
Compliance Briefing — September 18, 2020

In-depth LGPD go-live guide detailing enforcement scope, ANPD expectations, data subject rights operations, lawful bases, security controls, vendor oversight, and a pragmatic compliance roadmap for Brazil-focused organisations.


Executive briefing: Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) entered into effect on 18 September 2020, establishing comprehensive data protection obligations for organisations processing personal data in Brazil or offering goods and services to individuals in Brazil. With administrative sanctions applicable from 1 August 2021, companies must operationalise governance, lawful bases, rights handling, security, and vendor management controls that stand up to National Data Protection Authority (ANPD) oversight.

Enforcement scope and penalties

LGPD applies to processing operations conducted in Brazil, to the processing of data subjects located in Brazil, or to activities aimed at offering goods or services to individuals in Brazil, irrespective of where the data processor is located. The law covers personal data in digital and physical formats and protects both identified and identifiable individuals. Ten legal bases are available (including consent, legitimate interest, contract performance, legal obligation, credit protection, and fraud prevention), but each must be tied to a specific purpose, recorded, and communicated to data subjects.

Article 52 penalties include fines up to 2% of a company’s Brazilian revenue capped at BRL 50 million per violation, daily fines, public disclosure of infractions, deletion or anonymisation orders, and partial or total prohibition of data processing. Sector regulators such as the Central Bank, SUSEP, and ANS may also issue complementary sanctions where sectoral regulations intersect with LGPD obligations.

ANPD oversight and guidance

The ANPD, formally operationalised in December 2020, is empowered to issue interpretative guidance, approve standard contractual clauses, authorise international transfers, and conduct investigations. Resolution CD/ANPD No. 1/2021 established its internal regulations and investigative procedures, including inspection requests and technical reports that can lead to sanctions or corrective determinations. Organisations should monitor ANPD consultations and guidance notes, because they clarify expectations on legitimate interest assessments, children’s data, and breach notification timing.

Maintain a formal liaison channel with the ANPD through the designated Data Protection Officer (Encarregado). Ensure DPO contact information is prominent in privacy notices and continuously updated, and keep evidence of responses to ANPD inquiries or data subject escalations.

Data subject rights and fulfilment

LGPD grants rights to confirmation of processing, access, correction, anonymisation, deletion of unnecessary or excessive data, portability, information on public and private sharing, and withdrawal of consent. Companies must respond “promptly” and often within 15 days. Establish authenticated intake channels (web forms, dedicated email, call centre scripts) and identity verification steps proportional to risk. Build workflows that connect CRM, ERP, HR, marketing automation, and ticketing systems to retrieve, correct, and delete data without breaking business records or statutory retention obligations.

Track metrics for response times, denial rationales, and remediation actions. When denying a request—for example, because deletion would impair legal or regulatory compliance—document the legal basis and communicate it clearly to the requester. Provide machine-readable outputs for portability that follow ANPD guidance once published.

Lawful bases and consent management

Review every processing activity and assign a primary legal basis. For legitimate interest, conduct a balancing test covering necessity, proportionality, safeguards, and reasonable expectations. For consent, ensure the request uses clear Portuguese language, is granular by purpose, and can be withdrawn through the same or easier channel. Avoid bundled consent for unrelated purposes and track timestamp, provenance, and version of consent wording for auditability. Children’s data (under 12) requires specific and highlighted consent from a parent or guardian, with age verification steps documented.

Update privacy notices to include purposes, legal bases, categories of data, recipients, retention periods, international transfer mechanisms, rights, and DPO contact details. Provide equivalent transparency at offline collection points such as retail stores and call centres, not just on digital interfaces.

Data inventory, minimisation, and retention

Conduct a data mapping exercise cataloguing processing purposes, systems, data elements (including sensitive personal data such as racial or ethnic origin, health data, biometric data, and children’s data), retention periods, storage locations, and recipients. Maintain Records of Processing Activities (RoPAs) similar to GDPR Article 30 but tailored to LGPD terminology and lawful bases. Use automated discovery tools where possible and validate with business process owners.

Apply data minimisation by pruning collection forms, disabling unused system fields, and deleting redundant datasets. Create a retention schedule that reconciles LGPD principles with Brazilian civil, tax, labour, and consumer protection retention mandates. Implement deletion and anonymisation routines with evidence logs, and periodically review archival storage to prevent silent retention creep.

Security controls and incident response

LGPD requires technical and organisational measures proportionate to processing risks. Align controls with ISO 27001, NIST CSF, or Brazil’s Complementary Law 105/2001 for financial secrecy where applicable. Enforce role-based access, strong authentication, encryption in transit and at rest, network segmentation, secure software development practices, vulnerability management, and continuous monitoring. Pay particular attention to systems handling sensitive personal data or large-scale profiling.

Update incident response plans to incorporate LGPD breach notification. While the statute refers to a “reasonable time,” ANPD and sector regulators may define shorter windows. Prepare decision trees to evaluate risk to data subjects, draft notice templates for ANPD and affected individuals, and coordinate with PROCON consumer agencies when consumer harm is plausible. Run tabletop exercises that include marketing, legal, and communications to avoid over- or under-reporting.

Vendor management and international transfers

Inventory processors, sub-processors, and joint controllers. Update contracts to include LGPD-required clauses: processing instructions, confidentiality, sub-processor approval, security standards, breach notification timelines, and audit rights. For multinational groups, map cross-border transfers and apply appropriate mechanisms—currently contractual clauses, global corporate rules, or specific consent—pending ANPD’s approval of standard contractual clauses and Binding Corporate Rules.

Assess vendors on their ability to honour data subject rights, delete or return data at contract termination, and provide incident cooperation. Maintain evidence of due diligence, including SOC 2/ISO 27001 reports, pen test summaries, and data flow diagrams.

Employment, marketing, and sector nuances

For HR data, balance legitimate interest with labour law obligations (e.g., CLT record-keeping, social security, tax). Provide candidate and employee notices that explain monitoring, background checks, and retention periods. For marketing, rely on consent or legitimate interest aligned with consumer expectations; provide straightforward opt-outs in Portuguese on email, SMS, and app channels.

Highly regulated sectors face overlapping rules. Financial institutions should align LGPD controls with Central Bank Resolution 4,658/2018 cybersecurity requirements. Health providers must reconcile LGPD with ANS and Ministry of Health data rules, and telecom operators should integrate LGPD with Anatel data retention obligations.

Compliance roadmap

Deliver a phased roadmap to achieve demonstrable compliance before sanction risk escalates. Phase 1 (0–60 days): assign DPO, establish steering committee, complete gap assessment, stabilise privacy notices, and halt high-risk processing lacking legal basis. Phase 2 (60–150 days): complete data inventory and RoPAs, implement consent and legitimate interest governance, publish rights intake channels, and update vendor contracts. Phase 3 (150–240 days): operationalise security enhancements, run privacy impact assessments for high-risk processing, and conduct training for engineering, marketing, HR, and customer support. Phase 4 (ongoing): monitor ANPD guidance, refresh RoPAs quarterly, audit vendors annually, and track key risk indicators (rights SLA performance, breach metrics, third-party findings).

Support the roadmap with a RACI matrix assigning accountable executives for each control domain, and integrate privacy checkpoints into change management so new projects cannot launch without legal basis, notice updates, and security review.

Documentation and accountability

LGPD’s accountability principle requires demonstrable evidence of compliance. Maintain a policy library covering data protection, data retention, incident response, and third-party management. Keep training records, DPIA templates, and audit logs for rights requests, consent changes, and vendor reviews. When relying on legitimate interest, archive the balancing assessments and mitigation steps taken (pseudonymisation, data minimisation, opt-outs).

Regularly brief executive leadership and the board on LGPD risk, enforcement developments, and remediation progress. Tie privacy metrics to business KPIs—customer trust scores, incident frequency, and time-to-fulfil rights requests—to sustain investment and oversight.

Action: Organisations that operate in Brazil or target Brazilian residents should lock in governance, lawful bases, rights operations, security controls, and vendor oversight now, ahead of escalating ANPD enforcement and sector regulator scrutiny. Treat LGPD as an ongoing programme rather than a one-time project to keep pace with emerging guidance and cross-border data transfer requirements.
