Policy Briefing — Brazil LGPD Enters into Force
Brazil’s Lei Geral de Proteção de Dados (LGPD) entered into force, obligating controllers and processors to operationalise lawful bases, transparency notices, and data subject response protocols under ANPD oversight.
Executive briefing: Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados, LGPD) entered into effect on 18 September 2020, establishing comprehensive data protection obligations for organisations processing personal data in Brazil or offering goods and services to individuals in Brazil. Companies must finalise compliance programmes spanning governance, data mapping, rights management, security, and vendor oversight ahead of administrative sanctions enforceable from 1 August 2021 by the National Data Protection Authority (ANPD).
Applicability and key principles
LGPD applies to processing operations conducted in Brazil, to processing involving data subjects located in Brazil, and to processing intended to offer or market goods or services to individuals in Brazil. The law covers personal data in both digital and physical formats and introduces ten legal bases, including consent, legitimate interest, contract performance, legal obligations, and credit protection. It sets out fundamental principles—purpose limitation, adequacy, necessity, free access, quality, transparency, security, prevention, non-discrimination, and accountability.
Penalties include fines up to 2% of a company’s Brazilian revenue (capped at 50 million reais per violation), daily fines, data processing suspension, and public disclosure of infractions. The ANPD, established in December 2020, will issue guidance, oversee enforcement, and coordinate with other regulators.
Governance and organisational structure
Designate a Data Protection Officer (Encarregado) responsible for receiving data subject requests and liaising with the ANPD. The DPO may be internal or external; document appointment details, contact information, and responsibilities in privacy notices. Establish a cross-functional governance structure involving legal, IT, security, marketing, HR, procurement, and business units.
Develop policies covering data protection, incident response, retention, and third-party management. Translate LGPD obligations into procedures, checklists, and control matrices. Ensure executive sponsorship—ideally at the C-suite or board level—to allocate resources and monitor compliance performance.
Data inventory and classification
Conduct a comprehensive data mapping exercise cataloguing processing activities, purposes, legal bases, data categories (including sensitive personal data and children’s data), retention periods, storage locations, and recipients. Use data discovery tools, surveys, and workshops to capture structured and unstructured data flows. Maintain records of processing activities (RoPAs) similar to GDPR Article 30, adjusted for LGPD requirements.
Classify data by sensitivity and criticality to prioritise controls. Identify cross-border data transfers and the mechanisms used (contracts, adequacy decisions, standard contractual clauses). Prepare to implement ANPD-approved standard clauses and Binding Corporate Rules once available.
Legal bases and consent management
Review processing activities to confirm appropriate legal bases. Document legitimate interest assessments considering necessity, balance of interests, and safeguards. For consent-based processing, implement mechanisms that capture explicit, informed consent with clear language in Portuguese. Provide granular choices and enable withdrawal through accessible channels.
Update privacy notices to include purposes, legal bases, data sharing details, retention periods, rights, and DPO contact information. Ensure notices cover offline collection points (retail stores, call centres) as well as digital interfaces.
Data subject rights operations
Implement processes to handle LGPD rights—confirmation of processing, access, correction, anonymisation, portability, deletion, and information on data sharing. Establish intake channels (web forms, email, call centre scripts) and verify requester identity. Define service-level targets (typically 15 days) and escalation procedures for complex requests.
Build workflows integrating relevant systems: CRM, ERP, marketing automation, HR platforms. Automate data retrieval where possible, and document manual steps when required. Maintain logs of requests, response timelines, and outcomes for audit purposes.
Security measures and incident response
LGPD requires technical and organisational measures proportionate to risks. Implement security frameworks aligned with ISO 27001, NIST CSF, or local Brazilian standards. Enforce access controls, encryption, network segmentation, vulnerability management, and monitoring. Conduct regular penetration tests and security assessments focusing on high-risk processing.
Update incident response plans to include LGPD breach notification requirements: controllers must notify the ANPD of security incidents that may cause relevant risk or harm within a “reasonable time” (a period the authority is to define), and must communicate with affected data subjects when risks are significant. Prepare templates, decision trees, and communication plans. Coordinate with sector regulators (Central Bank, SUSEP, ANS) and consumer protection agencies where applicable.
Vendor and partner management
Review contracts with processors and joint controllers to incorporate LGPD clauses covering data processing instructions, confidentiality, security measures, sub-processing, audits, and breach notification. Maintain a vendor inventory highlighting data categories processed, locations, and risk ratings. Conduct due diligence questionnaires and audits to assess vendor compliance.
Establish onboarding and offboarding procedures ensuring vendors only access necessary data and promptly delete or return data upon contract termination. Monitor vendor performance through KPIs, periodic assessments, and remediation plans.
Training and awareness
Develop tailored training for employees based on role. Provide foundational modules on LGPD principles, data handling, and incident reporting for all staff. Deliver advanced training for marketing, HR, security, and customer service teams addressing consent capture, rights handling, and breach escalation. Track completion rates and refresh training annually.
Promote a privacy-aware culture through internal communications, privacy champions networks, and recognition programmes. Encourage employees to report potential issues and provide feedback on process improvements.
Monitoring, audits, and continuous improvement
Set up compliance monitoring dashboards tracking metrics such as rights request volumes, breach incidents, vendor assessments, and training completion. Conduct internal audits examining policy adherence, control effectiveness, and documentation quality. Address findings through corrective action plans with clear ownership and timelines.
Stay informed about ANPD regulatory agendas, including guidance on international transfers, sandbox programmes, and sector-specific rules. Monitor court decisions and legislative amendments (e.g., LGPD criminal penalties, consumer law intersections) to adjust compliance strategies.
Implementation roadmap
Plan phased execution:
- Immediate: Finalise governance structures, appoint DPO, complete data mapping, and update privacy notices.
- 0–6 months: Deploy rights management workflows, enhance security controls, renegotiate vendor contracts, and deliver training.
- 6–12 months: Conduct internal audits, refine monitoring dashboards, and prepare for ANPD guidance and enforcement.
Align LGPD compliance with global privacy programmes (GDPR, CCPA) to leverage synergies while respecting Brazil-specific nuances, such as Portuguese-language transparency and local consumer protection coordination.
Leadership actions
Executives should integrate LGPD compliance into enterprise risk management, allocate budgets for privacy technology, and set key performance indicators for privacy teams. Regularly brief the board on compliance status, enforcement developments, and residual risks. Transparent communication with customers and employees regarding privacy commitments will enhance trust and support competitive differentiation in the Brazilian market.
Follow-up: Administrative sanctions began in August 2021, ANPD became an autonomous regulator in 2022, and 2023–2024 rulemakings introduced small-entity regimes and draft rules on high-risk processing and international data transfers.