Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD) — Law No. 13,709/2018 — is Brazil's comprehensive data protection framework, enforceable since August 2021. It applies to any organisation that processes personal data of individuals located in Brazil, regardless of where the organisation is headquartered. For international companies with Brazilian customers, employees, or operations, LGPD compliance is not optional. A structured compliance audit provides the independent assurance needed to demonstrate accountability to Brazil's National Data Protection Authority (ANPD) and to business partners.
Legal Bases for Processing Under LGPD
LGPD provides ten legal bases for processing personal data — more than GDPR's six. These include:
- Consent of the data subject
- Compliance with a legal or regulatory obligation
- Execution of a contract or pre-contractual procedures
- Exercise of rights in judicial, administrative, or arbitration proceedings
- Protection of life or physical safety
- Protection of health (by health professionals or bodies)
- Legitimate interests of the controller or third parties
- Credit protection
- Research by public bodies (with anonymisation where possible)
- Fulfilment of a public policy or public service
Auditors verify that each processing activity is mapped to a documented legal basis and that the organisation can demonstrate the applicability of that basis.
DPO Requirements and the Role of ANPD
LGPD requires controllers to appoint a Data Protection Officer (DPO), referred to in the law as the Encarregado. Unlike GDPR, LGPD does not limit the DPO requirement to certain types of processing — all controllers must have one, though small processing operations may benefit from simplified obligations under ANPD regulations. The DPO's responsibilities include receiving complaints from data subjects, communicating with the ANPD, and providing guidance to employees on data protection matters.
The ANPD (Autoridade Nacional de Proteção de Dados) is Brazil's supervisory authority. It has the power to impose administrative sanctions including warnings, fines of up to 2% of the organisation's revenue in Brazil in the prior financial year (capped at R$50 million per infraction), and suspension or prohibition of data processing activities.
International Transfers and LGPD vs GDPR
LGPD restricts international transfers of personal data to countries that provide an adequate level of protection as determined by the ANPD, or where one of the approved safeguards is in place — including standard contractual clauses, binding corporate rules, or specific contractual clauses approved for the transfer. The ANPD is progressively issuing adequacy opinions and regulatory guidance in this area.
LGPD is frequently compared to GDPR. Key similarities include risk-based approach, data subject rights, and accountability principles. Key differences include the broader range of legal bases, the mandatory DPO for all controllers, and a different supervisory structure. Organisations already GDPR-compliant will find significant overlap, but LGPD compliance is not automatic — specific requirements (such as the Brazilian DPO role and the ANPD reporting obligations) require dedicated attention.
The LGPD Audit Process
A structured LGPD compliance audit follows a defined methodology:
- Data mapping: Establishing a complete inventory of personal data flows — what data is collected, from whom, for what purpose, and where it goes.
- Legal basis review: Confirming each processing activity has a documented, appropriate legal basis.
- Documentation review: Assessing privacy notices, data subject rights procedures, DPO appointment, processor agreements, and incident response plans.
- Technical and organisational controls: Reviewing security measures for adequacy relative to the risk of processing.
- Gap report: Identifying nonconformities with a prioritised remediation roadmap.