What Is Brazil's LGPD (General Data Protection Law)?
Brazil's LGPD (General Data Protection Law, Law No. 13,709/2018), the Brazilian counterpart to Europe's GDPR, is the federal law that governs how companies and public agencies collect, use, store and share personal data. It requires a documented legal basis for every use of personal data, grants data subjects rights such as access, correction and deletion, and is enforced by Brazil's data protection authority (ANPD), which can fine violators up to 2% of revenue, capped at R$50 million per infraction.
How the LGPD works in practice
The law does not list systems to install, it sets rules for any processing of personal data, from a customer record to an HR spreadsheet. The cycle has four parts that repeat across any operation.
Every collection needs a legal basis
A company may only process personal data if it has one of the grounds set out in the law: consent, contract performance, compliance with a legal obligation, legitimate interest, among others. Collecting data “because it always has” is not a legal basis.
Data subjects have rights the company must honor
Confirming the data exists, access, correction, portability and deletion are requests the law grants to the data owner, and the company has a deadline to respond.
A security incident must be reported
A breach that creates meaningful risk to data subjects has to be reported to the ANPD and to the affected people within a reasonable time, not hidden until it leaks to the press.
The company answers for its vendors too
Whoever processes personal data on the company's behalf (a processor) enters the chain of responsibility. Hiring a vendor without a data protection clause does not exempt the contracting company.
Source: Law No. 13,709/2018 (LGPD) and Brazil's National Data Protection Authority (ANPD).
The rights the LGPD grants data subjects
- Confirmation and access Knowing whether a company processes your data and getting a copy of what was collected, free of charge and in clear format.
- Correction Requesting an update to incomplete, inaccurate or outdated data.
- Deletion and anonymization Requesting deletion of data processed under consent, or its anonymization when deletion is not possible.
- Portability Taking your data to another provider, in an interoperable format, without depending on the goodwill of whoever holds it.
- Withdrawing consent Revoking a given authorization at any time, with immediate effect on future processing.
Why data compliance is no longer optional
The LGPD is not an isolated case. As of January 2025, 144 countries had national data protection laws, covering roughly 82% of the world's population (IAPP). A company that operates or sells across more than one market usually answers to several at once: the LGPD in Brazil, the GDPR in Europe, the CCPA in California, the PIPL in China, plus comparable laws elsewhere in Latin America and Asia. And the fines escalate: the LGPD allows up to 2% of revenue, while the GDPR reaches up to 4% of global turnover. But the real cost of an incident goes far beyond the fine. The global average cost of a data breach was US$4.44 million (IBM, 2025), adding notification, investigation, reputational damage and, increasingly, civil liability.
How a company prepares for the LGPD
LGPD compliance is not a project that ends, it is a discipline that has to hold. The most direct path:
- Map the data you processList what personal data the company collects, where it comes from, where it is stored and who has access. Without that map, you cannot set a legal basis or answer a data subject's request.
- Set the legal basis for each useEvery use of data needs a documented legal ground, not a generic consent banner pasted everywhere.
- Name a data protection officerMost data protection laws expect a communication channel between the company, data subjects and the regulator. Someone has to be that point of contact.
- Have an incident response plan readyFiguring out the notification process in the middle of a breach costs time the company does not have. A plan tested beforehand is what shortens that window.
In practice
The question that reveals the real risk: if a data regulator asked today for the legal basis behind a specific piece of data, would someone answer in minutes, or spend days looking for it?
How Zamak handles LGPD compliance
Zamak Technologies supports LGPD readiness as part of Governance and Compliance in the Zamak Method: control mapping, evidence management and an audit trail on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the company is most exposed.