Lei Geral de Proteção de Dados Pessoais (General Data Protection Law)

Brazil's LGPD is a comprehensive data protection law closely modeled on the GDPR, establishing rights for data subjects, obligations for controllers and processors, and enforcement by the ANPD. This guide covers legal bases, data subject rights, and practical compliance.

Issuing Body: National Congress of Brazil / Autoridade Nacional de Proteção de Dados (ANPD)
First Published: 2018-08-14
Latest Version: 2018 (enforced September 18, 2020)
Typical Cost: $8,000–$120,000
Typical Timeline: 3–10 months
Audit Required: No
Audit Frequency: No mandatory periodic external audit. The ANPD may conduct audits and investigations. Data Protection Impact Reports may be required for high-risk processing.
Geography: Brazil

LGPD: The Complete Guide

Brazil's Lei Geral de Proteção de Dados (LGPD) is Latin America's most comprehensive data protection law. Enacted in August 2018 and enforceable since September 2020, the LGPD applies to any processing of personal data carried out in Brazil, data collected in Brazil, or data used to offer goods and services to individuals in Brazil.

What the LGPD Covers

The LGPD establishes ten legal bases for processing personal data, going beyond the GDPR's six. These include consent, legitimate interest, contract performance, legal obligation, research, exercise of rights, health protection, credit protection, life protection, and public policy. Organizations must identify and document the applicable basis for each processing activity.

Data subjects (titulares) are granted extensive rights including confirmation of processing, access, correction, anonymization, portability, deletion, information about sharing with third parties, and the ability to revoke consent. Controllers must respond to requests within a reasonable timeframe.

The law categorizes certain data as sensitive personal data — including racial or ethnic origin, religious belief, political opinion, health and sexual data, genetic and biometric data — which requires explicit consent or must fall under specific statutory exceptions.

Who Needs to Comply

The LGPD's extraterritorial scope reaches any organization that processes personal data of individuals located in Brazil, processes data collected in Brazilian territory, or offers goods and services to the Brazilian market. This broad reach means global companies with Brazilian customers or operations must comply.

Enforcement and Penalties

The Autoridade Nacional de Proteção de Dados (ANPD) is responsible for enforcement. Penalties include warnings, fines of up to 2% of revenue in Brazil (capped at 50 million reais per violation), daily fines, public disclosure of violations, data blocking, and data deletion. The ANPD has been actively issuing guidance and enforcement actions since its establishment.

Practical Compliance Steps

  1. Legal basis mapping — Identify and document legal bases for each processing activity
  2. Data subject rights — Implement intake and response mechanisms for all ten rights
  3. DPO appointment — Designate a Data Protection Officer and publish contact information
  4. Vendor management — Execute processing agreements with all operators (processors)
  5. Breach notification — Establish procedures for reporting incidents to the ANPD and data subjects
  6. Cross-border transfers — Assess international transfer mechanisms including adequacy decisions, standard clauses, or binding corporate rules

Organizations already GDPR-compliant will find significant overlap, but must address LGPD-specific requirements such as additional legal bases and the distinct enforcement structure.
