December 7, 2026

LGPD Compliance: Practical Guide for Businesses in Brazil (2026-ready)

Your company processes personal data from Brazilian customers. Marketing collects email addresses. Sales accesses prospect information. Operations stores transaction records. Each activity creates potential liability under Brazil's comprehensive privacy law — and the Autoridade Nacional de Proteção de Dados (ANPD) has dramatically escalated enforcement since 2023.

LGPD compliance requires more than understanding legal text. You must implement operational systems capturing legal basis choices, documenting consent mechanisms, maintaining processing records, fulfilling data subject requests within 15 days, and notifying breaches within 72 hours.

Recent enforcement against Meta and X Corp demonstrates ANPD's willingness to suspend processing immediately when organizations fail to demonstrate adequate safeguards — particularly for children's data and AI training.

This guide provides actionable implementation steps, operational checklists, and audit-ready documentation frameworks for achieving LGPD compliance.

Quick LGPD Primer: Scope, Principles, and Rights

Who Must Comply

Brazil's Lei Geral de Proteção de Dados (Law 13,709/2018) applies to any personal data processing conducted by natural persons or legal entities, regardless of processing location, when:

  • Processing occurs in Brazilian territory
  • Targeting individuals in Brazil with goods or services
  • Data was collected in Brazil

Personal data encompasses any information linked to an identified or identifiable natural person. This broad definition captures names, email addresses, device identifiers, IP addresses, cookies, behavioral data, and any information that could identify someone directly or indirectly.

Exemptions include: personal/household processing, artistic/journalistic/academic purposes (with LGPD principles still applying), public security/national defense activities, anonymized data (where anonymization is irreversible with reasonable effort), and data originating outside Brazil not shared with Brazilian processing agents.

Core LGPD Principles

Article 6 establishes ten processing principles — four more than GDPR's six — that govern all personal data handling:

Purpose — Processing limited to legitimate, specific, explicit purposes disclosed to data subjects. Secondary use incompatible with original purpose is prohibited.

Adequacy — Processing must be compatible with stated purpose in collection context.

Necessity — Data minimization; collect only the minimum required for purpose achievement.

Free Access — Data subjects guaranteed facilitated, free consultation on form, duration, and data integrity.

Data Quality — Accuracy, clarity, relevance, and currency assured per context and purpose.

Transparency — Clear, accessible information on processing and agents, subject to trade secrets.

Security — Technical and administrative measures protecting against unauthorized access, destruction, loss, alteration, or dissemination.

Prevention — Measures to prevent harm from processing.

Non-discrimination — No processing for discriminatory, unlawful, or abusive purposes.

Accountability — Controllers and processors must prove effective compliance measures.

Data Subject Rights Under LGPD

Article 18 grants data subjects nine rights exercisable at any time, free of charge:

Confirmation and access — Verify whether data is being processed and receive personal data. Controllers must provide immediate confirmation in simplified form, with detailed access within 15 days (half GDPR's 30-day timeline).

Correction — Fix incomplete, inaccurate, or outdated data immediately unless factually or legally impossible.

Deletion and blocking — Remove unnecessary, excessive, or non-compliant data. Article 16 establishes retention exceptions for legal obligations, regulatory requirements, and study by research entities.

Data portability — Receive data in structured, interoperable format for transfer to another provider, enabling switching services without losing information.

Information on sharing — Learn which public or private entities received their data, promoting transparency about data flows beyond the original controller.

Consent revocation — Withdraw consent without prejudice to processing completed before revocation.

These faster timelines create operational pressure compared to GDPR. Small-scale agents receive doubled timelines (30 days instead of 15), but most organizations face the standard deadline requiring automated fulfillment systems.


LGPD Compliance Roadmap: End-to-End Implementation

Phase 0: Governance and Leadership Buy-In

Successful LGPD compliance requires executive sponsorship and cross-functional coordination. Establish a privacy steering committee including legal counsel, IT/security, compliance, and business unit leaders. This committee provides strategic oversight, resolves conflicts, allocates resources, and approves policies.

Secure budget allocation for privacy software, counsel, training, and staff time. Calculate non-compliance costs — ANPD fines reach 2% of Brazilian revenue (capped at R$ 50M per infraction), plus reputational damage.

Phase 1: Data Mapping and Records of Processing

Article 37 requires comprehensive Records of Processing Activities, especially when processing relies on legitimate interest.

Data mapping workflow:

System inventory — Catalog all systems: CRMs, marketing platforms, analytics tools, databases, backup systems, email servers, file shares, cloud applications.

Data categorization — Classify by sensitivity. Regular personal data includes names, emails, addresses. Sensitive personal data includes racial/ethnic origin, religious beliefs, political opinions, health data, sexual life information, genetic data, biometric data.

Legal basis identification — Map each activity to one of LGPD's ten legal bases. Document why that basis applies and maintain evidence.

Retention determination — Establish retention periods with justification. Indefinite retention violates the necessity principle. Consider business needs, legal requirements, regulatory obligations.

Recipient identification — List all entities receiving data: internal departments, service providers, processors, marketing platforms, analytics providers.

Phase 2: Legal Bases and Lawful Processing Model

Article 7 establishes ten legal bases for processing — critically, there is no hierarchy; all are equally valid. Controllers must identify and document one applicable basis per processing activity.

The ten legal bases:

  1. Consent — Freely given, informed, active, unambiguous manifestation
  2. Legal/regulatory obligation — Compliance with statutory duties
  3. Public administration — Public policy execution by government entities
  4. Research purposes — By research entities, with anonymization where possible
  5. Contract performance — Necessary for contract execution or preliminary negotiation
  6. Exercise of legal rights — In judicial, administrative, or arbitration proceedings
  7. Life or physical safety — Protection of data subject or third parties
  8. Health protection — By health professionals or sanitary entities
  9. Legitimate interests — Controller/third-party interests when fundamental rights do not prevail
  10. Credit protection — Credit analysis and risk assessment

Consent as legal basis requires:

  • Free consent (no coercion; easy withdrawal without penalty)
  • Informed consent (clear information on purposes, retention, sharing, rights)
  • Active consent (opt-in; pre-checked boxes are void)
  • Purpose-specific consent (generic authorizations are void)
  • Revocable consent (withdraw at any time without affecting non-consent-dependent services)
  • Controller bears the burden of proof: it must document compliance with LGPD consent rules

Legitimate interest as legal basis requires a three-part assessment (though not statutorily mandated, ANPD enforcement has made it practically mandatory):

Legitimacy — Interest must be lawful, precisely articulated (not vague), and real/concrete (not speculative).

Necessity — Processing must be necessary; less intrusive alternatives must be ruled out.

Balancing — Controller's interest must not disproportionately override data subject rights/freedoms. Mitigation measures required if imbalance exists.

ANPD's Meta and X Corp rulings established that children and adolescents' data require heightened scrutiny. Controllers must explicitly document how processing serves the "best interest" of minors and provide risk mitigation like pseudonymization or consent mechanisms.

Phase 3: Data Protection Impact Assessments

Unlike GDPR Article 35, LGPD Article 38 grants ANPD discretion: the authority may request a Relatório de Impacto à Proteção de Dados (RIPD), particularly for legitimate interest processing.

Controllers in high-risk domains should prepare RIPDs proactively. ANPD's 2024-2025 roadmap prioritizes AI/facial recognition and children's data protection.

RIPD content: Processing description, risk assessment, technical/organizational measures, mitigation mechanisms, residual risk analysis.

Conduct DPIAs before implementing large-scale processing, systematic monitoring, automated decision-making, sensitive data processing, AI/machine learning systems, or children's data processing.

Phase 4: Data Subject Request Processes

Controllers must operationalize DSAR workflows with documented procedures.

Intake systems accept requests through web portals, dedicated email, postal mail, and phone lines. Identity verification prevents unauthorized access through government ID, security questions, or two-factor authentication.

Data retrieval requires mapping where personal data resides. Redaction procedures protect trade secrets and third-party data. Audit logs document who fulfilled requests, when, in what format.

The 15-day detailed access deadline is half GDPR's timeline. Organizations without automation struggle to meet it consistently.

Phase 5: Vendor and Subprocessor Controls

Processor obligations (Article 39) require controllers to implement comprehensive vendor management:

Processor contracts should specify processing scope (what data, for what purposes, how long), controller instructions (processor processes only per documented instructions), confidentiality commitments, security obligations, subprocessor restrictions, data subject request assistance, deletion/return on termination, and audit rights.

While LGPD doesn't mandate processor contracts (unlike GDPR Article 28), they're practically essential. Without formal agreements, responsibility allocation becomes ambiguous, and both parties face regulatory risk.

Vendor due diligence involves security assessments before engagement, annual security questionnaires, certification verification (ISO 27001, SOC 2), breach notification procedures, and subprocessor approval processes.

Contract templates should incorporate LGPD-specific clauses including Article 39 obligations, security measure requirements, breach notification (3-business-day ANPD timeline), data subject assistance, termination data handling, and audit cooperation.

Phase 6: Incident Response and Breach Notification

Resolution CD/ANPD No. 15 (April 2024) operationalized Article 48's breach notification requirements. A notifiable incident requires notification if it creates potential relevant risk involving:

  • Sensitive data (racial, religious, political, health, biometric, genetic)
  • Children or elderly data
  • Financial data
  • Authentication/system credentials
  • Legally/judicially/professionally privileged data
  • Large-scale data

Critical point: actual harm is not required; potential relevant risk suffices.

Notification timelines:

  • ANPD: 3 business days (6 for small-scale agents) via electronic form
  • Data subjects: 3 business days (6 for small-scale agents) via direct communication or public channels

Incident registry must be maintained for 5 years minimum, even for non-notified incidents. ANPD may investigate unreported incidents independently and impose sanctions.

IAMSPE's 2023 sanction for failing to notify a 1.5M-record breach for three months demonstrated ANPD's strict enforcement of the 3-business-day threshold.

Phase 7: Monitoring, Auditing, and Continuous Improvement

Compliance is not a one-time project but an ongoing operational commitment.

Quarterly compliance reviews assess data processing changes, vendor additions/removals, policy updates, security incident patterns, and DSAR fulfillment metrics.

Annual comprehensive audits include full RoPA review, legitimate interest assessment updates, processor contract verification, security control testing, and staff training completion verification.

Continuous monitoring dashboards track DSAR response times, consent withdrawal rates, security incident frequency, vendor compliance scores, and training completion percentages.

Practical Implementation Checklists

Data Mapping and Consent

□ Inventory all systems storing personal data
□ Categorize data by sensitivity
□ Identify legal basis for each processing activity
□ Establish retention periods with justification
□ Implement granular consent with opt-in mechanisms
□ Provide clear, plain-language explanations
□ Enable one-click withdrawal without penalties
□ Maintain timestamped consent logs
□ Test withdrawal mechanisms regularly

DSAR and Vendor Management

□ Create multiple intake channels (web, email, postal)
□ Implement identity verification procedures
□ Map data locations across all systems
□ Track 15-day response deadline
□ Conduct vendor security assessments
□ Execute processor contracts with LGPD clauses
□ Verify security measure implementation
□ Schedule annual vendor reviews
□ Maintain vendor risk register

Breach Response and Monitoring

□ Detect incidents through monitoring systems
□ Contain breaches immediately
□ Determine notification threshold
□ Notify ANPD within 3 business days
□ Notify data subjects within 3 business days
□ Document incidents in 5-year registry
□ Track DSAR response times
□ Monitor consent withdrawal rates
□ Measure vendor compliance scores
□ Verify training completion


Technical Implementation Patterns

Consent Capture and Storage

Implement CMPs with:

  • Geolocation-based rule triggering that applies Brazilian requirements automatically
  • Purpose-specific toggles for analytics, marketing, and profiling
  • Timestamp recording of every consent event
  • Real-time consent synchronization across systems
  • Withdrawal tracking with documentation
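The consent requirements above (active opt-in, purpose-specific, revocable, timestamped, with the controller carrying the burden of proof) map onto a small data structure. The following is an added illustration written for this guide; it is not code from the original article or from any vendor it names. It assumes an in-memory list as a stand-in for an append-only store, hypothetical purpose names such as "analytics" and "marketing", and hash-chaining of events as one way of making the log tamper-evident for audit purposes.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone

# Generic authorisations are void under LGPD consent rules, so blanket purposes
# are refused at write time instead of being found later in an audit.
GENERIC_PURPOSES = {"all", "any", "*", "everything"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str     # e.g. "analytics", "marketing" (hypothetical purpose names)
    action: str      # "grant" or "withdraw"
    at: str          # ISO-8601 timestamp carrying a UTC offset
    source: str      # channel where the choice was captured, e.g. "cmp-banner"
    prev_hash: str   # digest of the preceding event, "" for the first one
    digest: str      # sha256 over this event's fields plus prev_hash


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def _digest(subject_id, purpose, action, at, source, prev_hash) -> str:
    body = json.dumps([subject_id, purpose, action, at, source, prev_hash])
    return hashlib.sha256(body.encode()).hexdigest()


@dataclass
class ConsentLedger:
    """Append-only, hash-chained log of consent events (in-memory stand-in)."""
    events: list[ConsentEvent] = field(default_factory=list)

    def _append(self, subject_id, purpose, action, source, at):
        at = at or _utc_now()
        prev = self.events[-1].digest if self.events else ""
        ev = ConsentEvent(subject_id, purpose, action, at, source, prev,
                          _digest(subject_id, purpose, action, at, source, prev))
        self.events.append(ev)
        return ev

    def grant(self, subject_id, purpose, source, *, pre_checked=False, at=None):
        # Active opt-in only: a pre-ticked box is not a manifestation of will.
        if pre_checked:
            raise ValueError("pre-checked consent is void; an active opt-in is required")
        if purpose.strip().lower() in GENERIC_PURPOSES:
            raise ValueError("consent must be purpose-specific; generic authorisation is void")
        return self._append(subject_id, purpose, "grant", source, at)

    def withdraw(self, subject_id, purpose, source, *, at=None):
        # Withdrawal is always accepted; no reason or extra confirmation is demanded.
        return self._append(subject_id, purpose, "withdraw", source, at)

    def status(self, subject_id, purpose, *, as_of=None) -> bool:
        """True if consent for `purpose` was in force at `as_of` (default: now).

        Checking a past instant shows that processing done before a withdrawal
        was lawful at the time, which is what Article 18 revocation preserves.
        """
        cutoff = datetime.fromisoformat(as_of) if as_of else datetime.now(timezone.utc)
        in_force = False  # nothing recorded means no consent
        for ev in self.events:
            if (ev.subject_id == subject_id and ev.purpose == purpose
                    and datetime.fromisoformat(ev.at) <= cutoff):
                in_force = ev.action == "grant"
        return in_force

    def evidence(self, subject_id) -> list[dict]:
        """Per-subject export for DSAR replies or an ANPD audit pack."""
        return [asdict(ev) for ev in self.events if ev.subject_id == subject_id]

    def verify_chain(self) -> bool:
        """Recompute every digest; an edited or deleted event breaks the chain."""
        prev = ""
        for ev in self.events:
            if ev.prev_hash != prev or _digest(ev.subject_id, ev.purpose, ev.action,
                                               ev.at, ev.source, prev) != ev.digest:
                return False
            prev = ev.digest
        return True
```

Timestamps passed via `at` must carry an offset (the default is UTC) so that comparisons against the current time never mix naive and aware values. Storing the chain digest alongside each event lets an auditor confirm that the exported consent log has not been rewritten after the fact, which is the kind of evidence the accountability principle asks controllers to produce.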

Automated RoPA Updates

Integrate discovery patterns:

  • System scanning that detects databases and applications
  • AI-powered data classification
  • API integrations connecting to CRMs and marketing platforms
  • Change detection alerting on new systems
  • Legal basis mapping linking activities to Article 7/11 bases
  • Version control tracking RoPA changes

DSAR Automation and Logging

Implement:

  • Centralized intake portals
  • Automated discovery querying all systems
  • Data extraction from multiple sources
  • Automated redaction of trade secrets
  • Format conversion to portable formats
  • Secure delivery via encrypted channels
  • Comprehensive audit logging tracking every step
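Both the DSAR workflow here and the breach timelines in Phase 6 come down to deadline tracking: 15 calendar days for detailed access and 3 business days for incident notification, each doubled for small-scale agents, plus a 5-year retention floor for the incident registry. The following is an added example written for this guide, not code from the original article or from any vendor it names. It assumes that business days exclude Saturdays, Sundays and whatever dates the caller passes as holidays (the holiday set below is a constructed placeholder, not an official calendar), that the clock starts on the day the request is received or the incident becomes known, and that ticket identifiers such as "DSAR-0001" are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

DSAR_DETAILED_ACCESS_DAYS = 15     # Article 18: calendar days, doubled for small-scale agents
INCIDENT_NOTICE_BUSINESS_DAYS = 3  # Resolution CD/ANPD No. 15, doubled for small-scale agents
INCIDENT_REGISTRY_YEARS = 5        # minimum retention of the incident registry


def add_business_days(start: date, n: int, holidays: frozenset[date] = frozenset()) -> date:
    """Advance `n` business days past `start`, skipping weekends and `holidays`."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            n -= 1
    return current


def dsar_deadline(received: date, *, small_scale: bool = False) -> date:
    """Calendar-day deadline for detailed access (30 days for small-scale agents)."""
    return received + timedelta(days=DSAR_DETAILED_ACCESS_DAYS * (2 if small_scale else 1))


def incident_notice_deadline(known: date, *, small_scale: bool = False,
                             holidays: frozenset[date] = frozenset()) -> date:
    """Business-day deadline for notifying ANPD and data subjects."""
    days = INCIDENT_NOTICE_BUSINESS_DAYS * (2 if small_scale else 1)
    return add_business_days(known, days, holidays)


def registry_retention_until(recorded: date) -> date:
    """Earliest date an incident record may leave the registry."""
    try:
        return recorded.replace(year=recorded.year + INCIDENT_REGISTRY_YEARS)
    except ValueError:  # 29 February has no counterpart five years on; use 28 February
        return recorded.replace(year=recorded.year + INCIDENT_REGISTRY_YEARS, day=28)


@dataclass
class Obligation:
    kind: str             # "dsar" or "incident"
    reference: str        # ticket id (constructed values in the usage below)
    opened: date
    due: date
    closed: date | None = None

    def state(self, today: date) -> str:
        if self.closed is not None:
            return "met" if self.closed <= self.due else "late"
        return "overdue" if today > self.due else "open"

    def days_left(self, today: date) -> int:
        return (self.due - today).days


def overdue(obligations: list[Obligation], today: date) -> list[str]:
    """References of every open obligation whose deadline has passed."""
    return [o.reference for o in obligations if o.state(today) == "overdue"]


if __name__ == "__main__":
    # Constructed sample: one DSAR and one incident, both logged on Friday 2025-01-10.
    holidays = frozenset({date(2025, 1, 1)})  # placeholder, not an official calendar
    book = [
        Obligation("dsar", "DSAR-0001", date(2025, 1, 10), dsar_deadline(date(2025, 1, 10))),
        Obligation("incident", "INC-0001", date(2025, 1, 10),
                   incident_notice_deadline(date(2025, 1, 10), holidays=holidays)),
    ]
    for o in book:
        print(o.reference, "due", o.due, o.state(date(2025, 1, 16)))
```

The two deadline kinds deliberately use different arithmetic: the DSAR clock runs in calendar days, so a request received on a Friday is due fifteen days later regardless of weekends, while the incident clock counts business days, so the same Friday discovery is due the following Wednesday. A dashboard KPI such as "DSAR fulfillment rate" is then just the share of closed obligations whose state is "met".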

Evidence and Audit Readiness

Dashboards and KPIs

Monitor compliance metrics:

  • DSAR fulfillment rate — Percentage meeting 15-day deadline
  • Average response time — Days from intake to delivery
  • Consent withdrawal rate — Percentage revoking consent
  • Vendor compliance score — Percentage with current contracts
  • Security incident frequency — Breaches per quarter
  • Training completion — Staff completing privacy education

Documentation Pack for ANPD Audits

Maintain audit-ready evidence:

  • Current RoPA — Complete processing inventory
  • Legal basis documentation — Justification per processing activity
  • Legitimate interest assessments — Three-part balancing tests
  • Consent logs — Timestamped collection and withdrawal records
  • Processor contracts — Agreements with all vendors
  • DSAR fulfillment records — Request handling documentation
  • Security policies — Technical and organizational measures
  • Incident registry — 5-year breach history
  • Training records — Staff completion certificates
  • DPIA/RIPD reports — Impact assessments for high-risk processing


LGPD Enforcement and Practical Mitigation

Typical Violations and Fines

ANPD sanction hierarchy (Article 52):

  1. Warning
  2. Public disclosure of infraction
  3. Blocking/deletion of non-compliant data
  4. Daily fines (per violation per day)
  5. Simple fine (up to 2% of annual revenue in Brazil, capped at R$ 50M per infraction)
  6. Suspension of database operation (≤6 months)
  7. Suspension of processing activity
  8. Prohibition on government benefits

Recent enforcement:

  • Telekall (2023) — R$ 14,400 fine for lack of lawful basis, missing DPO, obstruction
  • IAMSPE (2023) — Sanction for 3-month delayed breach notification
  • Meta (July 2024) — Immediate suspension of AI training on platform user data
  • X Corp (December 2024) — 5-day suspension of minors' data use for AI training

Total fines since 2023: ~R$ 98M (~$20M USD).

Remediation Playbook

When violations are identified:

Immediate containment — Stop non-compliant processing, implement temporary safeguards, preserve evidence.

Root cause analysis — Determine why violation occurred, identify systemic issues, assess similar risk elsewhere.

Corrective action plan — Define specific remediation steps, assign responsibility and deadlines, allocate resources.

ANPD engagement — Notify authority of self-discovered violations, propose correction timeline, demonstrate good faith.

Implementation and verification — Execute corrections, test effectiveness, document completion.

Preventive measures — Update policies and procedures, enhance training, improve monitoring, strengthen controls.

ANPD considers good-faith compliance efforts when determining sanctions. Proactive self-reporting and rapid remediation reduce penalties.


LGPD vs GDPR: What International Teams Need to Know

Key Implementation Differences

Legal bases: LGPD provides 10 vs. GDPR's 6. LGPD includes research, health protection, and credit protection as separate bases, offering more flexibility but requiring precise identification.

Processor contracts: LGPD recommends but doesn't mandate (unlike GDPR Article 28). Best practice: always use contracts despite legal ambiguity.

DPIA triggers: LGPD grants ANPD discretion vs. GDPR's statutory triggers. Not knowing whether a DPIA is needed until ANPD requests one creates risk.

Response timelines: LGPD 15 days for detailed access vs. GDPR 30 days. Faster timeline creates operational pressure.

Breach notification: LGPD 3 business days vs. GDPR 72 hours. Similar timelines but LGPD uses lower risk threshold (potential vs. high risk).

International transfers: LGPD requires ANPD-approved SCCs in exact form vs. GDPR's flexible templates. More restrictive due to lack of adequacy decisions.

Children's data: LGPD explicitly mandates "best interests" balancing vs. GDPR's implicit consideration. ANPD enforcement prioritizes this.

Single Framework Approach

Unified implementation possible for:

  • Data mapping/RoPA — Single inventory covering both frameworks
  • Security measures — Common controls satisfy both regimes
  • Processor contracts — Single DPA template incorporating both requirements
  • Consent mechanisms — Single CMP tracking both frameworks
  • DSAR workflows — Single portal set to faster LGPD deadline

Divergence required for:

  • Legitimate interest assessments — Separate LIA emphasizing "best interest" for minors
  • Children's consent — LGPD requires separate parental consent per purpose
  • International transfers — Separate agreements using ANPD SCCs
  • DPIA triggers — Proactive LGPD RIPDs for AI/biometrics


Recommended Tools and Automation Stack

Data Mapping and RoPA Tools

Automated discovery and documentation platforms:

  • Secure Privacy — An AI-powered, all-in-one privacy governance platform that automates compliance workflows, reduces manual effort by 20+ hours/month, and provides real-time visibility across GDPR, CCPA, LGPD and other regulations
  • OneTrust — Comprehensive privacy management with LGPD support
  • BigID — Data discovery across 2,000+ applications
  • DataGrail — Fast implementation with strong automation

Consent Management Platforms

LGPD-compliant CMPs:

  • Didomi — Granular consent with Brazilian localization
  • Secure Privacy — Education and LGPD-specific automation
  • iubenda — Policy generation with LGPD templates
  • Cookiebot — Cookie compliance with Brazilian support

DSAR Automation Platforms

Request intake and fulfillment:

  • OneTrust DataGuidance — End-to-end DSAR workflow
  • DataGrail — Automated discovery and response
  • Secure Privacy — 15-day deadline tracking

Vendor Risk and Contract Automation

Processor management:

  • OneTrust Vendorpedia — Third-party risk assessment
  • Secure Privacy — DPA template management
  • TrustArc — Vendor risk scoring


FAQs About LGPD Compliance

What is LGPD and who does it apply to? Brazil's Lei Geral de Proteção de Dados (Law 13,709/2018) is a comprehensive privacy law applying to any personal data processing in Brazil, targeting individuals in Brazil, or involving data collected in Brazil, regardless of where the processing organization is located.

How long to respond to a DSAR under LGPD? Immediate confirmation in simplified form. Detailed access within 15 days maximum, half GDPR's 30-day timeline. Small-scale agents receive 30 days. Corrections and deletions must be immediate unless factually or legally impossible.

Do I need a Data Protection Officer under LGPD? Controllers must appoint DPOs. Processors optionally appoint unless acting as controller for their own data. Small-scale agents (≤R$ 4.8M revenue) are exempt unless engaging in high-risk processing like children's data or AI.

How to lawfully transfer data out of Brazil? Use ANPD-approved Standard Contractual Clauses (exact, unaltered text per Resolution 19/2024), obtain specific highlighted consent for international transfer, rely on legal obligations or public policy, or request ANPD authorization. No countries currently have adequacy decisions.

What are the legal bases under LGPD? Ten bases: consent, legal obligation, public administration, research, contract performance, legal rights exercise, life/safety protection, health protection, legitimate interests, and credit protection. All are equally valid; controllers must identify one per processing activity.

What triggers breach notification under LGPD? Security incidents creating potential relevant risk involving sensitive data, children/elderly data, financial data, credentials, privileged data, or large-scale data must be notified to ANPD within 3 business days and data subjects within 3 business days. Actual harm is not required.


Conclusion: Next Steps

LGPD compliance requires operational systems, not just legal documentation. Start with comprehensive data mapping identifying all processing activities. Assign legal bases per Article 7 or 11 with documented justification. Implement consent management platforms capturing granular preferences with audit trails.

Operationalize DSAR workflows meeting 15-day deadlines through automation. Execute processor contracts with all vendors incorporating LGPD obligations. Establish breach response procedures meeting 3-business-day notification timelines. Conduct proactive DPIAs for high-risk processing.

ANPD enforcement has shifted — preventive measures like Meta and X Corp suspensions demonstrate willingness to act immediately without formal sanctions. The 2025-2026 enforcement roadmap prioritizes children's data, AI/biometrics, and data scraping. Organizations in these sectors should expect inspections and prepare documentation proactively.

Treat LGPD as operational governance, not just legal compliance. Document, operationalize, audit, and iterate continuously.
