LGPD Compliance Guide for Businesses in Brazil
Brazil’s General Data Protection Law (LGPD, Law 13,709/2018) fundamentally changed how companies operating in Brazil must handle personal data. The ANPD (National Data Protection Authority) has been applying administrative sanctions since 2023, so LGPD compliance is no longer optional: it is an immediate business obligation.
This guide presents the essential compliance requirements, implementation steps, and practical considerations every business must observe.
What Is the LGPD and Why Does It Matter?
The LGPD is Brazil’s personal data protection law, modelled on Europe’s GDPR. It applies to any processing of personal data by a natural or legal person, public or private, regardless of the means used or of the country where the entity is headquartered, whenever (art. 3):
- The processing takes place in Brazilian territory
- The purpose is to offer goods or services to, or to process the data of, individuals located in Brazil
- The personal data was collected in Brazil
The law covers the entire data lifecycle: collection, storage, processing, sharing, transfer, and deletion.
Fundamental Concepts
- Personal data: any information that identifies or can identify a natural person (name, CPF (the individual taxpayer number), email, IP address, geolocation)
- Sensitive data (art. 5, II): racial or ethnic origin, religious conviction, political opinion, membership of a union or of a religious, philosophical or political organization, data on health or sex life, and genetic or biometric data
- Data subject: the natural person the data refers to
- Controller: the natural or legal person who makes the decisions about how personal data is processed
- Processor: the natural or legal person who processes personal data on the controller’s behalf
- DPO (Encarregado): the person designated by the controller as the communication channel between the controller, data subjects, and the ANPD
The 10 Legal Bases for Data Processing
The LGPD requires every processing of personal data to rest on one of the ten legal bases in art. 7. Sensitive data has its own, narrower list (art. 11): legitimate interest and credit protection are not available for it. The ten bases are:
- Data subject consent: a free, informed, and unequivocal expression of will, given for a specific purpose
- Compliance with a legal or regulatory obligation: e.g., tax returns, eSocial
- Execution of public policies: by the public administration
- Research by research bodies: with anonymization of the data whenever possible
- Contract execution: processing necessary to perform a contract, or preliminary procedures, at the data subject’s request
- Regular exercise of rights: in judicial, administrative, or arbitral proceedings
- Protection of life or physical safety: of the data subject or a third party
- Health protection: exclusively in procedures carried out by health professionals, health services, or a health authority
- Legitimate interest: of the controller or a third party, subject to a necessity and proportionality test (art. 10) and to the data subject’s reasonable expectations
- Credit protection: credit risk analysis
When to Use Each Legal Basis?
| Situation | Recommended Legal Basis |
|---|---|
| Customer registration for sale | Contract execution |
| Marketing newsletter | Consent |
| Employee eSocial registration | Legal obligation |
| Office security camera | Legitimate interest |
| Debt collection | Credit protection |
| Data analysis for product improvement | Legitimate interest |
| Patient data at clinic | Health protection |
| Defense in labor lawsuit | Regular exercise of rights |
LGPD Implementation Steps
1. Data Mapping
The first step is identifying all personal data processed by the company:
- What data is collected (name, CPF, email, address, bank details)
- Whose data (customers, employees, suppliers, prospects)
- Where it is stored (systems, spreadsheets, physical files, cloud)
- Who has access (departments, employees, third parties)
- How long it is retained
- With whom it is shared (partners, service providers, government)
- The legal basis for each processing activity
2. Record of Processing Activities (ROPA)
The ROPA formalizes the data mapping:
- Description of each processing activity
- Category of data processed
- Processing purpose
- Applicable legal basis
- Retention period
- Sharing performed
- Security measures adopted
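Data mapping is more reliable when it starts from the data itself rather than from interviews alone. The scanner below is an added example, not code from the original page: it walks tabular exports from two constructed systems, recognises CPFs (validating the check digits so typos and placeholders are not counted), emails and IP addresses by pattern, flags sensitive categories from art. 5, II by field name, and emits one inventory line per field that can be pasted into the data map and the ROPA. Every system name, field name and row is constructed sample data.

```javascript
// Added example (not from the original page): a scanner that discovers personal
// data in tabular exports so the data map and the ROPA start from evidence.
// Every system name, field name and row below is constructed sample data.

// CPF check digits (mod 11), so typos and placeholder numbers are not counted.
function isValidCpf(raw) {
  const d = raw.replace(/\D/g, "");
  if (d.length !== 11 || /^(\d)\1{10}$/.test(d)) return false;
  const digit = (len) => {
    let sum = 0;
    for (let i = 0; i < len; i++) sum += Number(d[i]) * (len + 1 - i);
    const r = sum % 11;
    return r < 2 ? 0 : 11 - r;
  };
  return digit(9) === Number(d[9]) && digit(10) === Number(d[10]);
}

// Value-level detectors: one predicate per category, applied to each cell.
const DETECTORS = [
  { category: "cpf", test: (v) => /^\d{3}\.?\d{3}\.?\d{3}-?\d{2}$/.test(v) && isValidCpf(v) },
  { category: "email", test: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) },
  { category: "ipv4", test: (v) => /^(\d{1,3}\.){3}\d{1,3}$/.test(v) },
];

// Field-name hints. The sensitive list follows the categories of art. 5, II.
const SENSITIVE_HINTS = ["health", "diagnos", "religio", "union", "biometric", "ethnic", "political", "genetic"];
const IDENTIFIER_HINTS = ["name", "nome", "address", "phone", "birth"];

function classifyField(name, matches) {
  const lower = name.toLowerCase();
  if (SENSITIVE_HINTS.some((h) => lower.includes(h))) return { category: "sensitive", sensitive: true };
  // Prefer the detector that matched the most cells; fall back to the field name.
  const best = Object.entries(matches).sort((a, b) => b[1] - a[1])[0];
  if (best) return { category: best[0], sensitive: false };
  if (IDENTIFIER_HINTS.some((h) => lower.includes(h))) return { category: "identifier", sensitive: false };
  return { category: null, sensitive: false };
}

// Returns one inventory line per field that holds (or looks like it holds) personal data.
function scanDataset(system, rows) {
  const fields = new Map();
  for (const row of rows) {
    for (const [field, value] of Object.entries(row)) {
      if (!fields.has(field)) fields.set(field, { matches: {}, total: 0, filled: 0 });
      const entry = fields.get(field);
      entry.total++;
      const cell = value == null ? "" : String(value).trim();
      if (!cell) continue;
      entry.filled++;
      for (const det of DETECTORS) {
        if (det.test(cell)) entry.matches[det.category] = (entry.matches[det.category] || 0) + 1;
      }
    }
  }
  const inventory = [];
  for (const [field, e] of fields) {
    const { category, sensitive } = classifyField(field, e.matches);
    if (category === null) continue; // unrecognised field: leave for manual review
    const hits = category in e.matches ? e.matches[category] : e.filled;
    inventory.push({ system, field, category, sensitive, hits, total: e.total });
  }
  return inventory;
}

// Constructed sample exports. The third CRM row carries an invalid CPF and a bad email.
const SAMPLE_SYSTEMS = {
  "crm-export.csv": [
    { name: "Ana Souza", cpf: "529.982.247-25", email: "ana@example.com", last_ip: "203.0.113.7", plan: "pro" },
    { name: "Bruno Lima", cpf: "111.444.777-35", email: "bruno@example.com", last_ip: "203.0.113.9", plan: "free" },
    { name: "Carla Dias", cpf: "123.456.789-00", email: "n/a", last_ip: "", plan: "free" },
  ],
  "hr-spreadsheet.xlsx": [
    { employee_id: "E-001", cpf: "52998224725", health_plan_notes: "asthma", union_member: "yes" },
    { employee_id: "E-002", cpf: "11144477735", health_plan_notes: "", union_member: "no" },
  ],
};

function buildInventory(systems = SAMPLE_SYSTEMS) {
  return Object.entries(systems).flatMap(([system, rows]) => scanDataset(system, rows));
}

function findEntry(inventory, system, field) {
  return inventory.find((e) => e.system === system && e.field === field) || null;
}

console.table(buildInventory());
```

Fields the scanner cannot classify (here `plan` and `employee_id`) are deliberately left out of the inventory rather than guessed at; they go to the manual review list. The CPF check-digit validation is what keeps the `123.456.789-00` placeholder out of the count, which matters when the inventory is later used to size retention and deletion work.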
3. DPO Appointment
The LGPD (art. 41) requires the controller to appoint a Data Protection Officer (encarregado), whose identity and contact details must be published, for example on the company’s website:
DPO functions:
- Receive complaints and communications from data subjects
- Receive communications from ANPD
- Guide employees on data protection practices
- Execute other duties determined by the controller
Who can be a DPO:
- Internal employee (not necessarily dedicated full time to the role)
- Outsourced professional (DPO as a Service)
- Legal entity
Small-scale agents (see Resolution CD/ANPD No. 2/2022 below) are exempt from appointing a DPO, but must still provide a communication channel through which data subjects can reach them.
4. Policy and Document Review
Essential documents for compliance:
- Privacy Policy: information about data processing on website/app
- Cookie Policy: detail of cookies used and their purposes
- Terms of Use: conditions for using digital services
- Internal Data Protection Policy: rules for employees
- Processor contracts: data protection clauses with suppliers and partners
- Consent forms: specific authorization forms
5. Data Protection Impact Assessment (DPIA)
The LGPD does not fix a closed list of triggers: art. 38 lets the ANPD require the report (RIPD) from the controller, and it is expected whenever processing may pose a high risk to data subjects, such as:
- Large-scale sensitive data processing
- Systematic monitoring of public areas
- Automated decisions affecting data subjects
- International data transfer
By art. 38, sole paragraph, the report must at least describe the types of data collected, the methodology used for collection and for ensuring security, and the risk mitigation mechanisms adopted. In practice it should contain:
- Processing description
- Necessity and proportionality assessment
- Risk identification
- Mitigation measures
- DPO statement
6. Information Security Measures
The LGPD (arts. 46 and 49) requires technical and administrative measures able to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or dissemination, and requires systems to be designed with these requirements in mind from the start (privacy by design):
Technical measures:
- Data encryption in transit (TLS) and at rest, with keys managed separately from the data they protect
- Role-based access control (RBAC) with least privilege, and multi-factor authentication for administrative access
- Firewall and intrusion detection systems
- Logging of access to personal data, retained long enough to reconstruct an incident and to answer the ANPD
- Regular backups with restoration testing
- Updated antivirus and antimalware
- Vulnerability and patch management
- Pseudonymization or anonymization where the purpose allows, so that a breach exposes less
Administrative measures:
- Information security policy
- Periodic employee training
- Access management (on/offboarding)
- Incident response plan
- Periodic compliance audit
7. Incident Management
The LGPD (art. 48) requires the controller to notify the ANPD and the affected data subjects of any security incident that may cause relevant risk or damage to data subjects:
- Deadline: art. 48 speaks of a reasonable period defined by the ANPD; Resolution CD/ANPD No. 15/2024 sets it at 3 business days from the moment the controller becomes aware of the incident (double that for small-scale agents)
- Communication content: nature of the affected data, data subjects involved, technical and security measures used (respecting trade secrets), risks arising from the incident, measures taken or to be taken to mitigate them, and the reasons for any delay in notifying
Sanctions and Penalties
The ANPD can apply the following sanctions:
| Sanction | Detail |
|---|---|
| Warning | With a deadline for corrective measures |
| Simple fine | Up to 2% of the legal entity’s or group’s revenue in Brazil in the previous fiscal year, excluding taxes, capped at R$ 50 million per infraction |
| Daily fine | Subject to the same cap, to compel compliance with a determination |
| Public disclosure | Public announcement of the infraction |
| Data blocking | Suspension of processing of the data involved until regularization |
| Data deletion | Obligation to delete the irregularly processed data |
| Database suspension | Partial suspension of database operation for up to 6 months, extendable for the same period |
| Processing suspension or prohibition | Suspension of the processing activity for up to 6 months, extendable, or partial or total prohibition of data-processing activities |
Beyond administrative sanctions, companies may face:
- Lawsuits from data subjects (moral and material damages)
- Class actions from prosecutors or consumer associations
- Significant reputational damage
Data Subject Rights
The company must be prepared to fulfil the data subject rights of art. 18 of the LGPD, on request and free of charge:
- Processing confirmation: inform whether the subject’s data is being processed
- Data access: provide a copy of the processed data
- Correction: rectify incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion: of unnecessary or excessive data, or data processed in breach of the LGPD
- Portability: transfer the data to another product or service provider, at the subject’s express request
- Deletion: of data processed on the basis of consent
- Sharing information: identify the public and private entities with which the controller has shared data
- Information about refusing consent: the possibility of not consenting and the consequences of refusal
- Consent revocation: at any time, by a free and easy procedure
- Opposition: object to processing carried out on a basis other than consent when it breaches the LGPD
Confirmation and access must be answered immediately in simplified form or, as a clear and complete declaration, within 15 days of the request (art. 19). A request-tracking process with owners and deadlines is needed to meet this consistently.
LGPD and Cookies
Cookie management is one of the most visible aspects of compliance:
Cookie Categories
- Essential: strictly necessary for the site to work (session, load balancing, security controls); can be set without consent on another legal basis
- Functional: improve the user experience (preferences, language)
- Analytics: collect browsing data (Google Analytics, Hotjar)
- Marketing: track users across sites for targeted advertising
Compliance Requirements
- Cookie banner on the first visit, with no non-essential cookie set before the user decides
- Clear option to accept or reject non-essential cookies, with rejecting as easy as accepting and no pre-ticked boxes
- Granular preference management (by category)
- Accessible and detailed cookie policy
- Consent record storage: what was accepted, when, and under which version of the policy, so the company can prove consent
- Consent revocation capability, as simple as giving consent
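The requirements above reduce to a small piece of client logic: nothing non-essential runs until a decision is stored, the decision is recorded with a timestamp and policy version, a record written under an older policy no longer counts, and withdrawal is a single call. The class below is an added example, not code from the original page; it is written storage-agnostic so the same code runs in a browser wired to `localStorage` and in Node wired to an in-memory store. The policy version, storage key, category names, and tag loaders are constructed.

```javascript
// Added example (not from the original page): consent-gating logic behind a
// cookie banner. Policy version, storage key, categories and loaders are constructed.

const POLICY_VERSION = "2024-06"; // bump when the cookie policy changes; older records stop counting
const STORAGE_KEY = "cookie_consent";
const CATEGORIES = ["essential", "functional", "analytics", "marketing"];

class ConsentManager {
  // storage: object with getItem/setItem/removeItem (localStorage has this shape)
  // loaders: { category: () => void } that actually injects the tag for that category
  // now: injectable clock so the timestamp in the record is testable
  constructor(storage, loaders, now = () => new Date()) {
    this.storage = storage;
    this.loaders = loaders;
    this.now = now;
    this.loaded = new Set();
  }

  // The stored record, or null when absent, unparsable, or from an older policy version.
  record() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION && Array.isArray(rec.granted) ? rec : null;
    } catch {
      return null;
    }
  }

  needsBanner() { return this.record() === null; }

  // Granular decision from the banner. Essential is always on; the record keeps
  // when and under which policy version consent was given.
  save(chosen) {
    const granted = CATEGORIES.filter((c) => c === "essential" || chosen.includes(c));
    const rec = { version: POLICY_VERSION, timestamp: this.now().toISOString(), granted };
    this.storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    this.apply();
    return rec;
  }
  acceptAll() { return this.save(CATEGORIES); }
  rejectAll() { return this.save([]); } // one click, as easy as accept

  // Withdraw specific categories; the record stays and shows the change.
  withdraw(categories) {
    const rec = this.record();
    return this.save(rec ? rec.granted.filter((c) => !categories.includes(c)) : []);
  }
  // Full revocation: the banner is shown again on the next page view. Tags already
  // injected in this view cannot be unloaded; cookies they set must be deleted separately.
  revokeAll() { this.storage.removeItem(STORAGE_KEY); }

  allowed(category) {
    if (category === "essential") return true;
    const rec = this.record();
    return rec !== null && rec.granted.includes(category);
  }

  // Called on every page load: injects only what is allowed, each loader at most once.
  apply() {
    const ran = [];
    for (const c of CATEGORIES) {
      if (this.allowed(c) && !this.loaded.has(c) && typeof this.loaders[c] === "function") {
        this.loaders[c]();
        this.loaded.add(c);
        ran.push(c);
      }
    }
    return ran;
  }
}

// In-memory stand-in for localStorage so the scenario runs outside a browser.
function memoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Constructed scenario: first visit, a partial choice, a withdrawal, and a stale record.
function scenario() {
  const log = [];
  const loaders = {
    analytics: () => log.push("analytics tag injected"),
    marketing: () => log.push("marketing pixel injected"),
  };
  const cm = new ConsentManager(memoryStorage(), loaders, () => new Date("2024-06-01T12:00:00Z"));
  const bannerOnFirstVisit = cm.needsBanner();
  const ranBeforeChoice = cm.apply(); // nothing non-essential may run yet
  const rec = cm.save(["analytics"]); // user ticks analytics only
  const marketingAfterChoice = cm.allowed("marketing");
  const afterWithdraw = cm.withdraw(["analytics"]).granted;
  const stale = memoryStorage({ [STORAGE_KEY]: JSON.stringify({ version: "2023-01", granted: CATEGORIES }) });
  const staleNeedsBanner = new ConsentManager(stale, loaders).needsBanner();
  return { bannerOnFirstVisit, ranBeforeChoice, rec, marketingAfterChoice, afterWithdraw, log, staleNeedsBanner };
}

console.log(scenario());
```

In a browser, `apply()` replaces the unconditional `<script>` tags for analytics and marketing; the loaders are the only place those tags get injected, which is what makes "no cookie before consent" verifiable in a review. Keeping the record version-stamped is also what makes the stored consent usable as evidence: a record with no version cannot show which policy text the user actually agreed to.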
LGPD for Micro and Small Businesses
Resolution CD/ANPD No. 2/2022 eases obligations for small-scale agents:
- DPO: appointment is not mandatory, but a communication channel for data subjects must be provided
- Processing record: simplified format
- Incident communication: double the regular deadline
- Security policy: simplified, proportional to the size of the business
- International transfer: simplified procedures
Small-scale agents include micro-enterprises, small businesses, startups, non-profit entities, and natural persons processing data for economic purposes. The simplifications do not apply to those that carry out high-risk processing (for example, large-scale processing of sensitive data) or that belong to an economic group that is not itself small-scale.
International Data Transfer
The LGPD regulates the transfer of personal data to other countries (art. 33), and Resolution CD/ANPD No. 19/2024 sets out the procedures, including the ANPD’s own standard contractual clauses. A transfer is allowed when it relies on one of these mechanisms:
- Countries or international bodies with an adequate level of protection recognized by the ANPD
- Standard contractual clauses approved by the ANPD, or specific contractual clauses submitted to it
- Global corporate norms (binding corporate rules)
- Specific and informed consent from the data subject, given separately from other purposes
- Necessity for the execution of a contract, for a legal obligation, or to protect life or physical safety
- International legal cooperation between public bodies
Conclusion
LGPD compliance is an ongoing process requiring organizational commitment, investment in information security, and permanent review of data processing practices. Sanctions are significant, but compliance benefits go beyond penalty avoidance — they include gaining trust from customers, partners, and investors.
For LGPD compliance advisory and data protection program implementation, consult our specialists in business law.
This article is for informational purposes only and does not constitute legal advice. Each case has specific circumstances that should be analyzed by a qualified attorney.