Introduction: The LGPD Deep-Dive Guide
The Lei Geral de Protecao de Dados Pessoais (LGPD), formally Federal Law No. 13,709 of 14 August 2018, is Brazil's comprehensive personal data protection statute. It came into force on 18 September 2020, with the administrative sanctions provisions taking effect on 1 August 2021. Heavily inspired by the European Union's General Data Protection Regulation (GDPR), the LGPD establishes a unified, principles-based framework that governs the processing of personal data of natural persons located in Brazil, regardless of where the processing organisation (the controller or operator) is domiciled. It replaced a fragmented patchwork of more than 40 sectoral instruments with a single, horizontal law.
This guide is written from the perspective of an assessor conducting a readiness or conformity review against the LGPD. It walks through the legal bases, data subject rights, principles, governance obligations, security expectations, cross-border transfer rules, incident response duties, and the powers of the Autoridade Nacional de Protecao de Dados (ANPD). Crucially, it provides a master assessment checklist that enumerates every obligation area, so that an auditor, Data Protection Officer (Encarregado), or compliance lead can systematically verify posture and marshal defensible evidence. Throughout, we translate the abstract legal language of the statute into concrete 'what to verify' and 'typical evidence' pairings that stand up to regulatory scrutiny.
Legal source and copyright note
The LGPD (Law 13,709/2018), its amending instruments (notably Law 13,853/2019 which created the ANPD), and ANPD regulations and guidance (regulamentos, resolucoes) are published in the Diario Oficial da Uniao and are in the public domain as Brazilian legislative acts. This guide paraphrases and interprets those obligations in original wording for assessment purposes; it does not reproduce official statutory or regulatory text verbatim, nor any copyrighted commentary. Always consult the current consolidated text of the law and the latest ANPD resolutions, as the regulatory landscape continues to evolve. This guide is educational and does not constitute legal advice.
What is the LGPD?
The LGPD is an omnibus data protection law that regulates any operation involving personal data (tratamento) carried out by natural persons or by public and private legal entities. 'Processing' is defined expansively to include collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, elimination, evaluation, control, modification, communication, transfer, dissemination and extraction. The law is deliberately technology-neutral and applies whether data is processed by automated or non-automated means.
The statute pursues a dual objective: protecting the fundamental rights of freedom, privacy and the free development of the personality of the natural person, while enabling economic and technological development and the free flow of data within a framework of trust. It rests on ten foundational principles (Article 6) and grants data subjects (titulares) a suite of enforceable rights (Article 18). Every act of processing must be anchored to at least one of ten legal bases for personal data (Article 7), or one of the specific legal bases for sensitive personal data (Article 11).
Two categories of processing agents bear obligations: the controller (controlador), who takes decisions regarding the processing, and the operator (operador), who processes data on behalf of the controller. The Encarregado (Data Protection Officer / DPO) is the individual appointed to act as the communication channel between the controller, data subjects, and the ANPD. Enforcement sits with the ANPD, a federal autarchy with regulatory, supervisory and sanctioning powers, empowered to impose fines of up to 2% of a company's revenue in Brazil, capped at BRL 50 million per infraction.
Key terminology (glossary)
| Portuguese term | English meaning | Assessment relevance |
|---|---|---|
| Dado pessoal | Personal data | Any information relating to an identified or identifiable natural person |
| Dado pessoal sensivel | Sensitive personal data | Racial/ethnic origin, religion, political opinion, health, sex life, genetic/biometric data, trade union membership |
| Titular | Data subject | The natural person to whom the data relates; holder of the Article 18 rights |
| Controlador | Controller | Party who decides on processing; primary accountability |
| Operador | Operator (processor) | Party who processes on behalf of and per instructions of the controller |
| Encarregado | DPO / person in charge | Contact point for titulares and the ANPD |
| Tratamento | Processing | Any operation performed on personal data |
| ANPD | National Data Protection Authority | Federal supervisory and sanctioning body |
| Consentimento | Consent | Free, informed and unambiguous manifestation of will |
| Anonimizacao | Anonymisation | Irreversible removal of identifiability; anonymised data falls outside the law |
Who must comply?
The LGPD has broad, extraterritorial scope. Under Article 3, the law applies to any processing operation regardless of the medium, the country where the controller/operator is headquartered, or the country where the data is located, provided any one of three connecting factors is met: (i) the processing is carried out in Brazilian territory; (ii) the processing activity aims to offer or supply goods or services to, or process data of, individuals located in Brazil; or (iii) the personal data was collected in Brazilian territory (a data subject located in Brazil at the time of collection).
| Category | Compliance obligation | Notes |
|---|---|---|
| Private companies in Brazil | Full compliance | All sectors; obligations scale with risk and volume, not company size alone |
| Foreign companies targeting Brazil | Full compliance | Offering goods/services to, or monitoring, individuals in Brazil (extraterritorial reach) |
| Public sector bodies | Full compliance with specific rules | Chapter IV imposes tailored obligations on public authorities |
| Operators (processors) | Compliance with controller instructions and security duties | Jointly liable in certain circumstances (Article 42) |
| Small businesses / startups | Simplified regime | ANPD Resolution CD/ANPD No. 2/2022 provides a lighter regime for agentes de tratamento de pequeno porte |
| Individuals for exclusively private/non-economic use | Exempt | Article 4: purely personal, non-economic processing is out of scope |
| Journalistic, artistic, academic processing | Partial exemption | Subject to constitutional freedoms; Articles 7 and 11 still apply to academic processing |
Article 4 sets out express exclusions: processing done by a natural person for exclusively private and non-economic purposes; processing done exclusively for journalistic, artistic or academic purposes; and processing for purposes of public safety, national defence, State security, or investigation and prosecution of criminal offences (the latter reserved for separate specific legislation). Data whose provenance is entirely outside Brazil and which merely transits Brazil without being processed here (unless subject to international cooperation rules) is also excluded.
Structure of the LGPD
The LGPD is organised into ten chapters and 65 articles. Unlike a controls-based standard such as ISO 27001, the LGPD is a principles-and-rights statute; its 'control families' are best understood as the thematic obligation domains that flow from its chapters. The table below maps those domains for assessment purposes.
| Obligation domain | Primary articles | Focus of the domain |
|---|---|---|
| Scope and definitions | Arts. 1-5 | Material and territorial scope; key defined terms |
| Principles | Art. 6 | Ten binding principles governing all processing |
| Legal bases (personal data) | Art. 7 | Ten lawful grounds for processing |
| Legal bases (sensitive data) | Art. 11 | Restricted grounds for sensitive categories |
| Children and adolescents | Art. 14 | Best-interest standard; parental consent for children |
| Data subject rights | Arts. 17-22 | Access, correction, deletion, portability, objection, review of automated decisions |
| Consent | Arts. 8-9 | Requirements for valid, informed, revocable consent |
| Termination of processing | Arts. 15-16 | When processing ends; retention and elimination |
| Controller/operator duties | Arts. 37-40 | Records of processing; instructions; DPIA (RIPD) |
| Data Protection Officer (Encarregado) | Art. 41 | Appointment, duties, publication of identity |
| Security and best practices | Arts. 46-51 | Technical/administrative safeguards; governance programme |
| Security incidents | Art. 48 | Breach notification to ANPD and data subjects |
| International data transfers | Arts. 33-36 | Mechanisms for lawful cross-border transfer |
| Liability and redress | Arts. 42-45 | Joint/several liability; compensation for damage |
| ANPD and supervision | Arts. 55-A to 59 | Authority structure and cooperation council |
| Administrative sanctions | Arts. 52-54 | Graduated penalties; aggravating/mitigating factors |
Master assessment checklist
This is the core of the guide. Each obligation domain below is presented with the specific items an assessor must verify and the evidence that typically demonstrates conformity. Work through every table; do not skip any domain, as ANPD enforcement and civil litigation both examine the totality of the accountability programme, not isolated controls.
1. The ten principles (Article 6)
Every processing activity must simultaneously satisfy all ten principles. These are not optional and are frequently the anchor of ANPD findings.
| What to verify | Typical evidence |
|---|---|
| Finalidade (purpose): processing serves legitimate, specific, explicit and informed purposes | Purpose statements in privacy notices; RoPA purpose column; DPIA purpose analysis |
| Adequacao (adequacy): processing is compatible with stated purposes | Data-mapping showing each field maps to a declared purpose |
| Necessidade (necessity/minimisation): limited to the minimum data needed | Data minimisation review; field-level justification; form audits |
| Livre acesso (free access): subjects can consult processing easily and free of charge | Self-service access portal; DSAR procedure and logs |
| Qualidade dos dados (data quality): accuracy, clarity, relevance and currency | Data-correction workflow; periodic accuracy reviews; error rates |
| Transparencia (transparency): clear, accurate, accessible information | Layered privacy notices; readability testing; publication of Encarregado identity |
| Seguranca (security): technical and administrative protective measures | ISMS artefacts; encryption standards; access-control matrix |
| Prevencao (prevention): measures to prevent damage | DPIAs; privacy-by-design records; change-management gates |
| Nao discriminacao (non-discrimination): no unlawful or abusive discriminatory processing | Algorithmic fairness review; automated-decision impact analysis |
| Responsabilizacao e prestacao de contas (accountability): demonstrable adoption of effective measures | Governance programme documentation; audit trail; management sign-off |
2. Legal bases for personal data (Article 7)
| What to verify | Typical evidence |
|---|---|
| Each processing activity is mapped to exactly one valid legal basis | RoPA legal-basis column; basis-selection rationale document |
| Consent (I) is free, informed, unambiguous and separable where relied upon | Consent capture records with timestamp, text version, and withdrawal logs |
| Legal/regulatory obligation (II) is cited with the specific instrument | Register linking processing to the mandating statute/regulation |
| Public administration bases (III) used only by public bodies for public policy | Public-purpose justification; legal mandate references |
| Research by study bodies (IV) applies anonymisation wherever possible | Ethics approval; anonymisation methodology |
| Contract execution / pre-contractual steps (V) genuinely necessary | Contract terms; necessity test documentation |
| Judicial/administrative/arbitration proceedings (VI) properly scoped | Case references; legal-hold records |
| Protection of life or physical safety (VII) is time-bound | Incident documentation; medical/emergency justification |
| Health protection (VIII) by health professionals or sanitary authorities | Clinical governance records; professional register |
| Legitimate interest (IX) supported by a balancing test and safeguards | Legitimate Interest Assessment (LIA); safeguards register; opt-out mechanism |
| Credit protection (X) complies with applicable credit legislation | Credit-bureau agreements; sectoral compliance evidence |
3. Legal bases for sensitive personal data (Article 11)
| What to verify | Typical evidence |
|---|---|
| Sensitive data categories are identified and inventoried | Sensitive-data inventory; classification tags in the RoPA |
| Specific and highlighted consent obtained where consent is relied upon | Granular consent records referencing the specific sensitive purpose |
| Non-consent bases (legal obligation, public policy, research, rights exercise, life protection, health, fraud prevention) correctly applied | Basis-mapping table for each sensitive processing activity |
| Health/biometric/genetic processing subject to heightened safeguards | Encryption at rest; access restriction; DPIA for high-risk processing |
| No sharing of health data for economic advantage except in permitted cases | Data-sharing register; contractual prohibitions |
| Sensitive data processing avoids discrimination (Art. 11 and Art. 6 IX) | Bias/impact assessment for profiling on sensitive attributes |
4. Processing of children's and adolescents' data (Article 14)
| What to verify | Typical evidence |
|---|---|
| Processing serves the best interests of the child/adolescent | Best-interest assessment; age-appropriate design records |
| Specific and prominent parental/guardian consent for children (under 12) | Verifiable parental consent mechanism and logs |
| Only necessary data collected; no conditioning participation on excess data | Data-collection review for child-facing services |
| Information provided in simple, clear, accessible language suited to age | Child-friendly notice; readability evidence |
| No public disclosure or transfer to third parties without consent | Third-party sharing controls; consent gating |
| Reasonable efforts made to verify consent is given by a legal guardian | Verification method documentation |
5. Consent management (Articles 8-9)
| What to verify | Typical evidence |
|---|---|
| Consent is provided in writing or by another means demonstrating the will of the subject | Consent capture UI screenshots; stored consent strings |
| Consent requests are distinct from other clauses (not bundled) | Consent form design; standalone checkboxes |
| Purposes are specified; generic authorisations are void | Purpose-specific consent copy |
| Burden of proving valid consent rests with and is met by the controller | Consent audit trail; version history of consent text |
| Withdrawal of consent is as easy as giving it, and free of charge | Self-service withdrawal flow; withdrawal logs |
| Re-consent obtained when purpose or information materially changes | Change-triggered re-consent records |
| Data subjects informed of consequences of refusal | Notice language on refusal consequences |
6. Data subject rights (Articles 17-22)
| What to verify | Typical evidence |
|---|---|
| Confirmation of the existence of processing is provided on request | DSAR workflow; confirmation response templates |
| Access to data provided in simplified or complete (declaration) format | Access-report generation; format options |
| Correction of incomplete, inaccurate or outdated data is actioned | Correction request logs; data-update audit trail |
| Anonymisation, blocking or elimination of unnecessary/excessive/non-compliant data | Deletion/anonymisation procedure and completion records |
| Data portability to another provider on request | Portability export in interoperable format; portability logs |
| Deletion of data processed with consent (subject to legal retention) | Erasure workflow; retention-exception register |
| Information on public/private entities with which data was shared | Data-sharing disclosure register |
| Information about the possibility of denying consent and its consequences | Notice content; consent-refusal explanation |
| Revocation of consent honoured | Withdrawal processing evidence |
| Requests answered within statutory timeframes (immediate simplified / 15 days full) | SLA metrics; response timestamp logs |
| Rights exercised free of charge | Fee policy confirming no charge |
| Review of decisions taken solely on automated processing (Art. 20) | Human-review procedure; profiling logic disclosure |
| Identity verification for requestors without excessive friction | Identity-verification procedure balancing security and access |
7. Transparency and information duties
| What to verify | Typical evidence |
|---|---|
| Privacy notice discloses purpose, form, duration, controller identity and contact | Published privacy policy; version control |
| Information on shared processing and responsibilities of controllers/operators | Notice sections on data sharing; joint-controller descriptions |
| Data subject rights and how to exercise them are clearly stated | Rights section of notice; contact for Encarregado |
| Notices are accessible, in Portuguese, and appropriate to audience | Localisation evidence; accessibility testing |
| Just-in-time notices at point of collection | Contextual notice screenshots on forms/apps |
8. Controller and operator obligations (Articles 37-40)
| What to verify | Typical evidence |
|---|---|
| Records of processing operations (RoPA) maintained, especially where legitimate interest relied upon | Complete, current Register of Processing Operations |
| Operator processes strictly per controller instructions | Data Processing Agreements (DPA) with instruction clauses |
| Operator maintains its own records of processing performed for the controller | Operator RoPA; sub-processor register |
| Controller/operator liability and roles are contractually defined | Executed DPAs; liability allocation clauses |
| ANPD interoperability/reporting standards adopted where issued | Adoption of ANPD-defined report formats |
| Sub-processor authorisation and flow-down of obligations | Sub-processor approval register; back-to-back contracts |
9. Data Protection Officer / Encarregado (Article 41)
| What to verify | Typical evidence |
|---|---|
| An Encarregado is formally appointed (individual or entity per ANPD rules) | Appointment letter; internal designation record |
| Encarregado identity and contact details are publicly disclosed | Website/privacy-notice publication of contact |
| Encarregado accepts complaints and communications from data subjects | Complaint intake channel and case log |
| Encarregado receives communications from and cooperates with the ANPD | Regulator-liaison records |
| Encarregado guides staff and provides guidance on data-protection practices | Training records; internal advisory memos |
| Small-business exemption from mandatory Encarregado applied correctly (if claimed) | Eligibility assessment under ANPD Resolution 2/2022 |
10. Security, technical and administrative measures (Articles 46-47)
| What to verify | Typical evidence |
|---|---|
| Security measures protect data against unauthorised access, destruction, loss, alteration, communication or dissemination | ISMS policy suite; control catalogue |
| Measures applied from the design phase through to processing end (privacy by design) | Security architecture docs; SDLC gates |
| Access control enforces least privilege and role segregation | IAM policy; access-review reports; RBAC matrix |
| Encryption applied to data at rest and in transit as appropriate | Encryption standard; key-management records; TLS config |
| Pseudonymisation/anonymisation used where feasible | De-identification methodology and evidence |
| Logging and monitoring detect anomalous access | SIEM/log-retention configuration; alerting evidence |
| Measures maintained even after processing ends (retained/archived data) | Archival security controls; retention policy |
| Vendor/operator security measures assessed and contractually required | Third-party risk assessments; security schedules in DPAs |
11. Good-practice and governance programme (Articles 50-51)
| What to verify | Typical evidence |
|---|---|
| A privacy governance programme demonstrates the controller's commitment | Documented privacy programme charter; management endorsement |
| Programme is adapted to the structure, scale and volume of operations and risk | Risk-based programme scoping document |
| Programme establishes policies, safeguards and internal mechanisms | Policy library; internal controls register |
| Programme includes an incident response and remediation plan | Incident response plan; tabletop exercise records |
| Programme is continually reviewed and monitored | Programme review minutes; metrics dashboard |
| Rules of good practice and governance are published where adopted | Published code of conduct / good-practice rules |
| Certifications, seals and codes of conduct considered as evidence of compliance | Certification records; adherence declarations |
12. Data Protection Impact Assessment (RIPD, Article 38)
| What to verify | Typical evidence |
|---|---|
| RIPD (relatorio de impacto a protecao de dados pessoais) prepared for high-risk processing | Completed RIPD reports |
| RIPD describes data types, methodology, and risk-mitigation measures | RIPD content covering data flows and safeguards |
| RIPD produced when requested by the ANPD, particularly for legitimate interest or sensitive data | Trigger register; ANPD-request handling |
| Mitigation measures identified are implemented and tracked to closure | Remediation tracker linked to RIPD findings |
| RIPD reviewed on material change to processing | Version history of RIPDs |
13. Security incident management and breach notification (Article 48)
| What to verify | Typical evidence |
|---|---|
| A defined process detects, triages and classifies security incidents | Incident response plan; classification criteria |
| Incidents that may cause risk or relevant damage are notified to the ANPD | Breach notification records; ANPD submission receipts |
| Affected data subjects are notified where relevant risk arises | Data-subject notification templates and dispatch logs |
| Notification made within a reasonable timeframe (per ANPD Resolution 15/2024, generally 3 business days) | Timeline evidence from detection to notification |
| Notification contains required content (nature of data, subjects affected, measures, risks) | Notification content checklist |
| Post-incident measures to reverse or mitigate effects are documented | Remediation and lessons-learned reports |
| Incident register maintained for all events, including near-misses | Incident log / register |
14. International data transfers (Articles 33-36)
| What to verify | Typical evidence |
|---|---|
| Every cross-border transfer relies on a valid Article 33 mechanism | Transfer register mapping each flow to its mechanism |
| Adequacy: transfer to a country/entity with an adequate protection level | ANPD adequacy determination reference (where applicable) |
| Standard contractual clauses (clausulas-padrao) adopted per ANPD model | Executed SCCs aligned to ANPD Resolution 19/2024 templates |
| Specific contractual clauses, binding corporate rules (normas corporativas globais) or seals used | Approved BCRs; specific-clause approvals |
| Transfer for international legal cooperation or life protection properly justified | Legal-basis documentation for exceptional transfers |
| Consent-based transfers obtain specific, prior and highlighted consent | Transfer-specific consent records |
| Onward transfers and sub-processor locations are mapped | Data-flow map including geographic locations |
15. Termination of processing and retention (Articles 15-16)
| What to verify | Typical evidence |
|---|---|
| Processing terminates when purpose achieved, data no longer needed, or consent withdrawn | Retention schedule; deletion triggers |
| Retention beyond termination only for permitted reasons (legal obligation, research, transfer, own use) | Retention-exception register with legal basis |
| Data eliminated after processing ends, respecting permitted retention | Secure deletion records; certificates of destruction |
| Anonymised data retained for the controller's own purposes is protected against re-identification | Anonymisation validation evidence |
| Retention periods documented per data category | Retention matrix in the RoPA |
16. Liability, redress and accountability (Articles 42-45)
| What to verify | Typical evidence |
|---|---|
| Mechanisms exist to compensate data subjects for patrimonial or moral damage | Complaint/redress procedure; claims register |
| Roles of controller and operator for joint/several liability are clear | DPA liability clauses; RACI for processing |
| Evidence demonstrating adopted measures is retained to support the accountability defence | Accountability evidence dossier |
| Consumer-relationship processing complies with the Consumer Defence Code where applicable | Cross-mapping to CDC obligations |
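To make the checklist above mechanically testable, the following added example (not code from this guide or from the ANPD) runs the conformity checks from sections 2, 3, 13, 14 and 15 over a constructed Register of Processing Operations and a constructed incident log. The RoPA field names, the short keys used for legal bases and transfer mechanisms, and the sample records are all this example's own assumptions, and the business-day count ignores public holidays.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Short keys for the Art. 7 and Art. 11 legal bases and Art. 33 transfer
# mechanisms; the key names are this example's own labels, not ANPD's.
ART7_BASES = {"consent", "legal_obligation", "public_administration", "research",
              "contract", "judicial_proceedings", "life_protection", "health",
              "legitimate_interest", "credit_protection"}
ART11_BASES = {"consent", "legal_obligation", "public_administration", "research",
               "rights_exercise", "life_protection", "health", "fraud_prevention"}
ART33_MECHANISMS = {"adequacy", "standard_clauses", "specific_clauses", "bcr",
                    "seal", "legal_cooperation", "life_protection", "consent"}
SENSITIVE_CATEGORIES = {"racial_ethnic", "religion", "political_opinion", "health",
                        "sex_life", "genetic", "biometric", "trade_union"}


@dataclass
class Activity:  # one RoPA row; field names are hypothetical, not an ANPD format
    name: str
    purpose: str
    data_categories: list
    legal_bases: list                        # Art. 7 basis keys
    sensitive_basis: Optional[str] = None    # Art. 11 basis key, if needed
    lia_reference: Optional[str] = None      # Legitimate Interest Assessment id
    consent_record_id: Optional[str] = None  # consent capture/withdrawal log id
    retention_days: Optional[int] = None
    transfer_countries: list = field(default_factory=list)
    transfer_mechanism: Optional[str] = None


def assess_activity(a: Activity) -> list:
    """Return finding strings for one activity; an empty list means no gap."""
    findings = []
    if not a.purpose.strip():
        findings.append("Art. 6 I: no specific purpose recorded")
    if len(a.legal_bases) != 1 or a.legal_bases[0] not in ART7_BASES:
        findings.append("Art. 7: must map to exactly one valid legal basis")
    if "legitimate_interest" in a.legal_bases and not a.lia_reference:
        findings.append("Art. 7 IX: legitimate interest without a balancing test")
    if "consent" in a.legal_bases and not a.consent_record_id:
        findings.append("Art. 7 I / Art. 8: consent relied on but not evidenced")
    if set(a.data_categories) & SENSITIVE_CATEGORIES:
        if a.sensitive_basis not in ART11_BASES:
            findings.append("Art. 11: sensitive data without a valid Art. 11 basis")
        elif a.sensitive_basis == "consent" and not a.consent_record_id:
            findings.append("Art. 11 I: specific highlighted consent not evidenced")
    if a.retention_days is None:
        findings.append("Arts. 15-16: no retention period documented")
    if a.transfer_countries and a.transfer_mechanism not in ART33_MECHANISMS:
        findings.append("Art. 33: cross-border transfer without a valid mechanism")
    return findings


def run_assessment(ropa: list) -> dict:
    """Map activity name to findings, keeping only activities with gaps."""
    return {a.name: f for a in ropa if (f := assess_activity(a))}


def business_days_between(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`;
    public holidays are ignored (an assumption of this example)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def assess_incident(detected: date, notified: Optional[date], limit: int = 3):
    """Check the ANPD notification window (3 business days per the guide)."""
    if notified is None:
        return "Art. 48: incident with relevant risk not notified to the ANPD"
    elapsed = business_days_between(detected, notified)
    if elapsed > limit:
        return f"Art. 48: ANPD notified after {elapsed} business days (limit {limit})"
    return None


def run_incident_checks(incidents: list) -> dict:
    """Map incident name to a finding for each late or missing notification."""
    return {n: r for n, det, ntf in incidents if (r := assess_incident(det, ntf))}


# Constructed sample records (not real data).
SAMPLE_ROPA = [
    Activity("crm_marketing", "Send offers to customers", ["name", "email"],
             ["legitimate_interest"], retention_days=730),
    Activity("telehealth", "Remote medical consultations", ["name", "health"],
             ["health"], sensitive_basis="health", retention_days=7300,
             transfer_countries=["US"], transfer_mechanism="standard_clauses"),
    Activity("hr_biometrics", "Biometric building access", ["name", "biometric"],
             ["consent", "contract"]),
]
SAMPLE_INCIDENTS = [  # (name, date detected, date ANPD notified)
    ("phishing_mailbox", date(2024, 3, 1), date(2024, 3, 6)),  # Fri -> Wed: 3 days
    ("lost_laptop", date(2024, 3, 1), date(2024, 3, 7)),       # Fri -> Thu: 4 days
    ("misdirected_email", date(2024, 3, 4), None),
]
```

Running `run_assessment(SAMPLE_ROPA)` flags `crm_marketing` (legitimate interest with no LIA) and `hr_biometrics` (two bases, unevidenced consent, no Art. 11 basis, no retention period), while `run_incident_checks(SAMPLE_INCIDENTS)` flags only the late and the missing notification.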
Scoping the assessment
Accurate scoping prevents both under-assessment (which leaves regulatory exposure) and over-assessment (which wastes effort on out-of-scope activities). LGPD scoping is data-flow-driven rather than system-driven: begin from the personal data itself and follow it across people, processes, systems and third parties.
- Determine territorial applicability: identify processing carried out in Brazil, processing offering goods/services to individuals in Brazil, and data collected while subjects were in Brazil.
- Inventory all personal and sensitive data categories, sources and data subjects (customers, employees, prospects, minors, patients).
- Map data flows end to end, including collection points, storage locations, internal transfers, operators, sub-operators and cross-border transfers.
- Classify processing activities by risk to identify those requiring a RIPD (large-scale, sensitive, systematic monitoring, or novel technologies).
- Identify all processing agents and their roles (controller, joint controllers, operator) and confirm contractual coverage.
- Determine applicability of the simplified small-business regime (ANPD Resolution 2/2022) and any sectoral overlays (financial, health, telecom).
- Exclude clearly out-of-scope activities under Article 4 (purely private, journalistic/artistic, public-safety/national-defence reserved processing).
- Define the assessment boundary, in-scope systems, and the reporting period.
Implementation approach (phased)
A defensible LGPD programme is built in phases. Each phase produces deliverables that become the evidence base for both internal accountability and any ANPD interaction.
Phase 1: Discovery and data mapping
- Activities: run data-discovery workshops, deploy discovery tooling, interview process owners, and inventory data categories, systems and flows.
- Deliverables: personal-data inventory, data-flow maps, initial Register of Processing Operations (RoPA), and a preliminary applicability memo.
Phase 2: Gap assessment and legal-basis mapping
- Activities: assess each processing activity against principles, legal bases, rights and security duties; perform Legitimate Interest Assessments; identify gaps.
- Deliverables: gap-assessment report, legal-basis register, LIAs, and a prioritised remediation roadmap with risk ratings.
Phase 3: Governance and documentation
- Activities: appoint the Encarregado, draft/update the privacy governance programme, policies, privacy notices, consent flows and DPAs.
- Deliverables: appointment record, privacy programme charter, policy suite, layered privacy notices, consent-management design, and standard DPA templates.
Phase 4: Technical and security remediation
- Activities: implement access controls, encryption, logging, pseudonymisation, retention automation and privacy-by-design gates in the SDLC.
- Deliverables: security control implementation records, key-management procedures, retention schedules, and updated architecture documentation.
Phase 5: Rights, incidents and third-party operationalisation
- Activities: stand up DSAR handling, breach detection and notification workflows, RIPD process, and third-party/operator due-diligence programme.
- Deliverables: DSAR procedure and portal, incident response plan, breach-notification templates, RIPD methodology, and vendor risk register.
Phase 6: Embedding, monitoring and continuous improvement
- Activities: deliver training and awareness, run tabletop exercises, establish KPI monitoring, and schedule periodic reassessment and internal audit.
- Deliverables: training records, exercise reports, KPI dashboard, internal audit plan, and management review minutes.
Maturity and capability model
The LGPD does not prescribe a maturity model, but assessors commonly apply a five-level capability scale to communicate posture and prioritise investment. The scale below is calibrated to LGPD accountability expectations.
| Level | Name | Characteristics against LGPD |
|---|---|---|
| 1 | Initial / Ad hoc | No RoPA; legal bases undocumented; reactive to incidents; no Encarregado; high exposure |
| 2 | Developing | Partial data mapping; some notices and consent; Encarregado named but under-resourced; inconsistent rights handling |
| 3 | Defined | Complete RoPA; legal bases mapped; governance programme documented; DSAR and breach processes operational |
| 4 | Managed | Metrics-driven; RIPDs for high-risk processing; automated retention and consent; regular internal audits; vendor programme mature |
| 5 | Optimised | Privacy-by-design embedded; continuous monitoring; proactive ANPD engagement; certifications/seals; culture of accountability |
Assessment and audit approach
- Define objectives, scope and the reporting period; confirm applicability under Article 3 and any exclusions under Article 4.
- Request and review documentation: RoPA, privacy notices, policies, DPAs, consent records, RIPDs and incident logs.
- Conduct data-flow validation through interviews and system walkthroughs to confirm the RoPA reflects reality.
- Test legal bases: for each activity, verify a valid Article 7/11 basis and, for legitimate interest, a documented balancing test.
- Assess data subject rights operation by submitting or tracing test/real requests and measuring SLA adherence.
- Evaluate technical and administrative security measures against Articles 46-47, including access, encryption and logging.
- Review the incident and breach-notification process against Article 48 and ANPD Resolution 15/2024 timelines.
- Examine cross-border transfer mechanisms against Articles 33-36 and current ANPD SCC/BCR requirements.
- Assess the governance programme, Encarregado function and accountability evidence dossier.
- Rate findings by risk, assign a maturity level, and produce a remediation roadmap with owners and timelines.
- Validate remediation in a follow-up review and maintain the evidence base for ongoing accountability.
Evidence request list
The following categorised evidence set should be requested at the outset of any LGPD assessment.
- Governance and accountability: privacy programme charter; Encarregado appointment and published contact; policy library; management review minutes.
- Data mapping: Register of Processing Operations (RoPA); data-flow diagrams; personal and sensitive data inventory; retention schedules.
- Legal bases and consent: legal-basis register; Legitimate Interest Assessments; consent capture and withdrawal logs; consent text version history.
- Transparency: published privacy notices; just-in-time notices; cookie/tracking disclosures.
- Data subject rights: DSAR procedure; request log with SLA metrics; response templates; automated-decision review process.
- Security: ISMS policies; access-control matrix and access reviews; encryption and key-management standards; logging/monitoring configuration.
- Impact assessments: completed RIPDs; RIPD methodology; remediation trackers.
- Incidents: incident response plan; incident register; ANPD and data-subject notification records; post-incident reports.
- Third parties and transfers: DPAs and sub-processor register; vendor risk assessments; cross-border transfer register and SCCs/BCRs/adequacy references.
- Training and awareness: training curriculum and completion records; tabletop exercise reports.
Roles and responsibilities
| Role | Key responsibilities | LGPD anchor |
|---|---|---|
| Controlador (Controller) | Decides on processing; ultimate accountability; maintains RoPA; ensures legal bases and rights | Arts. 5, 37, 46, 50 |
| Operador (Operator) | Processes on controller instructions; maintains own records; implements security | Arts. 5, 39, 47 |
| Encarregado (DPO) | Liaison with data subjects and ANPD; guidance to staff; complaint handling | Art. 41 |
| Executive leadership / Board | Endorses governance programme; allocates resources; owns risk appetite | Arts. 50-51 (accountability) |
| IT / Security team | Implements technical safeguards; monitoring; incident detection | Arts. 46-48 |
| Legal / Compliance | Legal-basis analysis; contracts and DPAs; regulatory interpretation | Arts. 7, 11, 33-36 |
| Business process owners | Accurate data mapping; enforce minimisation; support DSARs | Art. 6 (principles) |
| Internal audit | Independent assurance over the programme and controls | Arts. 50-51 |
KPIs to track
- Percentage of processing activities with a documented and valid legal basis.
- Data subject request (DSAR) volume and percentage answered within statutory timeframes (immediate simplified / 15 days full).
- Mean time to detect, contain and notify security incidents; percentage of breaches notified within the ANPD timeline.
- Percentage of high-risk processing activities with a completed and current RIPD.
- Consent withdrawal processing rate and average time to honour withdrawals.
- Percentage of operators/sub-processors under an executed DPA and assessed for security.
- RoPA completeness and freshness (percentage of activities reviewed within the review cycle).
- Staff privacy-training completion rate and phishing/awareness scores.
- Number of open versus closed remediation items and average time to closure.
- Percentage of cross-border transfers covered by a valid Article 33 mechanism.
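Two of the KPIs above depend on deadline arithmetic that is easy to get wrong: the ANPD window under Resolution 15/2024 runs in business days, while the GDPR window runs in clock hours, so the two clocks diverge across weekends and holidays. The script below is an added example, not code from this guide or from any ANPD tooling; it computes both deadlines for an incident and derives the "notified within the ANPD timeline" KPI from a small constructed incident register. Its counting convention (day of awareness is day zero, deadline is the end of the third business day, weekends and a caller-supplied holiday set excluded) is an assumption, as are the sample holiday calendar, the register contents and the use of naive local timestamps; a production dashboard should load the controller's full holiday calendar and confirm the counting rule with counsel.

```python
"""Breach-notification deadline and KPI helper.

Added example, not taken from the guide or from any ANPD tooling. Assumptions
(also stated in the lead-in):
- ANPD Resolution 15/2024 gives 3 business days ("dias uteis") from the
  controller's awareness of the incident. We count Monday-Friday, exclude a
  caller-supplied holiday set, start counting the day after awareness and
  treat the deadline as the end of the third business day.
- GDPR Art. 33 gives 72 clock hours; it is computed only for contrast.
- Timestamps are naive local time at the controller's seat.
- SAMPLE_HOLIDAYS and INCIDENT_REGISTER are constructed sample data.
"""
from datetime import date, datetime, time, timedelta

ANPD_BUSINESS_DAYS = 3
GDPR_HOURS = 72

# Constructed minimal calendar; a real programme loads the full national,
# state and municipal holiday list.
SAMPLE_HOLIDAYS = frozenset({date(2024, 5, 1)})  # Dia do Trabalho

# Constructed incident register: detection time and ANPD notification time.
INCIDENT_REGISTER = [
    {"id": "INC-001", "detected_at": datetime(2024, 6, 14, 17, 0),  # Friday evening
     "notified_anpd_at": datetime(2024, 6, 19, 15, 0)},
    {"id": "INC-002", "detected_at": datetime(2024, 4, 30, 9, 0),   # day before a holiday
     "notified_anpd_at": datetime(2024, 5, 7, 10, 0)},
    {"id": "INC-003", "detected_at": datetime(2024, 6, 3, 8, 0),
     "notified_anpd_at": None},                                     # still unnotified
]


def is_business_day(d: date, holidays: frozenset) -> bool:
    return d.weekday() < 5 and d not in holidays


def anpd_deadline(aware_at: datetime, holidays: frozenset = SAMPLE_HOLIDAYS) -> datetime:
    """End of the third business day after the day of awareness."""
    day = aware_at.date()
    remaining = ANPD_BUSINESS_DAYS
    while remaining > 0:
        day += timedelta(days=1)
        if is_business_day(day, holidays):
            remaining -= 1
    return datetime.combine(day, time(23, 59, 59))


def gdpr_deadline(aware_at: datetime) -> datetime:
    """72 clock hours, weekends included: shown to contrast the two clocks."""
    return aware_at + timedelta(hours=GDPR_HOURS)


def notification_status(detected_at, notified_at, now, holidays=SAMPLE_HOLIDAYS) -> str:
    """on_time / late for notified incidents; overdue / open for unnotified ones."""
    deadline = anpd_deadline(detected_at, holidays)
    if notified_at is not None:
        return "on_time" if notified_at <= deadline else "late"
    return "overdue" if now > deadline else "open"


def notification_kpi(register, now, holidays=SAMPLE_HOLIDAYS) -> dict:
    """KPI: share of incidents whose window has closed that were notified in time.

    Incidents still inside their window ("open") are excluded from the denominator;
    unnotified incidents whose window has passed ("overdue") count against the KPI.
    """
    counts = {"on_time": 0, "late": 0, "overdue": 0, "open": 0}
    for inc in register:
        status = notification_status(inc["detected_at"], inc["notified_anpd_at"], now, holidays)
        counts[status] += 1
    closed = counts["on_time"] + counts["late"] + counts["overdue"]
    counts["pct_within_anpd_timeline"] = round(100 * counts["on_time"] / closed, 1) if closed else 0.0
    return counts


def demo(now: datetime = datetime(2024, 7, 1, 9, 0)) -> dict:
    """Deadlines as ISO strings plus the register KPI, for a quick look."""
    friday = datetime(2024, 6, 14, 17, 0)
    return {
        "friday_gdpr": gdpr_deadline(friday).isoformat(),
        "friday_anpd": anpd_deadline(friday).isoformat(),
        "pre_holiday_anpd": anpd_deadline(datetime(2024, 4, 30, 9, 0)).isoformat(),
        "kpi": notification_kpi(INCIDENT_REGISTER, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the two sample detections show: a Friday-evening detection has a GDPR deadline on Monday evening but an ANPD deadline at the end of Wednesday, while a detection on the day before a holiday pushes the ANPD deadline past the following weekend. An incident that is never notified is counted as overdue once its window passes, so the KPI cannot be improved by simply not logging a notification.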
Readiness checklist
- Territorial applicability under Article 3 confirmed and documented.
- Complete personal and sensitive data inventory and data-flow maps produced.
- Register of Processing Operations (RoPA) established and current.
- A valid legal basis mapped to every processing activity, with LIAs where legitimate interest is used.
- Layered, accurate privacy notices published in Portuguese.
- Consent capture, granularity and withdrawal mechanisms operational and logged.
- Data subject rights (access, correction, deletion, portability, objection, automated-decision review) handled within SLA.
- Encarregado appointed and contact details publicly disclosed.
- Privacy governance programme documented, endorsed and reviewed.
- Technical and administrative security measures implemented per Articles 46-47.
- RIPD process defined and applied to high-risk processing.
- Security incident and breach-notification process aligned to Article 48 and ANPD Resolution 15/2024.
- Cross-border transfer mechanisms in place per Articles 33-36 and current ANPD templates.
- DPAs executed with all operators and sub-processors; vendor risk assessed.
- Retention schedules and secure elimination procedures implemented.
- Staff trained; tabletop exercises conducted; KPIs monitored.
Common gaps
- Treating consent as the default legal basis when a more appropriate basis (legitimate interest, legal obligation, contract) applies; because consent can be withdrawn at any time, the processing then has no footing once it is revoked.
- Incomplete or out-of-date RoPA that does not reflect actual data flows, undermining every downstream control.
- Legitimate interest relied upon without a documented balancing test (LIA) or opt-out mechanism.
- No formal Encarregado, or an appointed Encarregado whose contact details are not publicly disclosed.
- Bundled consent that mixes marketing, profiling and service terms in a single non-granular acceptance.
- Weak or absent breach-notification readiness, missing the three-business-day deadline set by ANPD Resolution 15/2024.
- Cross-border transfers made with no valid Article 33 mechanism, often to cloud/SaaS providers.
- Sensitive data (health, biometric) processed without the specific Article 11 basis or heightened safeguards.
- Data subject rights handled ad hoc, with no SLA tracking or identity-verification procedure.
- Operators engaged without a DPA, leaving instructions and liability undefined.
- Retention 'forever' with no schedule, breaching necessity and elimination duties.
- No RIPD for high-risk or large-scale processing, weakening the accountability defence.
- Privacy notices copied from GDPR templates without adaptation to LGPD terminology and Portuguese-language requirements.
LGPD mapped to other frameworks
Organisations rarely comply with the LGPD in isolation. The mapping below helps assessors reuse controls and evidence across frameworks, while noting that mappings are indicative and each framework retains distinct obligations.
| LGPD concept | GDPR (EU) | ISO/IEC 27701 | Notes |
|---|---|---|---|
| Principles (Art. 6) | Art. 5 principles | Clause 5 / PIMS objectives | Highly aligned; LGPD adds explicit non-discrimination and prevention |
| Legal bases (Art. 7) | Art. 6 lawful bases | A.7.2 / B.8.2 lawful basis | Ten LGPD bases vs six GDPR; credit protection is LGPD-specific |
| Sensitive data (Art. 11) | Art. 9 special categories | PII processing controls | Categories broadly similar |
| Data subject rights (Arts. 17-22) | Arts. 15-22 rights | A.7.3 / B.8.3 obligations to PII principals | LGPD portability and automated-decision review align to GDPR |
| Encarregado (Art. 41) | DPO (Arts. 37-39) | Responsibility assignment | LGPD requires every controller to appoint one (ANPD Resolution 2/2022 waives the duty for small-scale processing agents), whereas GDPR mandates a DPO only for specific triggers |
| Security (Arts. 46-47) | Art. 32 security | ISO 27001 Annex A + 27701 | Directly reusable ISMS controls |
| RIPD (Art. 38) | DPIA (Art. 35) | A.7.2.5 PII impact assessment | LGPD RIPD often triggered by ANPD request |
| Breach notice (Art. 48) | Arts. 33-34 (72 hours) | Incident management | Three business days under ANPD Resolution 15/2024 vs 72 clock hours under GDPR; the two clocks diverge across weekends and holidays |
| Transfers (Arts. 33-36) | Chapter V (Arts. 44-50) | Transfer controls | SCCs, adequacy, BCRs analogous |
| Accountability (Arts. 50-51) | Art. 5(2) / Art. 24 | PIMS management system | Governance programme mirrors accountability principle |
How CyberSigma accelerates LGPD conformity
CyberSigma provides end-to-end LGPD advisory and assurance: applicability and scoping analysis under Article 3, automated personal-data discovery and RoPA build-out, legal-basis and Legitimate Interest Assessment support, and privacy-notice and consent-flow design in Portuguese. Our CERT-In empanelled and QSA-qualified assessors run gap assessments, RIPDs (relatorios de impacto), and DPA/vendor due-diligence programmes, and stand up DSAR and breach-notification workflows aligned to ANPD Resolution 15/2024. We embed privacy-by-design in your SDLC, deliver Encarregado-as-a-service, and provide continuous monitoring with a KPI dashboard so your accountability evidence is always audit-ready. Because our methodology cross-maps LGPD to GDPR, ISO 27701 and PCI DSS, you reuse a single control set to satisfy multiple regimes and reduce total compliance cost. Talk to CyberSigma to move from ad hoc to optimised on the LGPD maturity scale.