Data Strategy Briefing — February 8, 2024
Brazil’s ANPD approved its 2024–2025 regulatory agenda on 8 February 2024, locking in LGPD rulemakings on children’s data, high-risk processing, DPO obligations, and cross-border transfers that demand proactive compliance roadmaps and board oversight.
Executive briefing: Brazil’s National Data Protection Authority (Autoridade Nacional de Proteção de Dados—ANPD) approved its 2024–2025 Regulatory Agenda. The agenda crystallises seventeen priority projects that will shape enforcement of the Lei Geral de Proteção de Dados (LGPD) over the next two years, including new rules for children’s data, sensitive data processing, automated decision-making, data protection officer obligations, and international data transfer mechanisms. It also schedules reviews of administrative sanctioning procedures and sector-specific guidance for health, credit, and public-sector controllers. For global organisations operating in Brazil—or processing Brazilian personal data elsewhere—the agenda provides an unambiguous compliance roadmap and a warning: ANPD expects boards and senior leadership to demonstrate proactive governance rather than wait for enforcement orders.
The agenda is divided into three phases spanning 2024 and 2025. Phase 1 prioritises foundational issues such as a new resolution on children and adolescents’ data processing, complementary guidance on data subject rights fulfilment, and a long-awaited rule on Data Protection Impact Assessments (DPIAs) for high-risk processing. It also kicks off studies on criteria for high-risk processing classification—particularly relevant for AI-driven profiling and biometric systems. Phase 2 (beginning in the second half of 2024) tackles international transfer mechanisms, clarification of controller and processor obligations, and a review of LGPD enforcement procedures to align with the agency’s sanctioning regulation (Resolution 04/2023). Phase 3 extends into 2025 with sector guidance for credit bureaus, health providers, and digital government services, plus an evaluation of anonymisation standards and the LGPD’s impact on micro and small enterprises.
Why it matters for compliance leaders
The agenda demonstrates ANPD’s shift from establishing its internal capacity to tightening substantive obligations. Multinational organisations must reassess whether policies built around the original 2021–2022 regulatory cycle remain fit for purpose. For example, the planned rule on high-risk processing will likely specify criteria that trigger DPIAs, prior consultation with ANPD, or heightened record-keeping. Companies running large-scale behavioural advertising, biometric authentication, credit scoring, or health-data analytics in Brazil should prepare for mandatory risk assessments and documentation similar to the EU’s GDPR. Failure to anticipate those requirements could expose programmes to disruption if ANPD imposes corrective measures or fines.
The agenda’s focus on children’s data is particularly pressing. Brazil’s Statute of the Child and Adolescent already requires special safeguards, but ANPD intends to define explicit consent requirements, transparency expectations, and parental verification standards. Streaming platforms, gaming companies, edtech providers, and advertisers must examine their age-assurance methods, profiling rules, and data minimisation controls. Boards should request readiness assessments demonstrating how product teams will align user journeys, privacy notices, and automated moderation systems with the forthcoming rulemaking.
The roadmap also signals stepped-up enforcement coordination with other regulators. ANPD has memoranda of understanding with consumer protection agency SENACON, the Central Bank, and telecommunications regulator Anatel. As ANPD refines sanctioning procedures and sector guidance, cross-regulator sweeps are likely—particularly for financial institutions and digital platforms. Compliance teams must ensure that responses to ANPD inquiries align with obligations under consumer and financial regulations to avoid contradictory positions or admissions that could expand liability.
Governance checkpoints
- Board briefing and oversight: Present the regulatory agenda to the audit or risk committee, highlighting which agenda items intersect with strategic projects (AI, children’s platforms, cross-border expansion). Assign executive sponsors for each topic and integrate them into enterprise risk registers with defined mitigation plans.
- DPIA framework uplift: Inventory existing DPIA procedures and benchmark them against GDPR best practices. Identify processing operations that would likely meet ANPD’s “high-risk” criteria—such as large-scale processing of sensitive data, automated decision-making that affects legal rights, or deployment of intrusive monitoring technologies. Ensure DPIAs include consultation with stakeholders, mitigation strategies, residual risk documentation, and approval workflows traceable to senior management.
- Children’s data programme: Map products and services that interact with minors. Evaluate age verification methods, parental consent capture, data retention schedules, and advertising policies. Document default settings and “best interests of the child” assessments, anticipating that ANPD may mandate independent audits or reporting.
- International transfers readiness: Catalogue cross-border data flows from Brazil, including onward transfers by processors and sub-processors. Determine which LGPD mechanisms are currently used (contractual clauses, adequacy decisions, intra-group rules). Prepare to update clauses and risk assessments as ANPD issues model clauses or adequacy criteria.
- DPO empowerment: The agenda’s review of Data Protection Officer requirements should prompt organisations to confirm that their DPO has sufficient independence, budget, and board access. Document training, reporting cadence, and mechanisms for escalating conflicts of interest.
Each checkpoint should culminate in actionable artefacts: a consolidated project tracker, updated policies, revised vendor contracts, and training curricula tailored to Brazilian operations. Boards should receive quarterly updates summarising progress, blockers, and regulatory engagement.
Implementation sequencing
Q1 2024: Communicate the agenda to leadership, legal, product, and regional teams. Update compliance calendars with public consultation timelines and identify subject-matter experts who will draft comment submissions. Engage industry associations—such as ABES or Brasscom—to coordinate sector positions on high-risk processing and international transfers.
Q2 2024: Run tabletop exercises simulating ANPD information requests tied to children’s services or automated decision-making. Stress-test consent records, transparency notices, and the ability to suspend processing swiftly. Begin updating customer and employee privacy notices to incorporate language expected under the forthcoming guidance (e.g., clearer explanations of profiling logic or parental rights).
Q3 2024: Launch remediation projects to close high-risk gaps identified in DPIAs. For instance, deploy differential privacy techniques, adopt privacy-enhancing technologies (federated learning, synthetic data for testing), or refine access controls. Implement metrics to track completion rates, such as percentage of high-risk processing inventories reviewed or number of cross-border contracts updated with supplementary measures.
2025: Integrate sector guidance once published. Health providers should align LGPD obligations with Brazil’s General Health Law and National Health Data Network (RNDS) requirements, ensuring interoperability without compromising privacy. Credit institutions must synchronise ANPD expectations with Central Bank Circular 3,909 obligations on credit bureau data. Public-sector controllers should prepare for oversight of digital ID systems and citizen service portals.
Risk watch
Monitor ANPD’s enforcement docket for signals on priority themes. Recent cases have targeted geolocation misuse, unsecured databases, and transparency failures. Expect higher penalties as ANPD refines its sanctioning methodology and begins calculating fines based on revenue percentages. Also track legislative proposals in Congress that could expand ANPD’s funding or powers, as these will influence audit frequency and investigative resources.
Finally, treat the agenda as a catalyst to mature LGPD governance globally. Brazilian regulators coordinate with European and Latin American counterparts through the Global Privacy Assembly. Aligning early with ANPD’s expectations will position organisations to respond to harmonised enforcement waves across jurisdictions. Demonstrating proactive compliance—through documented DPIAs, child-protection controls, cross-border safeguards, and empowered DPOs—will not only mitigate enforcement risk but also build trust with Brazilian customers and partners navigating an increasingly complex privacy landscape.