Skip to Content
Governance and Compliance

What Is Brazil's LGPD (General Data Protection Law)?

Brazil's LGPD (General Data Protection Law, Law No. 13,709/2018), the Brazilian counterpart to Europe's GDPR, is the federal law that governs how companies and public agencies collect, use, store and share personal data. It requires a documented legal basis for every use of personal data, grants data subjects rights such as access, correction and deletion, and is enforced by Brazil's data protection authority (ANPD), which can fine violators up to 2% of revenue, capped at R$50 million per infraction.

Zamak TechnologiesUpdated on July 10, 2026

How the LGPD works in practice

The law does not list systems to install, it sets rules for any processing of personal data, from a customer record to an HR spreadsheet. The cycle has four parts that repeat across any operation.

1

Every collection needs a legal basis

A company may only process personal data if it has one of the grounds set out in the law: consent, contract performance, compliance with a legal obligation, legitimate interest, among others. Collecting data “because it always has” is not a legal basis.

2

Data subjects have rights the company must honor

Confirming the data exists, access, correction, portability and deletion are requests the law grants to the data owner, and the company has a deadline to respond.

3

A security incident must be reported

A breach that creates meaningful risk to data subjects has to be reported to the ANPD and to the affected people within a reasonable time, not hidden until it leaks to the press.

4

The company answers for its vendors too

Whoever processes personal data on the company's behalf (a processor) enters the chain of responsibility. Hiring a vendor without a data protection clause does not exempt the contracting company.

Source: Law No. 13,709/2018 (LGPD) and Brazil's National Data Protection Authority (ANPD).

The rights the LGPD grants data subjects

  • Confirmation and access Knowing whether a company processes your data and getting a copy of what was collected, free of charge and in clear format.
  • Correction Requesting an update to incomplete, inaccurate or outdated data.
  • Deletion and anonymization Requesting deletion of data processed under consent, or its anonymization when deletion is not possible.
  • Portability Taking your data to another provider, in an interoperable format, without depending on the goodwill of whoever holds it.
  • Withdrawing consent Revoking a given authorization at any time, with immediate effect on future processing.

Why data compliance is no longer optional

144
countries already have national data protection laws, covering about 82% of the world's population (IAPP, Jan. 2025)
2% to 4%
of revenue is the fine ceiling of the major laws: up to 2% under the LGPD, up to 4% under the GDPR
US$4.44M
is the global average cost of a data breach (IBM, 2025)

The LGPD is not an isolated case. As of January 2025, 144 countries had national data protection laws, covering roughly 82% of the world's population (IAPP). A company that operates or sells across more than one market usually answers to several at once: the LGPD in Brazil, the GDPR in Europe, the CCPA in California, the PIPL in China, plus comparable laws elsewhere in Latin America and Asia. And the fines escalate: the LGPD allows up to 2% of revenue, while the GDPR reaches up to 4% of global turnover. But the real cost of an incident goes far beyond the fine. The global average cost of a data breach was US$4.44 million (IBM, 2025), adding notification, investigation, reputational damage and, increasingly, civil liability.

How a company prepares for the LGPD

LGPD compliance is not a project that ends, it is a discipline that has to hold. The most direct path:

  1. Map the data you processList what personal data the company collects, where it comes from, where it is stored and who has access. Without that map, you cannot set a legal basis or answer a data subject's request.
  2. Set the legal basis for each useEvery use of data needs a documented legal ground, not a generic consent banner pasted everywhere.
  3. Name a data protection officerMost data protection laws expect a communication channel between the company, data subjects and the regulator. Someone has to be that point of contact.
  4. Have an incident response plan readyFiguring out the notification process in the middle of a breach costs time the company does not have. A plan tested beforehand is what shortens that window.

In practice

The question that reveals the real risk: if a data regulator asked today for the legal basis behind a specific piece of data, would someone answer in minutes, or spend days looking for it?

How Zamak handles LGPD compliance

Zamak Technologies supports LGPD readiness as part of Governance and Compliance in the Zamak Method: control mapping, evidence management and an audit trail on a compliance platform. A good starting point is the Compliance Audit Express, which shows in minutes where the company is most exposed.

Frequently asked questions about the LGPD

Does the LGPD only apply to Brazilian companies?
No. The law reaches any company, in Brazil or abroad, that processes personal data of people located in Brazil or that offers goods or services to people in Brazil. The test is where the data subject is, not where the company is headquartered.
Does a small company have to comply with the LGPD?
Yes, there is no exemption based on company size. The ANPD factors size into how it scales enforcement and fines, not into whether the law applies.
What is the difference between the LGPD and the GDPR?
The LGPD is Brazil's law and was inspired by Europe's GDPR; the principles are similar (legal basis, data subject rights, incident notification), but the enforcement authority, the deadlines and the fine amounts differ between the two laws.
What does a data protection officer (DPO) do?
It is the official channel between the company, data subjects and the ANPD. It receives complaints, guides employees and tracks internal compliance with the law.
Does every breach have to be reported to the ANPD?
Not every one: the law requires notification when the incident may cause meaningful risk or harm to data subjects. Trivial leaks with no real risk fall outside that duty, but drawing that line takes judgment and, usually, legal support.
Is consent always required to process data?
No. Consent is just one of the legal bases the law allows. Contract performance, compliance with a legal obligation and legitimate interest, among others, can also authorize processing, depending on the case.