
LGPD (Brazil)

Brazil’s General Data Protection Law for personal data.

Introduction: The LGPD Deep-Dive Guide

The Lei Geral de Proteção de Dados Pessoais (LGPD), formally Federal Law No. 13,709 of 14 August 2018, is Brazil's comprehensive personal data protection statute. It came into force on 18 September 2020, with the administrative sanctions provisions taking effect on 1 August 2021. Heavily inspired by the European Union's General Data Protection Regulation (GDPR), the LGPD establishes a unified, principles-based framework that governs the processing of personal data of natural persons located in Brazil, regardless of where the processing organisation (the controller or operator) is domiciled. It replaced a fragmented patchwork of more than 40 sectoral instruments with a single, horizontal law.

This guide is written from the perspective of an assessor conducting a readiness or conformity review against the LGPD. It walks through the legal bases, data subject rights, principles, governance obligations, security expectations, cross-border transfer rules, incident response duties, and the powers of the Autoridade Nacional de Proteção de Dados (ANPD). Crucially, it provides a master assessment checklist that enumerates every obligation area, so that an auditor, Data Protection Officer (Encarregado), or compliance lead can systematically verify posture and marshal defensible evidence. Throughout, we translate the abstract legal language of the statute into concrete 'what to verify' and 'typical evidence' pairings that stand up to regulatory scrutiny.

Legal source and copyright note
The LGPD (Law 13,709/2018), its amending instruments (notably Law 13,853/2019 which created the ANPD), and ANPD regulations and guidance (regulamentos, resoluções) are published in the Diário Oficial da União and are in the public domain as Brazilian legislative acts. This guide paraphrases and interprets those obligations in original wording for assessment purposes; it does not reproduce official statutory or regulatory text verbatim, nor any copyrighted commentary. Always consult the current consolidated text of the law and the latest ANPD resolutions, as the regulatory landscape continues to evolve. This guide is educational and does not constitute legal advice.

What is the LGPD?

The LGPD is an omnibus data protection law that regulates any operation involving personal data (tratamento) carried out by natural persons or by public and private legal entities. 'Processing' is defined expansively to include collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, control, modification, communication, transfer, dissemination and extraction. The law is deliberately technology-neutral and applies whether data is processed by automated or non-automated means.

The statute pursues a dual objective: protecting the fundamental rights of freedom, privacy and the free development of the personality of the natural person, while enabling economic and technological development and the free flow of data within a framework of trust. It rests on ten foundational principles (Article 6) and grants data subjects (titulares) a suite of enforceable rights (Article 18). Every act of processing must be anchored to at least one of ten legal bases for personal data (Article 7), or one of the specific legal bases for sensitive personal data (Article 11).

Two categories of processing agents bear obligations: the controller (controlador), who takes decisions regarding the processing, and the operator (operador), who processes data on behalf of the controller. The Encarregado (Data Protection Officer / DPO) is the individual appointed to act as the communication channel between the controller, data subjects, and the ANPD. Enforcement sits with the ANPD, a federal autarchy with regulatory, supervisory and sanctioning powers, empowered to impose fines of up to 2% of a company's revenue in Brazil, capped at BRL 50 million per infraction.

Key terminology (glossary)

| Portuguese term | English meaning | Assessment relevance |
|---|---|---|
| Dado pessoal | Personal data | Any information relating to an identified or identifiable natural person |
| Dado pessoal sensível | Sensitive personal data | Racial/ethnic origin, religion, political opinion, health, sex life, genetic/biometric data, trade union membership |
| Titular | Data subject | The natural person to whom the data relates; holder of the Article 18 rights |
| Controlador | Controller | Party who decides on processing; primary accountability |
| Operador | Operator (processor) | Party who processes on behalf of and per instructions of the controller |
| Encarregado | DPO / person in charge | Contact point for titulares and the ANPD |
| Tratamento | Processing | Any operation performed on personal data |
| ANPD | National Data Protection Authority | Federal supervisory and sanctioning body |
| Consentimento | Consent | Free, informed and unambiguous manifestation of will |
| Anonimização | Anonymisation | Irreversible removal of identifiability; anonymised data falls outside the law |

Who must comply?

The LGPD has broad, extraterritorial scope. Under Article 3, the law applies to any processing operation regardless of the medium, the country where the controller/operator is headquartered, or the country where the data is located, provided any one of three connecting factors is met: (i) the processing is carried out in Brazilian territory; (ii) the processing activity aims to offer or supply goods or services to, or process data of, individuals located in Brazil; or (iii) the personal data was collected in Brazilian territory (a data subject located in Brazil at the time of collection).

| Category | Compliance obligation | Notes |
|---|---|---|
| Private companies in Brazil | Full compliance | All sectors; obligations scale with risk and volume, not company size alone |
| Foreign companies targeting Brazil | Full compliance | Offering goods/services to, or monitoring, individuals in Brazil (extraterritorial reach) |
| Public sector bodies | Full compliance with specific rules | Chapter IV imposes tailored obligations on public authorities |
| Operators (processors) | Compliance with controller instructions and security duties | Jointly liable in certain circumstances (Article 42) |
| Small businesses / startups | Simplified regime | ANPD Resolution CD/ANPD No. 2/2022 provides a lighter regime for agentes de tratamento de pequeno porte |
| Individuals for exclusively private/non-economic use | Exempt | Article 4: purely personal, non-economic processing is out of scope |
| Journalistic, artistic, academic processing | Partial exemption | Subject to constitutional freedoms; Articles 7 and 11 still apply to academic processing |

Article 4 sets out express exclusions: processing done by a natural person for exclusively private and non-economic purposes; processing done exclusively for journalistic, artistic or academic purposes; and processing for purposes of public safety, national defence, State security, or investigation and prosecution of criminal offences (the latter reserved for separate specific legislation). Data whose provenance is entirely outside Brazil and which merely transits Brazil without being processed here (unless subject to international cooperation rules) is also excluded.

Structure of the LGPD

The LGPD is organised into ten chapters and 65 articles. Unlike a controls-based standard such as ISO 27001, the LGPD is a principles-and-rights statute; its 'control families' are best understood as the thematic obligation domains that flow from its chapters. The table below maps those domains for assessment purposes.

| Obligation domain | Primary articles | Focus of the domain |
|---|---|---|
| Scope and definitions | Arts. 1-5 | Material and territorial scope; key defined terms |
| Principles | Art. 6 | Ten binding principles governing all processing |
| Legal bases (personal data) | Art. 7 | Ten lawful grounds for processing |
| Legal bases (sensitive data) | Art. 11 | Restricted grounds for sensitive categories |
| Children and adolescents | Art. 14 | Best-interest standard; parental consent for children |
| Data subject rights | Arts. 17-22 | Access, correction, deletion, portability, objection, review of automated decisions |
| Consent | Arts. 8-9 | Requirements for valid, informed, revocable consent |
| Termination of processing | Arts. 15-16 | When processing ends; retention and elimination |
| Controller/operator duties | Arts. 37-40 | Records of processing; instructions; DPIA (RIPD) |
| Data Protection Officer (Encarregado) | Art. 41 | Appointment, duties, publication of identity |
| Security and best practices | Arts. 46-51 | Technical/administrative safeguards; governance programme |
| Security incidents | Art. 48 | Breach notification to ANPD and data subjects |
| International data transfers | Arts. 33-36 | Mechanisms for lawful cross-border transfer |
| Liability and redress | Arts. 42-45 | Joint/several liability; compensation for damage |
| ANPD and supervision | Arts. 55-A to 59 | Authority structure and cooperation council |
| Administrative sanctions | Arts. 52-54 | Graduated penalties; aggravating/mitigating factors |

Master assessment checklist

This is the core of the guide. Each obligation domain below is presented with the specific items an assessor must verify and the evidence that typically demonstrates conformity. Work through every table; do not skip any domain, as ANPD enforcement and civil litigation both examine the totality of the accountability programme, not isolated controls.

1. The ten principles (Article 6)

Every processing activity must simultaneously satisfy all ten principles. These are not optional and are frequently the anchor of ANPD findings.

| What to verify | Typical evidence |
|---|---|
| Finalidade (purpose): processing serves legitimate, specific, explicit and informed purposes | Purpose statements in privacy notices; RoPA purpose column; DPIA purpose analysis |
| Adequação (adequacy): processing is compatible with stated purposes | Data-mapping showing each field maps to a declared purpose |
| Necessidade (necessity/minimisation): limited to the minimum data needed | Data minimisation review; field-level justification; form audits |
| Livre acesso (free access): subjects can consult processing easily and free of charge | Self-service access portal; DSAR procedure and logs |
| Qualidade dos dados (data quality): accuracy, clarity, relevance and currency | Data-correction workflow; periodic accuracy reviews; error rates |
| Transparência (transparency): clear, accurate, accessible information | Layered privacy notices; readability testing; publication of Encarregado identity |
| Segurança (security): technical and administrative protective measures | ISMS artefacts; encryption standards; access-control matrix |
| Prevenção (prevention): measures to prevent damage | DPIAs; privacy-by-design records; change-management gates |
| Não discriminação (non-discrimination): no unlawful or abusive discriminatory processing | Algorithmic fairness review; automated-decision impact analysis |
| Responsabilização e prestação de contas (accountability): demonstrable adoption of effective measures | Governance programme documentation; audit trail; management sign-off |

2. Legal bases for personal data (Article 7)

| What to verify | Typical evidence |
|---|---|
| Each processing activity is mapped to exactly one valid legal basis | RoPA legal-basis column; basis-selection rationale document |
| Consent (I) is free, informed, unambiguous and separable where relied upon | Consent capture records with timestamp, text version, and withdrawal logs |
| Legal/regulatory obligation (II) is cited with the specific instrument | Register linking processing to the mandating statute/regulation |
| Public administration bases (III) used only by public bodies for public policy | Public-purpose justification; legal mandate references |
| Research by study bodies (IV) applies anonymisation wherever possible | Ethics approval; anonymisation methodology |
| Contract execution / pre-contractual steps (V) genuinely necessary | Contract terms; necessity test documentation |
| Judicial/administrative/arbitration proceedings (VI) properly scoped | Case references; legal-hold records |
| Protection of life or physical safety (VII) is time-bound | Incident documentation; medical/emergency justification |
| Health protection (VIII) by health professionals or sanitary authorities | Clinical governance records; professional register |
| Legitimate interest (IX) supported by a balancing test and safeguards | Legitimate Interest Assessment (LIA); safeguards register; opt-out mechanism |
| Credit protection (X) complies with applicable credit legislation | Credit-bureau agreements; sectoral compliance evidence |

3. Legal bases for sensitive personal data (Article 11)

| What to verify | Typical evidence |
|---|---|
| Sensitive data categories are identified and inventoried | Sensitive-data inventory; classification tags in the RoPA |
| Specific and highlighted consent obtained where consent is relied upon | Granular consent records referencing the specific sensitive purpose |
| Non-consent bases (legal obligation, public policy, research, rights exercise, life protection, health, fraud prevention) correctly applied | Basis-mapping table for each sensitive processing activity |
| Health/biometric/genetic processing subject to heightened safeguards | Encryption at rest; access restriction; DPIA for high-risk processing |
| No sharing of health data for economic advantage except in permitted cases | Data-sharing register; contractual prohibitions |
| Sensitive data processing avoids discrimination (Art. 11 and Art. 6 IX) | Bias/impact assessment for profiling on sensitive attributes |

4. Processing of children's and adolescents' data (Article 14)

| What to verify | Typical evidence |
|---|---|
| Processing serves the best interests of the child/adolescent | Best-interest assessment; age-appropriate design records |
| Specific and prominent parental/guardian consent for children (under 12) | Verifiable parental consent mechanism and logs |
| Only necessary data collected; no conditioning participation on excess data | Data-collection review for child-facing services |
| Information provided in simple, clear, accessible language suited to age | Child-friendly notice; readability evidence |
| No public disclosure or transfer to third parties without consent | Third-party sharing controls; consent gating |
| Reasonable efforts made to verify consent is given by a legal guardian | Verification method documentation |

5. Consent management (Articles 8-9)

| What to verify | Typical evidence |
|---|---|
| Consent is provided in writing or by another means demonstrating the will of the subject | Consent capture UI screenshots; stored consent strings |
| Consent requests are distinct from other clauses (not bundled) | Consent form design; standalone checkboxes |
| Purposes are specified; generic authorisations are void | Purpose-specific consent copy |
| Burden of proving valid consent rests with and is met by the controller | Consent audit trail; version history of consent text |
| Withdrawal of consent is as easy as giving it, and free of charge | Self-service withdrawal flow; withdrawal logs |
| Re-consent obtained when purpose or information materially changes | Change-triggered re-consent records |
| Data subjects informed of consequences of refusal | Notice language on refusal consequences |

6. Data subject rights (Articles 17-22)

| What to verify | Typical evidence |
|---|---|
| Confirmation of the existence of processing is provided on request | DSAR workflow; confirmation response templates |
| Access to data provided in simplified or complete (declaration) format | Access-report generation; format options |
| Correction of incomplete, inaccurate or outdated data is actioned | Correction request logs; data-update audit trail |
| Anonymisation, blocking or elimination of unnecessary/excessive/non-compliant data | Deletion/anonymisation procedure and completion records |
| Data portability to another provider on request | Portability export in interoperable format; portability logs |
| Deletion of data processed with consent (subject to legal retention) | Erasure workflow; retention-exception register |
| Information on public/private entities with which data was shared | Data-sharing disclosure register |
| Information about the possibility of denying consent and its consequences | Notice content; consent-refusal explanation |
| Revocation of consent honoured | Withdrawal processing evidence |
| Requests answered within statutory timeframes (immediate simplified / 15 days full) | SLA metrics; response timestamp logs |
| Rights exercised free of charge | Fee policy confirming no charge |
| Review of decisions taken solely on automated processing (Art. 20) | Human-review procedure; profiling logic disclosure |
| Identity verification for requestors without excessive friction | Identity-verification procedure balancing security and access |

7. Transparency and information duties

| What to verify | Typical evidence |
|---|---|
| Privacy notice discloses purpose, form, duration, controller identity and contact | Published privacy policy; version control |
| Information on shared processing and responsibilities of controllers/operators | Notice sections on data sharing; joint-controller descriptions |
| Data subject rights and how to exercise them are clearly stated | Rights section of notice; contact for Encarregado |
| Notices are accessible, in Portuguese, and appropriate to audience | Localisation evidence; accessibility testing |
| Just-in-time notices at point of collection | Contextual notice screenshots on forms/apps |

8. Controller and operator obligations (Articles 37-40)

| What to verify | Typical evidence |
|---|---|
| Records of processing operations (RoPA) maintained, especially where legitimate interest relied upon | Complete, current Register of Processing Operations |
| Operator processes strictly per controller instructions | Data Processing Agreements (DPA) with instruction clauses |
| Operator maintains its own records of processing performed for the controller | Operator RoPA; sub-processor register |
| Controller/operator liability and roles are contractually defined | Executed DPAs; liability allocation clauses |
| ANPD interoperability/reporting standards adopted where issued | Adoption of ANPD-defined report formats |
| Sub-processor authorisation and flow-down of obligations | Sub-processor approval register; back-to-back contracts |

9. Data Protection Officer / Encarregado (Article 41)

| What to verify | Typical evidence |
|---|---|
| An Encarregado is formally appointed (individual or entity per ANPD rules) | Appointment letter; internal designation record |
| Encarregado identity and contact details are publicly disclosed | Website/privacy-notice publication of contact |
| Encarregado accepts complaints and communications from data subjects | Complaint intake channel and case log |
| Encarregado receives communications from and cooperates with the ANPD | Regulator-liaison records |
| Encarregado guides staff and provides guidance on data-protection practices | Training records; internal advisory memos |
| Small-business exemption from mandatory Encarregado applied correctly (if claimed) | Eligibility assessment under ANPD Resolution 2/2022 |

10. Security, technical and administrative measures (Articles 46-47)

| What to verify | Typical evidence |
|---|---|
| Security measures protect data against unauthorised access, destruction, loss, alteration, communication or dissemination | ISMS policy suite; control catalogue |
| Measures applied from the design phase through to processing end (privacy by design) | Security architecture docs; SDLC gates |
| Access control enforces least privilege and role segregation | IAM policy; access-review reports; RBAC matrix |
| Encryption applied to data at rest and in transit as appropriate | Encryption standard; key-management records; TLS config |
| Pseudonymisation/anonymisation used where feasible | De-identification methodology and evidence |
| Logging and monitoring detect anomalous access | SIEM/log-retention configuration; alerting evidence |
| Measures maintained even after processing ends (retained/archived data) | Archival security controls; retention policy |
| Vendor/operator security measures assessed and contractually required | Third-party risk assessments; security schedules in DPAs |

11. Good-practice and governance programme (Articles 50-51)

| What to verify | Typical evidence |
|---|---|
| A privacy governance programme demonstrates the controller's commitment | Documented privacy programme charter; management endorsement |
| Programme is adapted to the structure, scale and volume of operations and risk | Risk-based programme scoping document |
| Programme establishes policies, safeguards and internal mechanisms | Policy library; internal controls register |
| Programme includes an incident response and remediation plan | Incident response plan; tabletop exercise records |
| Programme is continually reviewed and monitored | Programme review minutes; metrics dashboard |
| Rules of good practice and governance are published where adopted | Published code of conduct / good-practice rules |
| Certifications, seals and codes of conduct considered as evidence of compliance | Certification records; adherence declarations |

12. Data Protection Impact Assessment (RIPD, Article 38)

| What to verify | Typical evidence |
|---|---|
| RIPD (relatório de impacto à proteção de dados pessoais) prepared for high-risk processing | Completed RIPD reports |
| RIPD describes data types, methodology, and risk-mitigation measures | RIPD content covering data flows and safeguards |
| RIPD produced when requested by the ANPD, particularly for legitimate interest or sensitive data | Trigger register; ANPD-request handling |
| Mitigation measures identified are implemented and tracked to closure | Remediation tracker linked to RIPD findings |
| RIPD reviewed on material change to processing | Version history of RIPDs |

13. Security incident management and breach notification (Article 48)

| What to verify | Typical evidence |
|---|---|
| A defined process detects, triages and classifies security incidents | Incident response plan; classification criteria |
| Incidents that may cause risk or relevant damage are notified to the ANPD | Breach notification records; ANPD submission receipts |
| Affected data subjects are notified where relevant risk arises | Data-subject notification templates and dispatch logs |
| Notification made within a reasonable timeframe (per ANPD Resolution 15/2024, generally 3 business days) | Timeline evidence from detection to notification |
| Notification contains required content (nature of data, subjects affected, measures, risks) | Notification content checklist |
| Post-incident measures to reverse or mitigate effects are documented | Remediation and lessons-learned reports |
| Incident register maintained for all events, including near-misses | Incident log / register |

14. International data transfers (Articles 33-36)

| What to verify | Typical evidence |
|---|---|
| Every cross-border transfer relies on a valid Article 33 mechanism | Transfer register mapping each flow to its mechanism |
| Adequacy: transfer to a country/entity with an adequate protection level | ANPD adequacy determination reference (where applicable) |
| Standard contractual clauses (cláusulas-padrão) adopted per ANPD model | Executed SCCs aligned to ANPD Resolution 19/2024 templates |
| Specific contractual clauses, binding corporate rules (normas corporativas globais) or seals used | Approved BCRs; specific-clause approvals |
| Transfer for international legal cooperation or life protection properly justified | Legal-basis documentation for exceptional transfers |
| Consent-based transfers obtain specific, prior and highlighted consent | Transfer-specific consent records |
| Onward transfers and sub-processor locations are mapped | Data-flow map including geographic locations |

15. Termination of processing and retention (Articles 15-16)

| What to verify | Typical evidence |
|---|---|
| Processing terminates when purpose achieved, data no longer needed, or consent withdrawn | Retention schedule; deletion triggers |
| Retention beyond termination only for permitted reasons (legal obligation, research, transfer, own use) | Retention-exception register with legal basis |
| Data eliminated after processing ends, respecting permitted retention | Secure deletion records; certificates of destruction |
| Anonymised retention for own purposes guards against re-identification risk | Anonymisation validation evidence |
| Retention periods documented per data category | Retention matrix in the RoPA |

16. Liability, redress and accountability (Articles 42-45)

| What to verify | Typical evidence |
|---|---|
| Mechanisms exist to compensate data subjects for patrimonial or moral damage | Complaint/redress procedure; claims register |
| Roles of controller and operator for joint/several liability are clear | DPA liability clauses; RACI for processing |
| Evidence demonstrating adopted measures is retained to support the accountability defence | Accountability evidence dossier |
| Consumer-relationship processing complies with the Consumer Defence Code where applicable | Cross-mapping to CDC obligations |

Scoping the assessment

Accurate scoping prevents both under-assessment (which leaves regulatory exposure) and over-assessment (which wastes effort on out-of-scope activities). LGPD scoping is data-flow-driven rather than system-driven: begin from the personal data itself and follow it across people, processes, systems and third parties.

  • Determine territorial applicability: identify processing carried out in Brazil, processing offering goods/services to individuals in Brazil, and data collected while subjects were in Brazil.
  • Inventory all personal and sensitive data categories, sources and data subjects (customers, employees, prospects, minors, patients).
  • Map data flows end to end, including collection points, storage locations, internal transfers, operators, sub-operators and cross-border transfers.
  • Classify processing activities by risk to identify those requiring a RIPD (large-scale, sensitive, systematic monitoring, or novel technologies).
  • Identify all processing agents and their roles (controller, joint controllers, operator) and confirm contractual coverage.
  • Determine applicability of the simplified small-business regime (ANPD Resolution 2/2022) and any sectoral overlays (financial, health, telecom).
  • Exclude clearly out-of-scope activities under Article 4 (purely private, journalistic/artistic, public-safety/national-defence reserved processing).
  • Define the assessment boundary, in-scope systems, and the reporting period.

Implementation approach (phased)

A defensible LGPD programme is built in phases. Each phase produces deliverables that become the evidence base for both internal accountability and any ANPD interaction.

Phase 1: Discovery and data mapping

  • Activities: run data-discovery workshops, deploy discovery tooling, interview process owners, and inventory data categories, systems and flows.
  • Deliverables: personal-data inventory, data-flow maps, initial Register of Processing Operations (RoPA), and a preliminary applicability memo.

Phase 2: Gap assessment and legal-basis mapping

  • Activities: assess each processing activity against principles, legal bases, rights and security duties; perform Legitimate Interest Assessments; identify gaps.
  • Deliverables: gap-assessment report, legal-basis register, LIAs, and a prioritised remediation roadmap with risk ratings.

Phase 3: Governance and documentation

  • Activities: appoint the Encarregado, draft/update the privacy governance programme, policies, privacy notices, consent flows and DPAs.
  • Deliverables: appointment record, privacy programme charter, policy suite, layered privacy notices, consent-management design, and standard DPA templates.

Phase 4: Technical and security remediation

  • Activities: implement access controls, encryption, logging, pseudonymisation, retention automation and privacy-by-design gates in the SDLC.
  • Deliverables: security control implementation records, key-management procedures, retention schedules, and updated architecture documentation.

Phase 5: Rights, incidents and third-party operationalisation

  • Activities: stand up DSAR handling, breach detection and notification workflows, RIPD process, and third-party/operator due-diligence programme.
  • Deliverables: DSAR procedure and portal, incident response plan, breach-notification templates, RIPD methodology, and vendor risk register.

Phase 6: Embedding, monitoring and continuous improvement

  • Activities: deliver training and awareness, run tabletop exercises, establish KPI monitoring, and schedule periodic reassessment and internal audit.
  • Deliverables: training records, exercise reports, KPI dashboard, internal audit plan, and management review minutes.

Maturity and capability model

The LGPD does not prescribe a maturity model, but assessors commonly apply a five-level capability scale to communicate posture and prioritise investment. The scale below is calibrated to LGPD accountability expectations.

| Level | Name | Characteristics against LGPD |
|---|---|---|
| 1 | Initial / Ad hoc | No RoPA; legal bases undocumented; reactive to incidents; no Encarregado; high exposure |
| 2 | Developing | Partial data mapping; some notices and consent; Encarregado named but under-resourced; inconsistent rights handling |
| 3 | Defined | Complete RoPA; legal bases mapped; governance programme documented; DSAR and breach processes operational |
| 4 | Managed | Metrics-driven; RIPDs for high-risk processing; automated retention and consent; regular internal audits; vendor programme mature |
| 5 | Optimised | Privacy-by-design embedded; continuous monitoring; proactive ANPD engagement; certifications/seals; culture of accountability |

Assessment and audit approach

  1. Define objectives, scope and the reporting period; confirm applicability under Article 3 and any exclusions under Article 4.
  2. Request and review documentation: RoPA, privacy notices, policies, DPAs, consent records, RIPDs and incident logs.
  3. Conduct data-flow validation through interviews and system walkthroughs to confirm the RoPA reflects reality.
  4. Test legal bases: for each activity, verify a valid Article 7/11 basis and, for legitimate interest, a documented balancing test.
  5. Assess data subject rights operation by submitting or tracing test/real requests and measuring SLA adherence.
  6. Evaluate technical and administrative security measures against Articles 46-47, including access, encryption and logging.
  7. Review the incident and breach-notification process against Article 48 and ANPD Resolution 15/2024 timelines.
  8. Examine cross-border transfer mechanisms against Articles 33-36 and current ANPD SCC/BCR requirements.
  9. Assess the governance programme, Encarregado function and accountability evidence dossier.
  10. Rate findings by risk, assign a maturity level, and produce a remediation roadmap with owners and timelines.
  11. Validate remediation in a follow-up review and maintain the evidence base for ongoing accountability.

Evidence request list

The following categorised evidence set should be requested at the outset of any LGPD assessment.

  • Governance and accountability: privacy programme charter; Encarregado appointment and published contact; policy library; management review minutes.
  • Data mapping: Register of Processing Operations (RoPA); data-flow diagrams; personal and sensitive data inventory; retention schedules.
  • Legal bases and consent: legal-basis register; Legitimate Interest Assessments; consent capture and withdrawal logs; consent text version history.
  • Transparency: published privacy notices; just-in-time notices; cookie/tracking disclosures.
  • Data subject rights: DSAR procedure; request log with SLA metrics; response templates; automated-decision review process.
  • Security: ISMS policies; access-control matrix and access reviews; encryption and key-management standards; logging/monitoring configuration.
  • Impact assessments: completed RIPDs; RIPD methodology; remediation trackers.
  • Incidents: incident response plan; incident register; ANPD and data-subject notification records; post-incident reports.
  • Third parties and transfers: DPAs and sub-processor register; vendor risk assessments; cross-border transfer register and SCCs/BCRs/adequacy references.
  • Training and awareness: training curriculum and completion records; tabletop exercise reports.

Roles and responsibilities

| Role | Key responsibilities | LGPD anchor |
|---|---|---|
| Controlador (Controller) | Decides on processing; ultimate accountability; maintains RoPA; ensures legal bases and rights | Arts. 5, 37, 46, 50 |
| Operador (Operator) | Processes on controller instructions; maintains own records; implements security | Arts. 5, 39, 47 |
| Encarregado (DPO) | Liaison with data subjects and ANPD; guidance to staff; complaint handling | Art. 41 |
| Executive leadership / Board | Endorses governance programme; allocates resources; owns risk appetite | Arts. 50-51 (accountability) |
| IT / Security team | Implements technical safeguards; monitoring; incident detection | Arts. 46-48 |
| Legal / Compliance | Legal-basis analysis; contracts and DPAs; regulatory interpretation | Arts. 7, 11, 33-36 |
| Business process owners | Accurate data mapping; enforce minimisation; support DSARs | Art. 6 (principles) |
| Internal audit | Independent assurance over the programme and controls | Arts. 50-51 |

KPIs to track

  • Percentage of processing activities with a documented and valid legal basis.
  • Data subject request (DSAR) volume and percentage answered within statutory timeframes (immediate simplified / 15 days full).
  • Mean time to detect, contain and notify security incidents; percentage of breaches notified within the ANPD timeline.
  • Percentage of high-risk processing activities with a completed and current RIPD.
  • Consent withdrawal processing rate and average time to honour withdrawals.
  • Percentage of operators/sub-processors under an executed DPA and assessed for security.
  • RoPA completeness and freshness (percentage of activities reviewed within the review cycle).
  • Staff privacy-training completion rate and phishing/awareness scores.
  • Number of open versus closed remediation items and average time to closure.
  • Percentage of cross-border transfers covered by a valid Article 33 mechanism.
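The incident KPIs above (mean time to detect, contain and notify; share of breaches notified within the ANPD working-day expectation) are easiest to defend when they are computed from the incident register rather than estimated. The following is an added example, not part of this guide or of any ANPD tooling: it computes those metrics over a constructed three-incident register. The three-business-day deadline is counted in Monday-to-Friday days from the date of detection; public holidays are not modelled, which is an assumption to adjust for a real register.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Working-day expectation for ANPD notification as cited in this guide.
ANPD_NOTIFY_BUSINESS_DAYS = 3


@dataclass
class Incident:
    """One row of an incident register (timestamps in local time)."""
    incident_id: str
    occurred: datetime
    detected: datetime
    contained: datetime
    anpd_notified: Optional[datetime]  # None when not (yet) notified


def add_business_days(start: date, n: int) -> date:
    """Date n Monday-to-Friday days after `start`; weekends are skipped.
    Assumption: public holidays are not modelled."""
    d, added = start, 0
    while added < n:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0..4 = Mon..Fri
            added += 1
    return d


def notified_within_deadline(inc: Incident) -> bool:
    """True when notification reached ANPD on or before the deadline
    counted from the detection date; an unnotified incident is late."""
    if inc.anpd_notified is None:
        return False
    deadline = add_business_days(inc.detected.date(), ANPD_NOTIFY_BUSINESS_DAYS)
    return inc.anpd_notified.date() <= deadline


def incident_kpis(incidents: List[Incident]) -> Dict[str, float]:
    """Mean time to detect / contain / notify (hours) and the percentage of
    incidents notified within the ANPD working-day deadline."""
    hours = lambda td: td.total_seconds() / 3600
    notified = [i for i in incidents if i.anpd_notified is not None]
    return {
        "mttd_hours": mean(hours(i.detected - i.occurred) for i in incidents),
        "mttc_hours": mean(hours(i.contained - i.detected) for i in incidents),
        "mttn_hours": mean(hours(i.anpd_notified - i.detected) for i in notified),
        "pct_notified_in_time": 100.0
        * sum(notified_within_deadline(i) for i in incidents)
        / len(incidents),
    }


# Constructed sample register (not real incidents). 2024-03-04 is a Monday,
# 2024-03-08 a Friday, so INC-002's deadline crosses a weekend.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2024, 3, 4, 8), datetime(2024, 3, 4, 10),
             datetime(2024, 3, 4, 16), datetime(2024, 3, 6, 9)),
    Incident("INC-002", datetime(2024, 3, 7, 20), datetime(2024, 3, 8, 8),
             datetime(2024, 3, 8, 20), datetime(2024, 3, 13, 10)),
    Incident("INC-003", datetime(2024, 3, 12, 0), datetime(2024, 3, 13, 0),
             datetime(2024, 3, 14, 0), None),
]


def sample_kpis() -> Dict[str, float]:
    """KPIs for the constructed register above."""
    return incident_kpis(SAMPLE_INCIDENTS)


if __name__ == "__main__":
    for name, value in sample_kpis().items():
        print(f"{name}: {value:.2f}")
```

For a real register, replace `SAMPLE_INCIDENTS` with rows loaded from the incident tracker and extend `add_business_days` with the organisation's holiday calendar; the unnotified incident (INC-003) is deliberately counted as missing the deadline so that open items drag the KPI down rather than being silently excluded.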

Readiness checklist

  • Territorial applicability under Article 3 confirmed and documented.
  • Complete personal and sensitive data inventory and data-flow maps produced.
  • Register of Processing Operations (RoPA) established and current.
  • A valid legal basis mapped to every processing activity, with LIAs where legitimate interest is used.
  • Layered, accurate privacy notices published in Portuguese.
  • Consent capture, granularity and withdrawal mechanisms operational and logged.
  • Data subject rights (access, correction, deletion, portability, objection, automated-decision review) handled within SLA.
  • Encarregado appointed and contact details publicly disclosed.
  • Privacy governance programme documented, endorsed and reviewed.
  • Technical and administrative security measures implemented per Articles 46-47.
  • RIPD process defined and applied to high-risk processing.
  • Security incident and breach-notification process aligned to Article 48 and ANPD Resolution 15/2024.
  • Cross-border transfer mechanisms in place per Articles 33-36 and current ANPD templates.
  • DPAs executed with all operators and sub-processors; vendor risk assessed.
  • Retention schedules and secure elimination procedures implemented.
  • Staff trained; tabletop exercises conducted; KPIs monitored.

Common gaps

  • Treating consent as the default legal basis when a more appropriate basis (legitimate interest, legal obligation, contract) applies, creating fragile compliance.
  • Incomplete or out-of-date RoPA that does not reflect actual data flows, undermining every downstream control.
  • Legitimate interest relied upon without a documented balancing test (LIA) or opt-out mechanism.
  • No formal Encarregado, or an appointed Encarregado whose contact details are not publicly disclosed.
  • Bundled consent that mixes marketing, profiling and service terms in a single non-granular acceptance.
  • Weak or absent breach-notification readiness, missing the ANPD three-business-day expectation.
  • Cross-border transfers made with no valid Article 33 mechanism, often to cloud/SaaS providers.
  • Sensitive data (health, biometric) processed without the specific Article 11 basis or heightened safeguards.
  • Data subject rights handled ad hoc, with no SLA tracking or identity-verification procedure.
  • Operators engaged without a DPA, leaving instructions and liability undefined.
  • Retention 'forever' with no schedule, breaching necessity and elimination duties.
  • No RIPD for high-risk or large-scale processing, weakening the accountability defence.
  • Privacy notices copied from GDPR templates without adaptation to LGPD terminology and Portuguese-language requirements.

LGPD mapped to other frameworks

Organisations rarely comply with the LGPD in isolation. The mapping below helps assessors reuse controls and evidence across frameworks, while noting that mappings are indicative and each framework retains distinct obligations.

| LGPD concept | GDPR (EU) | ISO/IEC 27701 | Notes |
|---|---|---|---|
| Principles (Art. 6) | Art. 5 principles | Clause 5 / PIMS objectives | Highly aligned; LGPD adds explicit non-discrimination and prevention |
| Legal bases (Art. 7) | Art. 6 lawful bases | A.7.2 / B.8.2 lawful basis | Ten LGPD bases vs six GDPR; credit protection is LGPD-specific |
| Sensitive data (Art. 11) | Art. 9 special categories | PII processing controls | Categories broadly similar |
| Data subject rights (Arts. 17-22) | Arts. 15-22 rights | A.7.3 / B.8.3 obligations to PII principals | LGPD portability and automated-decision review align to GDPR |
| Encarregado (Art. 41) | DPO (Arts. 37-39) | Responsibility assignment | LGPD DPO not always mandatory on the same triggers as GDPR |
| Security (Arts. 46-47) | Art. 32 security | ISO 27001 Annex A + 27701 | Directly reusable ISMS controls |
| RIPD (Art. 38) | DPIA (Art. 35) | A.7.2.5 PII impact assessment | LGPD RIPD often triggered by ANPD request |
| Breach notice (Art. 48) | Arts. 33-34 (72 hours) | Incident management | ANPD ~3 business days vs GDPR 72 hours |
| Transfers (Arts. 33-36) | Chapter V (Arts. 44-50) | Transfer controls | SCCs, adequacy, BCRs analogous |
| Accountability (Arts. 50-51) | Art. 5(2) / Art. 24 | PIMS management system | Governance programme mirrors accountability principle |

How CyberSigma helps

CyberSigma provides end-to-end LGPD advisory and assurance: applicability and scoping analysis under Article 3, automated personal-data discovery and RoPA build-out, legal-basis and Legitimate Interest Assessment support, and privacy-notice and consent-flow design in Portuguese. Our CERT-In empanelled and QSA-qualified assessors run gap assessments, RIPDs (relatorios de impacto), and DPA/vendor due-diligence programmes, and stand up DSAR and breach-notification workflows aligned to ANPD Resolution 15/2024. We embed privacy-by-design in your SDLC, deliver Encarregado-as-a-service, and provide continuous monitoring with a KPI dashboard so your accountability evidence is always audit-ready. Because our methodology cross-maps LGPD to GDPR, ISO 27701 and PCI DSS, you reuse a single control set to satisfy multiple regimes and reduce total compliance cost. Talk to CyberSigma to move from ad hoc to optimised on the LGPD maturity scale.

Frequently asked questions

How is LGPD different from GDPR?
LGPD is closely modelled on GDPR with similar principles and rights, but has its own legal bases, authority (ANPD) and penalty structure specific to Brazil.