Policy Briefing — Brazil’s LGPD enters into force with immediate controller obligations

Executive briefing: With Law No. 13.709/2018 now in effect, controllers must establish legal bases for processing, update privacy notices, respond to access and deletion requests, and monitor processors under Articles 37–39. While ANPD fines begin 1 August 2021, civil actions and public prosecutor scrutiny started immediately, making evidence of governance controls essential.^{Articles 7–10, 18, 37–41}

Compliance actions

• Record keeping. Stand up Article 37 processing records and contract clauses covering security, breach notification, and sub-processor approvals.
• Rights response. Build intake and response playbooks for access, correction, deletion, portability, and revocation requests within statutory deadlines.
• Data protection officer. Designate a DPO, publish contact details, and set escalation routes to the ANPD for high-risk processing.

Sources

• Lei Geral de Proteção de Dados (Law No. 13.709/2018)
• ANPD announcement on LGPD commencement

Related briefings

Curated signals from the same pillar or overlapping topics.

Policy · Credibility 87/100 · September 18, 2020

Compliance Briefing — September 18, 2020

In-depth LGPD go-live guide detailing enforcement scope, ANPD expectations, data subject rights operations, lawful bases, security controls, vendor oversight, and a pragmatic compliance roadmap for Brazil-focused…

Policy · Credibility 94/100 · July 16, 2020

Policy Briefing — Schrems II voids Privacy Shield and tightens SCC due diligence

The CJEU’s Schrems II judgment invalidated the EU–U.S. Privacy Shield and reaffirmed Standard Contractual Clauses while requiring exporters to assess destination surveillance regimes and apply supplementary safeguards…

Policy · Credibility 91/100 · July 1, 2020

Policy Briefing — California begins CCPA enforcement on July 1, 2020

The California Department of Justice started enforcing the California Consumer Privacy Act on July 1, requiring businesses to honor access, deletion, opt-out, and notice obligations despite pending regulation approvals.

Policy · Credibility 92/100 · June 4, 2021

Policy Briefing — EU Updates Standard Contractual Clauses

The European Commission adopted new modular Standard Contractual Clauses for GDPR-compliant international data transfers following Schrems II.

Policy · Credibility 88/100 · January 2, 2022

Policy Briefing — UAE Personal Data Protection Law Commences

The UAE Personal Data Protection Law entered into force on 2 January 2022, triggering enterprise-wide data governance, board oversight, and vendor sourcing programmes ahead of Executive Regulation enforcement.

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Semiconductor Industrial Strategy Policy Guide — Zeph Tech

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

• Digital Markets Compliance Guide — Zeph Tech

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Export Controls and Sanctions Policy Guide — Zeph Tech

  Integrate U.S. Export Control Reform Act, International Emergency Economic Powers Act, and EU Dual-Use Regulation requirements into trade compliance, engineering, and supplier…