What is Brazil’s LGPD?
Brazil’s Lei Geral de Proteção de Dados Pessoais, also known as the LGPD, is a data protection law implemented on August 14, 2018, after years of debate and consultation. It was inspired by, and is broadly similar to, the European Union’s General Data Protection Regulation (GDPR). Enforcement of the LGPD began in August 2021, and the law requires companies to comply with strict requirements on the processing of personal data and sensitive personal data.
More than four years into enforcement, LGPD compliance remains a critical priority for organizations doing business in Brazil. According to Perforce Delphix’s 2025 State of Data Compliance and Security Report, 11% of organizations identify LGPD as a key compliance obligation for their non-production environments — a number that reflects Brazil's growing role in the global digital economy.
What is Personal Information?
The LGPD also defines what personal data or personal information is, similar to the GDPR’s own definition of personal data. The LGPD states that personal information or personal data can refer to any data that, either by itself or combined with other data, can identify a natural person or subject them to a particular treatment.
Does LGPD Apply to My Business?
Follow these guidelines regarding who LGPD applies to and who is exempt:
Who It Applies To
The LGPD applies to any public or private individual or company with personal data processing activities carried out in Brazil, including the collection of personal data, regardless of where the company is geographically located. Companies that offer or supply goods or services in Brazil must also comply with LGPD.
It is also important to note that LGPD does not just apply to data collected from Brazilian citizens. Any individual who has personal data collected while inside Brazil is also protected under LGPD.
Who is Exempt
LGPD does not apply to data processing by a person who is processing data for personal purposes, for journalistic, artistic, literary, or academic purposes, or for national security, national defense, public safety, or a criminal investigation.
LGPD Compliance: The Nine Rights
Article 18 of LGPD explains the nine fundamental rights that data subjects have under LGPD, including:
- The right to access the data
- The right to confirmation of the existence of the processing
- The right to correct incomplete, inaccurate, or out-of-date data
- The right to anonymize, block or delete unnecessary or excessive data or data not being processed in compliance with the LGPD
- The right to delete personal data processed with the consent of the data subject
- The right to the portability of data to another service or product provider, through an express request
- The right to information about public and private entities with which the controller has shared data
- The right to information about the possibility of denying consent and the consequences of such denial
- The right to revoke consent
The LGPD Compliance Challenge in 2025
Organizations subject to LGPD face the same compliance challenges affecting data protection worldwide. The 2025 State of Data Compliance and Security Report reveals concerning trends that directly impact LGPD compliance:
The Expanding Data Footprint
In the report, 95% of organizations report storing more sensitive data in non-production environments than the previous year — precisely where personal data covered by LGPD resides for development, testing, analytics, and AI purposes. This dramatically expands the compliance risk surface.
The Breach Reality
The same report found that 60% of organizations experienced data breaches or theft in non-production environments in the past year — an 11% increase from 2024. Under LGPD, these breaches trigger mandatory notification requirements to both the ANPD and affected data subjects, along with potential fines.
The Compliance Exception Problem
Despite the risks, 84% of organizations allow compliance exceptions in non-production environments. These exceptions create significant LGPD vulnerabilities. Personal data that should be anonymized remains exposed across development, testing, and analytics systems.
Universal Regulatory Exposure
100% of organizations have data subject to privacy regulations in non-production. For organizations operating in Brazil, this includes personal data protected under LGPD — names, addresses, financial information, and other identifiable data that flows through multiple copies of production databases.
LGPD for Business
Here is everything you need to know about your responsibilities as a business, as it pertains to the LGPD:
Obligations from Businesses
LGPD imposes the following obligations on businesses:
- Inform, correct, anonymize, delete, or provide a copy of the data if requested by the data subject
- Delete customer data after the relevant relationship terminates
- Appoint a data protection officer (DPO) responsible for receiving complaints and communications
- Adopt technical and administrative data security measures to protect personal data from unauthorized access, accidents, destruction, and loss
- Provide a data breach notification to both the data subjects and local authorities in case of a breach
Meeting these obligations at scale requires robust data protection infrastructure. The challenge intensifies when you consider that organizations typically maintain 7-10 copies of each production dataset across non-production environments — each one potentially containing personal data subject to LGPD.
Enforcement
Outgoing President Michel Temer signed an executive order on December 28, 2018, that officially created the ANPD, the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados in Portuguese). The authority fully enforces all aspects of the LGPD. It is technically independent of the Brazilian government, although it is tied directly to the office of the president.
Section 55(j) of Executive Order no. 869/18 establishes that the ANPD has the authority to, among other things:
- Issue rules and regulations regarding data protection and privacy;
- Within the administrative sphere, exclusively interpret the LGPD, including cases in which the law is silent;
- Request information regarding the processing of personal data from data processors and controllers;
- Exclusively oversee and impose administrative sanctions for violations of the LGPD;
- Promote data protection and privacy within the Brazilian society; and
- Develop studies regarding domestic and international data protection and privacy practices and establish partnerships with authorities from other countries to increase international cooperation.
Penalties
Under the Brazil LGPD (also known as LGPD Brasil), fines and penalties are not as punitive as under the GDPR. The maximum administrative sanction under the LGPD is 2% of the company’s revenue in Brazil, capped at $8.9 million per infraction, compared to 4% of global revenue or up to $23.8 million under the GDPR.
The financial penalties are just one aspect of non-compliance costs. Organizations must also consider operational disruption, reputational damage, and loss of customer trust. With 95% of respondents expressing at least moderate concern about data breaches in non-production (and 43% being "extremely concerned"), the anxiety about LGPD violations is at an all-time high.
How to Become LGPD Compliant
In order to be LGPD compliant, your business needs to create the position of Chief of Data Treatment, that is, the data protection officer (DPO) in charge of the data processing operation. Your DPO is responsible for accepting complaints and communications from data subjects and the national data protection authority, as well as guiding employees on good practices and performing other duties determined by the controller or outlined in complementary rules.
If a data breach occurs, the controller needs to provide a data breach notification to the National Data Protection Authority (ANPD) and the data subject in a reasonable time period if the breach is likely to cause risk or harm to the data subjects. Your breach notification notice should contain information about the data subjects involved, a description of the nature of the affected personal data, indication of the security measures used, the risks generated by the incident, the reasons for the delay of communication, if any, and the privacy protection measures that were or will be adopted.
Protecting Personal Data in Modern AI and Analytics Environments
LGPD compliance has become more complex with the rise of AI and analytics initiatives. Organizations now work with personal data across environments that weren’t common when LGPD was first enacted:
- 100% of organizations use sensitive data in analytics workflows — often developing reports and dashboards using Brazilian customer data.
- 90% work with sensitive data in AI environments — potentially training models on personal data protected by LGPD.
- 95% use personal data in software testing — exposing it in environments with typically weaker security controls.
The main challenge: 61% of organizations believe protecting data slows innovation, and 54% worry it degrades data quality. These perceived trade-offs drive the 84% who allow compliance exceptions. But modern automated solutions eliminate these trade-offs entirely, enabling both speed and LGPD compliance.
LGPD definition of what is not personal data, in Article 12:
“Anonymized data shall not be considered personal data, for purposes of this Law, except when the process of anonymization to which the data were submitted has been reversed, using exclusively its own means, or when it can be reversed applying reasonable efforts.”
If an organization irreversibly masks personal and sensitive data, the resulting anonymized data falls outside this definition, so its exposure in an accidental or malicious breach would not expose personal data.
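The Article 12 test turns on whether the anonymization can be reversed "using exclusively its own means". The following added example (not code from the page or from Delphix) contrasts a keyed pseudonym, which the key holder can still re-link, with random substitution whose lookup table is discarded, while keeping the masked CPF consistent across two tables so that joins still work. The tables, names and key are constructed for illustration.

```python
import hashlib, hmac, secrets

# Constructed sample data (not real people): a customer table and an order
# table that join on the CPF column, as production copies in dev/test would.
CUSTOMERS = [
    {"cpf": "123.456.789-09", "name": "Ana Souza", "city": "Recife"},
    {"cpf": "987.654.321-00", "name": "Bruno Lima", "city": "Curitiba"},
]
ORDERS = [
    {"order_id": 1, "cpf": "123.456.789-09", "amount": 150.00},
    {"order_id": 2, "cpf": "123.456.789-09", "amount": 80.50},
    {"order_id": 3, "cpf": "987.654.321-00", "amount": 42.00},
]

def pseudonymize_cpf(cpf: str, key: bytes) -> str:
    """Keyed HMAC pseudonym. Consistent across tables, but whoever holds `key`
    can re-link it, so under Article 12 this is still personal data."""
    return hmac.new(key, cpf.encode(), hashlib.sha256).hexdigest()

def can_reidentify(pseudonym: str, key: bytes, candidate_cpf: str) -> bool:
    """The controller's 'own means': with the key, a guessed CPF is confirmed."""
    return hmac.compare_digest(pseudonym, pseudonymize_cpf(candidate_cpf, key))

def random_cpf_like() -> str:
    """Random 11 digits in CPF layout (format only; no check-digit validity)."""
    d = "".join(str(secrets.randbelow(10)) for _ in range(11))
    return f"{d[:3]}.{d[3:6]}.{d[6:9]}-{d[9:]}"

def mask_dataset(customers: list, orders: list) -> tuple:
    """Irreversible masking: each real CPF is replaced by one random value in
    every table (referential integrity kept) and the lookup table lives only
    inside this call, so nothing retained can reverse the substitution."""
    mapping = {}
    def token(cpf: str) -> str:
        if cpf not in mapping:
            mapping[cpf] = random_cpf_like()
        return mapping[cpf]
    masked_customers = [
        {"cpf": token(c["cpf"]), "name": f"Cliente {i + 1}", "city": c["city"]}
        for i, c in enumerate(customers)
    ]
    masked_orders = [{**o, "cpf": token(o["cpf"])} for o in orders]
    mapping.clear()  # the only link back to the originals is discarded
    return masked_customers, masked_orders

def referential_integrity_ok(customers: list, orders: list) -> bool:
    """Every masked order still joins to exactly one masked customer."""
    keys = [c["cpf"] for c in customers]
    return len(keys) == len(set(keys)) and all(o["cpf"] in keys for o in orders)
```

Retaining the HMAC key (or the substitution mapping) is what keeps the data reversible by the controller's own means; the masked copy is only outside Article 12 once no such link is kept.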
If you want to learn more about compliance best practices, learn how Delphix provides an API-first data platform enabling teams to find and mask sensitive data for compliance with privacy regulations.
Achieve LGPD Compliance with Confidence
Ensure compliance with Brazil’s LGPD while safeguarding your business’s sensitive data with Delphix. Our advanced data masking technology ensures personal and sensitive data are anonymized, protecting against unauthorized access and potential breaches.
Simplify Compliance and Eliminate Risk
- Discover sensitive personal data, such as names and financial details, automatically across all 170+ supported data sources.
- Transform sensitive information into irreversibly anonymized data while maintaining referential integrity.
- Comply seamlessly with LGPD regulations, reducing liability and ensuring trust.
Protect Sensitive Data Across Your Organization
With Delphix, enterprises can automate the discovery and masking of sensitive data across their databases, delivering compliant, anonymized data to development, testing, analytics, and AI environments. Our platform ensures data security while maintaining the performance and functionality of your operations.
Get Ahead of LGPD with Delphix
Request a personalized demo today. Discover how Delphix can help your organization meet LGPD requirements, secure sensitive data, and minimize compliance risk — all while accelerating innovation.