Brazilian privacy, operationalized

Comply with Brazil's LGPD

Legal bases, data-subject rights, a data protection officer, and ANPD breach handling — implemented as living controls and mapped to GDPR for reuse.
Start free trialBook a demo

What is the LGPD?

The Lei Geral de Proteção de Dados (LGPD) is Brazil's general data protection law, in force since September 18, 2020. It closely mirrors the EU's GDPR: it sets out lawful bases for processing personal data, grants individuals a set of data-subject rights, distinguishes controllers and operators, and is enforced by Brazil's national data protection authority, the ANPD.

Who it applies to and the penalties

The LGPD reaches any organization that processes the personal data of people in Brazil or carries out processing in Brazil — including many companies based elsewhere that serve Brazilian customers. The ANPD can impose fines of up to 2% of a company's revenue in Brazil, capped at R$50 million per violation, alongside warnings, processing restrictions, and public disclosure.

How it relates to GDPR

Because the LGPD is so closely aligned with the GDPR, most of a GDPR program transfers directly — records of processing, DPIAs, rights workflows, and the data protection officer role all carry over. In a significant 2026 development, Brazil and the EU adopted mutual adequacy decisions, easing personal-data transfers between the two jurisdictions.

How episki helps

episki implements the LGPD as living controls: a legal-basis mapper for each processing activity, records of processing, a data-subject request workflow, the encarregado (DPO) role, international-transfer safeguards, and an ANPD breach-notification workflow — all cross-mapped to GDPR, CCPA, and PIPEDA so one privacy program serves every market.

LGPD outcomes with episki

Quantify the impact security and compliance brings to your business.
10 legal bases
Lawful-basis determination for every processing activity.
ANPD
Brazil's data protection authority — breach notification workflow built in.
GDPR mapped
LGPD aligns closely with GDPR, so privacy work is reused.

Why teams choose episki for LGPD

Framework-specific automation, collaboration, and reporting in one workspace.
Lawful processing
Determine and document a legal basis for each activity.
  • Ten LGPD legal bases supported
  • Records of processing maintained
  • Purpose and necessity documented
Rights and roles
Data-subject rights and the DPO role LGPD expects.
  • Data-subject request workflow
  • Data Protection Officer (encarregado) duties
  • Controller / operator role mapping
One privacy program
LGPD overlaps almost entirely with GDPR.
  • Crosswalk to GDPR articles
  • Reuse ROPA and DPIA work
  • Aligns with CCPA and PIPEDA

LGPD readiness inside episki

What an organization processing Brazilian personal data needs.

Plug episki into your stack and work directly from this checklist during the free trial.

  • Legal-basis determination per processing activity
  • Records of processing (ROPA)
  • Data-subject request workflow
  • Data Protection Officer (encarregado) designated
  • International-transfer safeguards
  • ANPD breach notification workflow
LGPD accelerators

LGPD accelerators

Stand up Brazilian privacy compliance and reuse it across regimes.
Legal-basis mapper
Assign and document a lawful basis for each processing activity.
DSAR workflow
Intake and fulfill data-subject requests within statutory timelines.
GDPR crosswalk
Reuse your GDPR records and DPIAs to satisfy the LGPD.

LGPD frequently asked questions

Other compliance frameworks

CCPA / CPRACIS ControlsCMMCCSA STARCyber EssentialsDORAEU AI ActFedRAMPFFIECGDPRGLBAHIPAAHITRUST CSFISO 22301ISO 27001ISO 27017ISO 27018ISO 27701ISO 42001NIS2NIST 800-171NIST 800-53NIST AI RMFNIST CSFNY DFS Part 500PCI DSSPIPEDAPOPIASOC 1 Type I/IISOC 2 Type I/IISOC 3SOXStateRAMPTISAX

Build an LGPD program in episki

Implement lawful bases and data-subject rights once and reuse your GDPR work.
Start free trialBook a walkthrough