Brazil's General Data Protection Law (LGPD — Law nº 13.709/2018) has been in force since September 2020 and fines can reach R$ 50 million or 2% of annual revenue. Despite this, most small and medium-sized businesses have not taken the basic steps. If yours is in that group, this guide is for you.
💡 The LGPD applies to any company that processes personal data of individuals in Brazil — regardless of size, sector or the volume of data handled.
What is personal data?
Personal data is any information that identifies or makes a natural person identifiable. This includes: name, tax ID (CPF), email, phone number, address, IP address, location data, browsing behavior, photo, voice and much more. If your company collects any of this data — and it certainly does — the LGPD applies to you.
The 7 mandatory steps
1. Map the data you process
Before anything else, you need to know what data you collect, where it is stored, who has access and where it goes. This is called data mapping. It covers data from customers, suppliers, employees, prospects and website visitors.
- Which systems store personal data? (ERP, CRM, email, spreadsheets)
- Who has access to these systems?
- Is data shared with third parties? (accounting, finance, marketing)
2. Define the legal basis for each processing activity
The LGPD requires every personal data processing activity to have a legal basis — a justification provided by the law. The most common ones for businesses are:
- Consent: the data subject explicitly authorized the processing (e.g. a newsletter subscription)
- Contract performance: necessary to provide the contracted service
- Legitimate interest: the controller has a legitimate interest in the processing, as long as it does not harm the data subject
- Legal obligation: required by law (e.g. tax data for the Revenue Authority)
3. Create or update your Privacy Policy
Your company must have a privacy policy that is clear, accessible and written in plain language. It must inform: what data is collected, for what purpose, with whom it is shared, how long it is stored and how data subjects can exercise their rights.
⚠️ Privacy policies copied from the internet or generated by AI without technical review do not protect your company. The policy must reflect what you actually do.
4. Implement basic technical controls
The LGPD requires adequate security measures to protect data. At a minimum:
- Encryption of sensitive data at rest and in transit (HTTPS mandatory)
- Access control — only those who need it can access the data
- Strong authentication (MFA) for systems with personal data
- Backup with defined retention periods and regular testing
- Access logs — who accessed what and when
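A checker for the data map produced in step 1, as an added example that is not from the article or from Infomek: each processing activity is recorded with its system, fields, access list, legal basis (step 2), retention period, third-party sharing and encryption status (step 4), and the script reports the gaps to close before the privacy policy is written. The `Activity` schema, the "everyone" access marker and the inventory rows are constructed assumptions, not real company data.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The four legal bases the article lists as the common ones for businesses.
LEGAL_BASES = {"consent", "contract", "legitimate_interest", "legal_obligation"}

@dataclass
class Activity:
    """One row of the data map: a processing activity and what is known about it."""
    name: str                  # e.g. "customer billing"
    system: str                # where the data lives (ERP, CRM, spreadsheet)
    fields: list[str]          # personal data fields held (name, CPF, email...)
    accessible_by: list[str]   # roles or people with access
    legal_basis: str | None = None
    retention_days: int | None = None
    shared_with: list[str] = field(default_factory=list)  # third parties
    sensitive: bool = False    # row holds data your policy treats as sensitive
    encrypted_at_rest: bool = False

def check_activity(a: Activity) -> list[str]:
    """Return the findings for one activity that block steps 2, 3 and 4."""
    findings = []
    if a.legal_basis not in LEGAL_BASES:
        findings.append(f"no valid legal basis (got {a.legal_basis!r})")
    if a.retention_days is None:
        findings.append("retention period not defined")
    if not a.accessible_by:
        findings.append("access list empty; mapping incomplete")
    elif "everyone" in a.accessible_by:   # constructed marker for unrestricted access
        findings.append("access not restricted to those who need it")
    if a.shared_with:
        findings.append("shared with " + ", ".join(a.shared_with) + "; disclose in policy")
    if a.sensitive and not a.encrypted_at_rest:
        findings.append("sensitive data stored without encryption at rest")
    return findings

def check_inventory(activities: list[Activity]) -> dict[str, list[str]]:
    # Map each activity name to its findings; activities with no findings are omitted.
    return {a.name: f for a in activities if (f := check_activity(a))}

# Constructed sample inventory (not real company data).
SAMPLE = [
    Activity("customer billing", "ERP", ["name", "CPF", "address"], ["finance"],
             legal_basis="contract", retention_days=1825),
    Activity("newsletter", "mailing tool", ["email"], ["marketing"],
             legal_basis="consent", shared_with=["email vendor"]),
    Activity("hr health records", "shared spreadsheet", ["name", "health"],
             ["everyone"], legal_basis="hr policy", sensitive=True),
]
```

Run `check_inventory(SAMPLE)` to get a dict of activity name to findings; the billing row passes, the other two list what still needs fixing.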
5. Appoint a DPO (Data Protection Officer)
The LGPD requires every company that processes data at scale to appoint a DPO (Data Protection Officer). For smaller companies, the DPO can be the owner, a designated employee or an outsourced specialized company. The DPO's name and contact details must be publicly available.
6. Prepare your data subject request process
Every data subject has rights guaranteed by the LGPD: access, correction, deletion, portability and consent withdrawal. Your company has up to 15 days to respond to requests. You need a contact channel (email, form) and an internal process to handle these requests.
7. Incident response plan
If a data breach occurs, the LGPD requires notification to the ANPD (National Data Protection Authority) and affected data subjects within a reasonable timeframe. You need a documented plan: how to detect, contain, investigate and communicate an incident.
Where to start?
If you are starting from scratch, the sequence is: data mapping → privacy policy → basic technical controls → DPO appointment → team training. You don't need to do everything at once — what matters is starting and documenting progress.
📋 The ANPD evaluates good faith and compliance effort. A company that has started the process and has documentation of its progress is treated very differently from one that ignored the law entirely.
How long does it take?
A basic LGPD compliance program takes 60 to 90 days with dedication. A full program, with all technical controls implemented and tested, can take 6 to 12 months depending on the complexity of the environment.
Infomek helps companies in Curitiba with LGPD technical compliance: data mapping, implementation of security controls, DLP, encryption and audit preparation. Contact us for a free diagnosis.
Need help applying this to your company?
Infomek has over 30 years of experience in infrastructure, security and corporate IT in Curitiba.