LGPD
Brazil's Lei Geral de Proteção de Dados is Latin America's most comprehensive data protection law — enforceable since August 2021 with fines up to 2% of Brazil revenue.
The Lei Geral de Proteção de Dados (LGPD) — Brazil's General Data Protection Law — applies to any organization that processes personal data of individuals in Brazil, regardless of where the organization is headquartered. The law establishes ten legal bases for processing (broader than GDPR's six), creates data subject rights including access, correction, anonymization, and deletion, and designates the Autoridade Nacional de Proteção de Dados (ANPD) as the enforcement authority. Fines can reach 2% of revenue in Brazil, capped at R$50 million per infraction.
LGPD's legal basis structure differs meaningfully from GDPR. Brazil's law includes "legitimate interest" and "credit protection" as separate bases, and the consent requirements — while similar to GDPR — have specific Brazilian interpretations developed through ANPD guidance. Sensitive personal data (including health data, biometric data, political opinion, and racial origin) requires explicit consent and carries heightened obligations. Organizations with existing GDPR programs need specific adaptations for Brazilian compliance, not simple replication.
Data localization is not a blanket requirement under LGPD — cross-border transfers are permitted to countries with adequate protection levels, under standard contractual clauses approved by ANPD, or under several other mechanisms. However, the ANPD adequacy list and approved transfer mechanisms continue to evolve, and organizations must monitor ANPD guidance to ensure their cross-border transfer arrangements remain compliant.
We architect LGPD compliance for organizations serving Brazilian markets — implementing the broader LGPD legal basis framework, designing data subject rights as system capabilities that meet Brazilian timelines and requirements, and building cross-border transfer documentation into the data pipeline. Our teams understand how LGPD and GDPR interact for organizations with overlapping EU and Brazil exposure and build unified compliance architectures where possible.