LGPD: Brazil’s Data Protection Law Explained
Brazil’s Lei Geral de Proteção de Dados (LGPD) brought one of the world’s largest economies into the modern privacy era. If you process the personal data of people in Brazil — wherever your business sits — it applies, and it’s enforced by a dedicated regulator, the ANPD.
Extraterritorial, like GDPR
The LGPD reaches any processing that takes place in Brazil, offers goods or services to people in Brazil, or processes data collected there. So a company based anywhere can be in scope — the test is who the data is about and what you’re doing, not where your servers are.
Ten legal bases
Where the GDPR offers six lawful bases, the LGPD provides ten legal bases for processing — including consent, legal obligation, legitimate interest, credit protection and the regular exercise of rights. Picking and documenting the right basis for each processing activity is foundational.
Core obligations
Data subject rights
Access, correction, deletion, portability, and information about sharing — generally answered within 15 days.
Appoint a DPO (encarregado)
A data protection officer who is the contact point for data subjects and the ANPD.
Security & breach notification
Reasonable technical and administrative measures, and notification of relevant breaches to the ANPD and affected people.
Records & DPIAs
Maintain records of processing and carry out impact reports for higher-risk activities.
How it compares to GDPR
If you already run a GDPR programme you’re most of the way there — the principles, rights and accountability model rhyme. The differences are real, though: ten legal bases instead of six, a 15-day response window, ANPD-specific guidance, and penalties that, while significant (up to 2% of Brazilian revenue, capped per infraction), differ from GDPR’s. Don’t assume a copy-paste of your GDPR programme will do.
How to comply
- Map where you process Brazilian personal data and assign a legal basis to each activity.
- Appoint a DPO and publish a contact channel for data subjects.
- Stand up rights handling to meet the 15-day window.
- Tighten security measures and breach-notification readiness.
- Keep records of processing and run impact reports for higher-risk processing.
The bottom line
The LGPD is GDPR-shaped but distinctly Brazilian. Build on a GDPR foundation, adapt for the ten legal bases and ANPD specifics, and operationalise the rights and records rather than treating the law as a policy PDF.
Run LGPD alongside GDPR and beyond
Cyber Horizon maps LGPD to your existing privacy controls, so one programme covers Brazil, the EU and the other privacy regimes — with evidence kept continuously current.