LGPD for companies in Brazil: 2026 compliance checklist
LGPD has been in force for 5 years and the ANPD continues to increase enforcement activity. Time to verify whether your company is genuinely compliant — or just has paperwork in a drawer.
Brazil’s General Data Protection Law (LGPD) entered into force in 2020 and the National Data Protection Authority (ANPD) has been progressively expanding its enforcement capacity. In 2025 and 2026, the focus has shifted to mid-sized companies that have not yet implemented effective technical controls — only formal documentation.
The problem is that many companies across Brazil — especially in Curitiba, São Paulo, and other major business hubs — went through a superficial compliance process: they hired a lawyer to draft policies, created a consent form on the website, and declared compliance. That is not enough. LGPD requires technical evidence that personal data is properly handled and protected.
Checklist 1 — Data mapping (ROPA). Does your company know exactly which personal data it collects, where it is stored, with whom it is shared, and for how long it is retained? The Record of Processing Activities (ROPA, required by Art. 37) must be up to date and accessible to the DPO.
Checklist 2 — Documented legal basis. Each processing operation must have an identified legal basis (consent, legitimate interest, contract execution, legal obligation, etc.). Employee data has different legal bases than customer data. Confusion on this point is one of the most common failures found during audits.
Checklist 3 — Technical controls in place. Documentation without technology is insufficient. Your company must have: encryption of sensitive data at rest and in transit, access control with least-privilege principle, auditable access logs, a backup process with defined RPO/RTO, and a data deletion mechanism upon data subject request.
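The following is an added illustration, not Connect+ code or part of the original article. It shows, in one small Python module, what "technical evidence" for Checklists 1 and 3 can look like: a ROPA-style inventory that ties each purpose to its legal basis and retention period, least-privilege reads checked against that inventory, a hash-chained audit log, data encrypted at rest, erasure on data subject request, and a retention job. Purposes, roles, record contents and the 32-byte key are constructed sample values; the CTR-style cipher built from HMAC-SHA256 is only there to show that plaintext never sits at rest, and a real deployment would use a vetted AEAD such as AES-GCM from a maintained library.

```python
"""Added example: personal-data store with the controls named in Checklists 1 and 3.
Inventory entries, roles and sample records are constructed for illustration."""
from __future__ import annotations
import hashlib, hmac, json, os, time, uuid

# ROPA-style processing inventory: each purpose maps to its documented legal
# basis, its retention period and the roles allowed to read the data.
INVENTORY = {
    "customer_billing": {"legal_basis": "contract_execution", "retention_days": 1825, "roles": {"finance"}},
    "hr_payroll":       {"legal_basis": "legal_obligation",   "retention_days": 3650, "roles": {"hr"}},
    "marketing":        {"legal_basis": "consent",            "retention_days": 365,  "roles": {"marketing"}},
}

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative CTR-style encryption from HMAC-SHA256 (same call encrypts and
    decrypts). Use a vetted AEAD (e.g. AES-GCM) in production; this only shows
    that records are never kept in plaintext at rest."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

class PersonalDataStore:
    def __init__(self, key: bytes):
        self._key = key
        self._records: dict[str, dict] = {}
        self.audit_log: list[dict] = []      # append-only, each entry hashes the previous one
        self._prev_hash = "0" * 64

    def _audit(self, action: str, actor: str, **details) -> None:
        entry = {"ts": time.time(), "action": action, "actor": actor, "prev": self._prev_hash, **details}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)

    def store(self, subject_id: str, purpose: str, data: dict, actor: str, now: float | None = None) -> str:
        # Refuse to process data for a purpose that has no documented legal basis.
        if purpose not in INVENTORY:
            raise ValueError(f"no legal basis documented for purpose {purpose!r}")
        rid, nonce = uuid.uuid4().hex, os.urandom(16)
        self._records[rid] = {"subject": subject_id, "purpose": purpose, "nonce": nonce,
                              "ct": _keystream_xor(self._key, nonce, json.dumps(data).encode()),
                              "created": now if now is not None else time.time()}
        self._audit("store", actor, record=rid, purpose=purpose, legal_basis=INVENTORY[purpose]["legal_basis"])
        return rid

    def read(self, rid: str, actor: str, role: str) -> dict:
        # Least privilege: only roles listed for the record's purpose may read it; denials are logged too.
        rec = self._records[rid]
        if role not in INVENTORY[rec["purpose"]]["roles"]:
            self._audit("read_denied", actor, record=rid, role=role)
            raise PermissionError(f"role {role!r} may not read {rec['purpose']} data")
        self._audit("read", actor, record=rid, role=role)
        return json.loads(_keystream_xor(self._key, rec["nonce"], rec["ct"]))

    def erase_subject(self, subject_id: str, actor: str) -> int:
        """Erasure on data subject request: drop every record for the subject,
        keep the audit trail as evidence that the request was honoured."""
        doomed = [rid for rid, r in self._records.items() if r["subject"] == subject_id]
        for rid in doomed:
            del self._records[rid]
        self._audit("erase_subject", actor, subject=subject_id, records_removed=len(doomed))
        return len(doomed)

    def purge_expired(self, now: float, actor: str = "retention-job") -> int:
        """Enforce the retention period documented in the inventory."""
        expired = [rid for rid, r in self._records.items()
                   if now - r["created"] > INVENTORY[r["purpose"]]["retention_days"] * 86400]
        for rid in expired:
            del self._records[rid]
        if expired:
            self._audit("purge_expired", actor, records_removed=len(expired))
        return len(expired)

    def record_count(self) -> int:
        return len(self._records)

def verify_audit_chain(log: list[dict]) -> bool:
    """Recompute the hash chain; any edited or removed entry breaks it."""
    prev = "0" * 64
    for e in log:
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("prev") != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True

def demo() -> dict:
    """Walk through store / denied read / allowed read / retention purge / erasure."""
    store = PersonalDataStore(key=os.urandom(32))
    t0 = 1_700_000_000.0
    r1 = store.store("subject-42", "customer_billing", {"name": "Ana", "cpf": "000.000.000-00"}, actor="erp", now=t0)
    store.store("subject-42", "marketing", {"email": "ana@example.invalid"}, actor="crm", now=t0)
    denied = False
    try:
        store.read(r1, actor="bob", role="marketing")     # marketing role has no access to billing data
    except PermissionError:
        denied = True
    billing = store.read(r1, actor="alice", role="finance")
    purged = store.purge_expired(now=t0 + 400 * 86400)    # marketing record is past its 365-day retention
    erased = store.erase_subject("subject-42", actor="dpo")
    return {"denied": denied, "name": billing["name"], "purged": purged, "erased": erased,
            "remaining": store.record_count(), "chain_ok": verify_audit_chain(store.audit_log),
            "actions": [e["action"] for e in store.audit_log]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the hash chain is that an auditor can re-run `verify_audit_chain` over an exported log and detect after-the-fact edits; the point of routing every read through the inventory is that the access rule and the ROPA are the same artefact, so the documentation cannot drift away from what the system enforces.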
Checklist 4 — Third-party management. If your company shares personal data with vendors — ERPs, email platforms, analytics tools, payment processors — you need Data Processing Agreements (DPAs) with each vendor, covering liability, purpose, and retention period.
Checklist 5 — Incident response plan. LGPD requires notification to the ANPD and affected data subjects in the event of a data breach. Does your company have a documented data incident response playbook? Do you know who notifies, within what timeframe, and how? In 2026, the absence of this plan is already considered a non-compliance finding.
Connect+ conducts full LGPD compliance assessments for companies in Curitiba, São Paulo and across Brazil, identifying technical and documentary gaps and implementing the required controls — with defined scope, timeline and cost from day one.
Enjoyed the content? We can make this happen for your company.