LGPD in practice: how to bring your company into compliance with Brazil's data protection law
Resposta direta
Bringing a company into LGPD compliance requires six fronts: mapping all data processing (RoPA), defining a legal basis for each operation, appointing a Data Protection Officer (DPO), publishing a privacy policy, implementing technical and organizational security, and setting up incident response with notification to the ANPD within 3 business days. Decripte implements this full cycle, uniting legal compliance with technical security controls (ISO 27001) and a 1-hour containment SLA for critical incidents.
Principais conclusões
- ›The LGPD (Law 13.709/2018) applies to any company that processes the data of people in Brazil, with no revenue or headcount threshold — including sole proprietors and startups.
- ›All processing requires one of the legal bases in Article 7 (ordinary data) or Article 11 (sensitive data); processing without a legal basis was the reason for the first fine applied by the ANPD.
- ›The simple fine reaches 2% of revenue in Brazil, capped at BRL 50 million per infraction, calculated under Resolution CD/ANPD No. 4/2023, with aggravating factors of 5% to 90%.
- ›Security incidents with relevant risk or harm must be reported to the ANPD and to data subjects within 3 business days (Resolution CD/ANPD No. 15/2024); the deadline is doubled for small processing agents.
- ›Legal compliance without effective information security (ISO 27001, encryption, MFA, pentest) is fragile: security measures act as a mitigating factor in fine calculation, and their absence aggravates the sanction.
- ›The DPO is mandatory as a general rule and can be outsourced; it is the hub that keeps the privacy program alive after the initial compliance effort.
What the LGPD requires: principles, legal bases and data subjects' rights
The LGPD (Law No. 13.709/2018, Brazil's General Data Protection Law, in force since September 2020) regulates any personal data processing operation carried out by an individual or company, online or offline, whenever the operation takes place in Brazil, is intended to offer goods or services to people in the country, or processes the data of people located in the national territory. There is no revenue threshold or minimum headcount: the law reaches everyone from the multinational to the sole proprietor who collects a customer's email address.
All processing must comply with the ten principles of Article 6: purpose, adequacy, necessity (minimization), free access, data quality, transparency, security, prevention, non-discrimination, and accountability. In practice, these principles mean collecting only the data strictly necessary for a declared and legitimate purpose, and being able to demonstrate compliance through documentation.
No personal data may be processed without one of the ten legal bases in Article 7 (ordinary data): consent, compliance with a legal or regulatory obligation, execution of public policies, research by a study body, performance of a contract, exercise of rights in legal proceedings, protection of life, protection of health, legitimate interest, and credit protection. Sensitive personal data (racial origin, health, biometrics, genetic data, sexual orientation, union or religious affiliation) is subject to a stricter regime under Article 11, without the legitimate-interest basis and with specific hypotheses.
Data subjects have rights that can be exercised at any time (Article 18): confirmation that processing exists, access to the data, correction, anonymization or deletion of unnecessary data, portability, deletion of data processed with consent, information about data sharing, and review of automated decisions. The company must respond to these requests within a reasonable time and keep a working channel to serve data subjects.
The role of the DPO in LGPD compliance
The Person in Charge of Personal Data Processing (Article 5, VIII, and Article 41) — equivalent to the Data Protection Officer (DPO) — is the person designated by the controller to act as the communication channel between the company, data subjects, and the ANPD (Brazil's National Data Protection Authority). The LGPD requires that their identity and contact information be publicly disclosed, clearly and objectively, preferably on the organization's website.
The DPO's legal duties are: to receive complaints and communications from data subjects and provide clarification; to receive communications from the ANPD and take action; to guide employees and contractors on data protection practices; and to carry out any other duties defined by the controller or in supplementary rules. The DPO acts as the governance hub that keeps the privacy program alive after the initial compliance effort.
The LGPD does not require the DPO to be an internal employee, a lawyer, or exclusive to the role: the position can be held by a legal entity, and the service can be outsourced (DPO as a Service), a model well suited to fintechs, startups, and e-commerce businesses that cannot support a dedicated privacy team. Small processing agents, under ANPD Resolution CD/ANPD No. 2/2022, are exempt from the mandatory appointment, but if they choose not to appoint a DPO, they must provide a communication channel for data subjects.
How to achieve LGPD compliance in practice
Compliance starts with data mapping and building the Record of Processing Activities (RoPA, provided for in Article 37). The RoPA inventories, for each business process, which personal data is collected, from whom, for what purpose, how long it is retained, with whom it is shared (including processors and sub-processors), and where it is stored. Without this inventory, there is no way to define legal bases or assess risk.
With the mapping complete, a legal basis is assigned to each operation and any processing without support is eliminated. High-risk activities — use of legitimate interest, processing of sensitive data or at large scale, systematic monitoring, or new technologies — require a Data Protection Impact Assessment (DPIA, Article 5, XVII, and Article 38), a document that describes the processing, the risks to data subjects, and the mitigation measures.
In parallel, the documentary and contractual layer is formalized: an external privacy policy in clear language, an internal data protection policy, consent management where applicable, data protection clauses in contracts with processors, and a review of international transfers. Every vendor that processes data on the company's behalf needs a contractual instrument that allocates responsibilities.
Compliance is only real when technical and organizational security controls (Article 46) accompany the legal work, and when there is an incident response plan ready to trigger notification to the ANPD. Documentary compliance without effective information security is vulnerable to breaches — and it is precisely the breach that triggers the law's sanctions.
ANPD fines and enforcement: sanctions, calculation and real cases
The ANPD may apply the sanctions in Article 52 of the LGPD: a warning; a simple fine of up to 2% of the legal entity's revenue in Brazil in the last fiscal year, excluding taxes, capped at BRL 50 million per infraction; a daily fine with the same ceiling; publicizing the infraction; blocking the personal data; deleting the data; partial or total suspension of the operation of the database or of the processing activity; and partial or total prohibition of processing activities.
Fines are calculated under Resolution CD/ANPD No. 4/2023 (the Fine-Calculation Regulation). Infractions are classified as minor, medium, or serious, and the base amount depends on the classification of the infraction, the offender's revenue, and the degree of harm caused, defined in a detailed methodology in Appendix I of the resolution. The amount may be increased by 5% to 90% in cases of recidivism, failure to comply with preventive or corrective measures, and other aggravating factors, and reduced by mitigating factors such as adopting a good-practices policy and cooperating with the authority.
Enforcement is no longer theoretical. The ANPD's first fine was applied to the micro-enterprise Telekall Infoservice (Administrative Proceeding No. 00261.000489/2022-62) for processing data without a legal basis and for the absence of a DPO — evidence that company size does not preclude a sanction. The authority has already notified and audited large operators and conducts thematic inspections in high-risk sectors such as finance, telecommunications, and healthcare.
Information security as a pillar of the LGPD: ISO 27001 and technical controls
Article 46 of the LGPD requires processing agents to adopt technical and administrative security measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or dissemination. The law does not list specific controls, but the ANPD recommends recognized standards, and ISO/IEC 27001 — an information security management system (ISMS) — is the reference framework for demonstrating this compliance.
In practice, the controls that underpin compliance include encryption of data in transit (TLS) and at rest, identity and access management with least privilege and multi-factor authentication (MFA), network segmentation, logging and log monitoring (audit trails), vulnerability and patch management, pseudonymization and anonymization where feasible, tested backups, and a secure retention and disposal policy. ISO/IEC 27701 extends 27001 with a privacy information management system (PIMS) aligned with the LGPD.
Technical controls are not optional in light of the fine-calculation rules: adopting effective security measures acts as a mitigating factor when setting the fine, while their absence aggravates the sanction and widens the breach surface. Periodic penetration testing is the mechanism that validates, with offensive evidence, whether these controls hold up against a real attacker — and not just on paper. Decripte implements the full cycle: risk assessment, hardening, ISO 27001, and penetration testing to close the gap between declared compliance and effective security.
Reporting a security incident to the ANPD: the 3-business-day deadline
Resolution CD/ANPD No. 15/2024 approved the Security Incident Communication Regulation (RCIS), which operationalizes Article 48 of the LGPD. The controller must notify the ANPD and the affected data subjects of any security incident that may result in relevant risk or harm to data subjects, within 3 (three) business days of confirming that the incident affected personal data.
An incident is considered to involve relevant risk or harm when it may significantly affect data subjects' fundamental rights and, cumulatively, involves at least one of these criteria: sensitive personal data, data of children or adolescents, financial data, authentication data for systems, data protected by legal or contractual secrecy, or data processed at large scale. Harms such as discrimination, financial fraud, identity theft, or damage to image and reputation characterize relevance.
The notification to the ANPD is made through an official electronic form and may be supplemented, with justification, within 20 (twenty) business days of the initial notification. For small processing agents, under Resolution CD/ANPD No. 2/2022, the deadlines are doubled. The notification to data subjects must describe the nature of the incident, the data affected, the risks involved, and the measures taken or recommended to mitigate the effects.
The 3-business-day deadline presupposes an incident response capability already in place before the event: detection, triage, containment, and the forensic investigation that determines scope and affected data. It is within this window that Decripte operates with a 1-hour containment SLA for critical incidents, conducting the technical response and guiding the regulatory notification within the legal deadline.
Passo a passo
- Map all personal data processing and build the RoPA (Record of Processing Activities), identifying which data is collected, its purpose, retention, data sharing, and storage location.
- Assign a legal basis (Article 7 or Article 11) to each processing operation and eliminate any processing without legal support; prepare a DPIA for high-risk activities.
- Appoint a DPO, internal or outsourced, and publish their name and contact on the company's website, creating a working channel to serve data subjects.
- Draft the external privacy policy in clear language, the internal data protection policy, and include data protection clauses in contracts with all processors and vendors.
- Implement technical and organizational security controls (Article 46): encryption in transit and at rest, MFA, least privilege, logging and monitoring, vulnerability management, and tested backups, ideally under an ISO/IEC 27001 ISMS.
- Validate the controls with periodic penetration testing, closing the gap between declared compliance and effective security against a real attacker.
- Set up an incident response plan with detection, containment, forensic investigation, and a procedure to notify the ANPD and data subjects within the 3-business-day deadline (Resolution CD/ANPD No. 15/2024).
Perguntas frequentes
How do I bring my company into LGPD compliance?
LGPD compliance follows six steps: (1) map all data processing and build the RoPA; (2) assign a legal basis from Article 7 or Article 11 to each operation; (3) appoint a DPO and publish their contact details; (4) draft a privacy policy and processor contracts; (5) implement technical security controls (encryption, MFA, logs, ISO 27001); and (6) set up incident response with notification to the ANPD within 3 business days. Decripte runs this cycle, uniting legal compliance with technical security.
How much is an LGPD fine?
The LGPD's simple fine is up to 2% of the company's revenue in Brazil in the last fiscal year, excluding taxes, capped at BRL 50 million per infraction (Article 52, II). There is also a daily fine with the same ceiling for continuing violations. The amount is calculated under Resolution CD/ANPD No. 4/2023, which classifies the infraction as minor, medium, or serious and applies aggravating factors of 5% to 90% for recidivism or failure to comply with corrective measures.
Do I need a DPO at my company?
Yes. The LGPD's general rule (Article 41) requires every controller to appoint a DPO and disclose their contact publicly. The DPO can be an individual or a legal entity, and the service can be outsourced (DPO as a Service). Small processing agents, under Resolution CD/ANPD No. 2/2022, are exempt from the mandatory appointment, but in that case they must keep a communication channel available to data subjects.
What is the deadline to notify the ANPD about a security incident?
The deadline is up to 3 (three) business days, counted from the date the controller confirms that the incident affected personal data, under Resolution CD/ANPD No. 15/2024. Notification is mandatory when the incident may create relevant risk or harm to data subjects and is made to the ANPD via an electronic form as well as to the affected data subjects. Information may be supplemented within 20 business days. For small processing agents, the deadlines are doubled.
Does the LGPD apply to small businesses and sole proprietors?
Yes. The LGPD sets no revenue or headcount threshold: it applies to any individual or company that processes personal data in Brazil, including sole proprietors, startups, and small e-commerce businesses. Small processing agents have a simplified regime (Resolution CD/ANPD No. 2/2022), with doubled deadlines and an exemption from the mandatory DPO appointment, but they remain required to have a legal basis, security, and to report relevant incidents. The ANPD's first fine was applied to a micro-enterprise.
What is the difference between a controller and a processor under the LGPD?
The controller is the one who makes decisions about data processing — defining purposes and means — and is responsible for notifying incidents to the ANPD and to data subjects. The processor handles the data on the controller's behalf, following its instructions (for example, a cloud provider or an email-marketing SaaS). Both are jointly liable for damages when they fail to comply with the law, and the relationship between them must be formalized in a contract with data protection clauses.
Want to comply with LGPD with real technical security?
Decripte implements LGPD and ISO 27001 compliance with auditable technical controls, from data mapping to incident response.
