LGPD

Brazil’s General Data Protection Law: Privacy for personal data.

Enforced
18 September 2020

Administrative sanctions since 1 Aug 2021

Who this affects
Organisations processing personal data in Brazil

Also those offering goods/services to people in Brazil or collecting data in Brazil—regardless of location.

Penalty ceiling
Up to 2% of Brazilian revenue

Capped at R$50M per infraction

Obligations

  • Implement Security Measures

    Adopt and maintain technical and organisational measures proportionate to your risks to protect personal data in daily operations (Art. 46).

  • Keep Records of Processing Operations

    Maintain a formal register of processing operations—purpose, data categories, recipients, retention, and safeguards—available to the ANPD upon request (Art. 37).

  • Prepare Data Protection Impact Reports (RIPD) when required

    Produce a RIPD for high-risk processing when required by the ANPD or per guidance (e.g., legitimate-interest scenarios), documenting risks and mitigations (Arts. 10 §3, 38).

  • Govern Operators (Processors)

    Define controller instructions, use compliant contracts, and oversee operators and sub-operators to ensure adherence (Art. 39).

  • Appoint a DPO (Encarregado) and respond to data subjects

    Designate a DPO (unless exempted by ANPD rules), provide a public contact channel, and handle rights requests within LGPD timelines (Art. 41; Art. 18).

  • Purpose Limitation & Necessity

    Process only what is necessary for specific, legitimate purposes; embed minimisation into systems and workflows (Art. 6, items I & III).

  • And more

What we offer

Programmes are tailored end-to-end and may depend on earlier phases (e.g., deletion protocols require prior identification of personal-data flows and systems).

External DPO (Encarregado)

We act as your DPO: advise management, monitor compliance, train staff, oversee RIPDs, liaise with the ANPD, and report risks with practical remediation paths.

Brazil Market Entry & Client Readiness

Be contract-ready for Brazilian customers: lawful bases, privacy notices, transfer mechanisms, operator clauses, and evidence packs that pass procurement and due diligence.

Records of Processing (Art. 37)

We establish your register of processing operations—what you process, why, with whom, where, retention, and safeguards—and set a lightweight routine to keep it current.

RIPD — Company-Specific Impact Report

A thorough, personalised RIPD for high-risk processing: scope, stakeholder interviews, risk analysis tailored to your systems and business model, mitigation design, and sign-off documentation.

Incident & Breach Readiness

Design and embed a 72-hour response playbook with roles, decision trees, and notification templates (ANPD and data subjects). We train teams and set up the evidence you’ll need if an incident occurs.

Retention & Deletion Operating Model

Define lawful retention by data category, implement deletion routines in systems, and set up audit logs to prove execution.

Operator (Processor) Oversight

Practical onboarding and periodic review of operators: requirement baselines, contractual clauses, transfer mechanisms, and an oversight cadence that fits your vendor landscape.

LGPD for AI Systems

Align AI features and workflows with LGPD: controller/operator role mapping, legal bases, transparency to users, records updates, RIPD triggers, and acceptable-use guidance for teams.

Why now

Active enforcement

The ANPD is issuing guidance, opening procedures, and can impose fines, public notices, and processing restrictions.

Pre-launch duties

High-risk processing may require a RIPD and controls before go-live. Planning these steps avoids delays and non-compliance.

Transfers scrutiny

International transfers require valid mechanisms (adequacy, clauses, or seals). Clients increasingly ask for proof during due diligence.

How we work

Diagnose

Focused discovery across product features, data flows, and vendors to baseline actual practice.

Design

Co-create bespoke controls and workflows (minimisation, RIPD cadence, operator intake, breach playbooks) aligned to your reality.

Implement & Evidence

Embed changes with your teams and produce evidence packs that stand up in audits and client reviews.

Assure

Quarterly tune-ups: records updates, transfer reassessments, spot checks, and change logs that prove control over time.

Avoid fines. Protect trust. Keep your business running.

We design LGPD controls that fit your organisation and generate evidence you can stand behind.