The new Brazilian Personal Data Protection Law is expected to become effective in September.
It affects not only Brazilian, but also foreign lenders, investors, insurers, and companies doing business in Brazil, as they may have access to personal data from Brazilian clients, partners, and employees, whose access, treatment, and storage are regulated by the new bill.
Below are 3 steps for foreign entities to consider in order to comply with the new Brazilian Personal Data Protection Law:
1. Assessment of Current Data Treatment. Assessment of the major areas that have access to and/or treat personal data from Brazilian clients, partners, and employees, and of how such data is currently being treated, including by reviewing documentation and interviewing the appointed officers of each such area;
2. Gap Analysis. Preparation of a memorandum pointing out the gaps between the current form of access to and treatment of personal data and the standards required by the new law;
3. Implementation of New Law Guidelines and Requirements. Based on the gap analysis, detail the actions to be performed and their deadlines in order to comply with the requirements set forth in the new law, including (i) adapting how personal data is accessed, (ii) amending contracts with clients, suppliers, employees and contractors, (iii) creating policies on access to, treatment of and storage of personal data, and (iv) organizing a training calendar.
Although the penalties and fines to be imposed by the new Brazilian Personal Data Protection Law are to be applied from August 2021 on, events of potential default may already occur from now on.
Because of that, foreign entities need to immediately map and identify gaps and make the proper adaptations in order to avoid unnecessary economic losses and brand exposure in the Brazilian market.