Brazil LGPD (Lei Geral de Proteção de Dados) — Engineering Specifics
Brazil's comprehensive data protection law modeled on GDPR, with distinct legal bases, ANPD enforcement, and sector-specific requirements.
Brazil's Lei Geral de Proteção de Dados (LGPD), Law No. 13,709/2018 as amended by Law No. 13,853/2019, became fully enforceable with administrative sanctions from August 2021, overseen by the Autoridade Nacional de Proteção de Dados (ANPD). The LGPD applies to any processing of personal data carried out in Brazil, by entities established in Brazil, or where the processing is aimed at offering goods or services to individuals in Brazil — extraterritorial reach comparable to GDPR. The law enumerates ten legal bases for processing (Article 7), including consent, legitimate interests, contract performance, legal obligation, vital interests, research, and several public-authority bases, plus six additional bases for sensitive data processing (Article 11) — generally requiring consent or specific legal authorization.
Engineering obligations under the LGPD center on three structural requirements. First, the appointment of a Data Protection Officer (Encarregado) — mandatory for all controllers, with no size threshold, and the officer's contact details must be publicly disclosed (Article 41). Second, Data Protection Impact Reports (Relatório de Impacto à Proteção de Dados Pessoais, or RIPD) — required before processing sensitive data, children's data, or any high-risk processing as defined by the ANPD; these are analogous to GDPR DPIAs but with some procedural differences. Third, data subject rights under Articles 18–20 closely mirror GDPR: access, correction, anonymization or blocking, portability, deletion, information about sharing, and the right to revoke consent — all with a 15-day response timeline set by ANPD Resolution CD/ANPD No. 4/2023.
Brazil's LGPD has several engineering nuances absent from GDPR. Anonymization is treated as a data protection technique that removes data from the law's scope, but ANPD guidance requires irreversibility testing — data that can be re-identified with "reasonable effort" remains personal data. International data transfers (Chapter V) require either an adequate country listing, standard contractual clauses approved by ANPD, binding corporate rules, or specific consent — Brazil has its own SCCs distinct from EU SCCs. Penalties reach 2% of revenue in Brazil (not global revenue), capped at BRL 50 million, and are applied per infraction, so systemic failures can accumulate multiple penalties. ANPD Resolution CD/ANPD No. 2/2022 defines the simplified compliance regime for micro and small businesses.
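The irreversibility point above is the one a data team most often gets wrong: stripping names and CPF numbers is not anonymization if the remaining columns still single people out. The following added example (not from the page or from any ANPD guidance) uses k-anonymity over a chosen set of quasi-identifiers as one concrete proxy for the "reasonable effort" test; the K_MIN threshold, the quasi-identifier columns and the sample rows are assumptions for illustration.

```python
"""Re-identification risk check for a candidate "anonymized" dataset.

Added example, not taken from the page or from any ANPD text: k-anonymity over
quasi-identifiers stands in for the "reasonable effort" re-identification test.
K_MIN, QUASI_IDS and SAMPLE are assumptions chosen for illustration.
"""
from collections import Counter

K_MIN = 5  # assumed minimum equivalence-class size; set it from the RIPD risk assessment
QUASI_IDS = ("cep_prefix", "birth_year", "gender")  # assumed linkable columns

def equivalence_classes(rows, quasi_ids):
    """Group records by their quasi-identifier tuple; small groups are the linkage risk."""
    return Counter(tuple(row[q] for q in quasi_ids) for row in rows)

def reidentification_report(rows, quasi_ids=QUASI_IDS, k_min=K_MIN):
    """Return the dataset's k and how many records sit in groups smaller than k_min."""
    classes = equivalence_classes(rows, quasi_ids)
    at_risk = sum(n for n in classes.values() if n < k_min)
    k = min(classes.values()) if classes else 0
    return {
        "k": k,
        "records_at_risk": at_risk,
        "share_at_risk": at_risk / len(rows) if rows else 0.0,
        "still_personal_data": k < k_min,  # True means the data stays in LGPD scope
    }

def generalize(row):
    """Coarsen quasi-identifiers: 3-digit CEP region and birth decade; gender is kept."""
    out = dict(row)
    out["cep_prefix"] = row["cep_prefix"][:3]
    out["birth_year"] = row["birth_year"] - row["birth_year"] % 10
    return out

# Constructed sample: direct identifiers already stripped, but a 5-digit CEP prefix,
# exact birth year and gender remain and could be linked against other sources.
SAMPLE = (
    [{"cep_prefix": "01310", "birth_year": 1985, "gender": "F", "diagnosis": "A"}] * 5
    + [{"cep_prefix": "01322", "birth_year": 1988, "gender": "F", "diagnosis": "B"}] * 2
    + [{"cep_prefix": "01345", "birth_year": 1981, "gender": "F", "diagnosis": "C"}]
)

if __name__ == "__main__":
    print("raw:        ", reidentification_report(SAMPLE))
    print("generalized:", reidentification_report([generalize(r) for r in SAMPLE]))
```

On the raw sample three of eight records fall in groups smaller than K_MIN (k = 1), so the dataset would still count as personal data; after generalizing CEP and birth year every record shares one class of eight and the check passes.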
We implement LGPD compliance with Brazilian-specific data residency and transfer controls, ANPD-aligned RIPD templates pre-scoped for sensitive and children's data processing, and a 15-day DSR response SLA enforced through automated request tracking. Our transfer mechanism tooling supports ANPD-approved SCCs alongside EU SCCs for organizations with both European and Brazilian obligations.