depends oneffective strategies to make the

best possible use of availableresources. This includes

prioritizing and concentrating onregulatory activities that promisethe best outcomes for individuals

and society.

At this initial stage, the ANPDshould prioritize its activities

relating to responsive regulationand constructive engagement,

rather than deterrence andpunishment.

Defining its strategyPreparing the NationalPolicy for the Protection ofPersonal Data and Privacy

Acknowledging goodpractice Recognizing best in classexamples of accountableprivacy governance programs

Providing guidanceOn topics such as datasharing, portability,timeframes for respondingto data subject rights, etc.

Interpreting the LGPDTo clarify provisions relatingto its scope, consent,processing of children's data,etc.

Providing technicalstandardsAnd encouraging theadoption of industrystandards that will enableLGPD implementation

Enabling internationaldata transfersThrough recognizingadequacy of third countriesand establishing the variousdata transfer mechanisms

Educating on dataprotectionEducating individuals abouttheir data protection rights,and organizations abouttheir obligations

Preparing for LGPDenforcementBy establishing enforcementprocedures andimplementing mechanismsto receive complaints

To access the full paper and more information about the CIPL-CEDIS LGPD project, click here.