LGPD: How the Brazilian General Law of Data Protection can impact Your Business

In 2018, according to a national survey, 58% of Brazilians were not confident that the new General Data Protection Act (LGPD) would be able to protect their data.

According to experts, this distrust comes, among other things, from a lack of knowledge about the subject.

It is this topic that this article will help you reflect on.

Read on to understand what LGPD is and what impacts it could have on your business!

What is LGPD?

The General Data Protection Act (LGPD) can be summed up as a new law that requires public and private organizations to comply with security standards to prevent theft, leaks and illegal sales of digital and electronic information.

In practice, we are talking about Law 13709, August 14, 2018. It covers the processing of personal data, including digital media, by individuals and legal entities under public or private law. It was created mainly to protect the fundamental rights of freedom and privacy.

In general terms, here is what the LGPD provides to Brazilian citizens:

  • right of privacy: protection of personal data of Brazilian citizens; ensuring greater control over information, through transparent and safe practices, to guarantee fundamental rights and freedoms;
  • clear rules for companies: the collection, storage, processing and sharing of personal data by companies is governed by legal norms;
  • promotion of development: a legal basis for the economic and technological development of society, which is increasingly driven by data (digital transformation, in the case of companies);
  • consumer law: guarantee of free initiative, free competition and consumer/user protection;
  • strengthening trust: increasing society’s confidence in the collection and use of their data – which impacts, for example, the purchase and sale of products and services on the web (e-commerce);
  • legal certainty: increasing legal certainty as a whole in the use and processing of personal data.

Until the enactment of this law, Brazilian legal codes were somewhat vague regarding the protection of personal data and privacy, especially online. 

Companies in the Telecom market, for example, had no solid legislation on which to support their business models; they acted following international codes, as per national jurisprudence.

Likewise, the Brazilian state itself handled millions of items of personal and corporate data in a largely undisclosed way, without clearly showing how the information was treated.

Now, through the LGPD, there are clear guidelines in the form of the law.

It is also important to note that LGPD is not 100% defined. There is, at this time (April 2019), a parliamentary committee discussing changes to the law, along with how to regulate it.

According to the Senate’s website, “in addition to regulating the General Law of Protection of Personal Data, the text [the amendment in process] creates the National Authority for Data Protection (ANPD). The new body must regulate, interpret and monitor compliance with the general law and punish those who fail to comply.”

The relationship between LGPD and GDPR

What also needs to be highlighted is that the LGPD is part of an international movement for the regulation of data manipulation. 

Perhaps the most striking legislation in recent years is the General Data Protection Regulation (GDPR), which entered into force recently in the European Union (EU). 

Like the LGPD, the GDPR is a set of rules designed to give EU citizens more control over their data and to simplify the regulatory framework so that both citizens and businesses can fully benefit from the digital economy.

Looking at the corporate world, with the GDPR in place, organizations will not only have to ensure that personal data are collected legally and under strict conditions, but that they manage them in a way that protects them from misuse. 

GDPR applies to any company operating in the EU, as well as to any organizations outside the EU that offer goods or services to customers or companies in the region. 

GDPR distinguishes two types of data handlers: ‘processors’ and ‘controllers’. According to Article 4 of the GDPR, they are as follows:

  • controllers are “a person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data”; 
  • processors are “a person, public authority, agency or other body that processes personal data on behalf of the controller”.

This regulation has many similarities with the LGPD, although the latter is 100% focused on Brazilian citizens, residents, and companies that work here.

As in the GDPR, organizations that are not Brazilian but that act in Brazil (in person and/or virtually) must conform to LGPD.

The impacts of LGPD on companies

Below are the major impacts of LGPD on Brazilian or international companies operating in the country.

Scope of Law

The LGPD is quite broad. It includes data of all formats that identify or make a person identifiable. 

Also, all companies that process personal data in Brazilian territory, or the data of people located in it, must comply with the new rules, with few specific exceptions.

Need for a legal basis for data processing

Under the LGPD, a company needs a legal basis to handle a user’s data. The consent of the person needs to be well documented.

More user rights

Data holders, also called users, have greater control over their information – the purpose of collection and with whom it is shared, for example.

LGPD also guarantees that they may withdraw from providing their data at any time.

Regulatory authority

The National Data Protection Authority was vetoed by President Michel Temer at the time of sanctioning the LGPD. As we have already mentioned, there is a discussion in the Senate for the creation of an ANPD that conforms with the Constitution. 

As a result, companies have a body to report to when it comes to the collection, storage, use and other purposes of their customers’ data.


Penalties and sanctions depend on the gravity of the situation. 

If an infraction is proven, the responsible organization can receive anything from a warning to a fine equivalent to 2% of its billing, always limited to a maximum of R$ 50 million.

The benefits of LGPD to business

There are also advantages of LGPD for companies. Here are five benefits we have highlighted. 

1 - More legal certainty: LGPD mitigates doubts and makes the country's privacy rules clearer. It also places the Brazilian market alongside markets such as the European one;

2 - Customer relationship improvements: By following the LGPD, companies become more transparent with their customers. Thus, the relationship becomes closer and is supported by trust;

3 - Improved cybersecurity: With data privacy always on the agenda, it is possible to establish an even more conscious and secure workflow. Security updates on networks, servers and infrastructures are carried out with the certainty that there will be no sudden changes in legislation;

4 - Improved data management: To be compliant with the LGPD, you need to know exactly what confidential information the company has about people. Therefore, it is important to perform audits, better organize data storage and refine the data management processes;

5 - Increased marketing ROI: By eliminating irrelevant information that hinders marketing actions, such as lost leads or addresses that no longer exist, the database becomes more organized. Thus, marketing can adapt its messages more easily to the profile of the stakeholders. Consequently, Return on Investment (ROI) improves, and budgets and efforts are spent more wisely.

How to prepare for the LGPD

In addition to knowing what the LGPD is, companies need to start taking action to follow all the guidelines of the new legislation. 

Here are some tips to get your business ready.

Focus your business on the user

LGPD virtually forces organizations to focus more on users. This means creating resources, platforms and methods that give more transparency to transactions and the use of information from customers, suppliers and partners.

The user experience combined with information security needs to be strengthened. And that goes beyond implementing mechanisms. More and more people will have to be given the means to manage which data they want to share and which data they do not want to share.    

Update your IT strategy

To do this, you need to upgrade your information technology (IT) strategic planning. 

This is equivalent to acquiring more modern tools for capturing, analyzing, storing and processing data. It also concerns the insertion of new methods and new work routines for the technology team.  

Invest in market intelligence

Following the guidelines of the LGPD, businesses that want to take advantage of the new legislation should also invest in market intelligence. 

Business Intelligence Platforms, Business Analytics, and projects that employ methods such as Design Thinking, among others, are welcome when it comes to taking a more innovative approach to ensuring data privacy and updating the business model.

Seek expert help

Finally, as there are many variables to consider, and many businesses will need to make substantial modifications to a variety of processes, a good tip is to get help from a specialist consulting firm.

With technical, legal and strategic support, it is possible not only to adapt to comply with the LGPD but also to make it a leap forward for innovation and competitiveness. 

So, did you understand what the General Data Protection Law (LGPD) is? Contact us and see how we can help you adapt to GDPR!
