Implementing the LGPD in Practice: What It Is and How Your Company Should Prepare

How the LGPD Works in Practice - stw brasil

How does the LGPD work in practice and why should your company adapt to the new Data Protection Law?

The LGPD represents an important milestone in the protection of privacy and personal data in Brazil.

Sanctioned in August 2018 by President Michel Temer, Law 3,709 faced strong reactions from the executive and legislative powers, and the deadline for compliance was extended until, in September 2020, a presidential decree set the second half of 2021 as the start date for supervision.

Above all, it is important to emphasize that the deadline for adapting to the new law is running out. However, there are still many doubts about the legislation among entrepreneurs.

It is worth reinforcing that from August 2021, companies that have not adapted to the law are subject to a fine of 2% of turnover up to a maximum of R$ 50 million – per infraction.

However, the sanctions provided for should not be the only motivation to comply with the LGPD. At a time when scandals of leaks and misuse of data are recurrent, acting to protect your customers’ information is an ethical issue that adds value to your business.

If you still have doubts about how the LGPD works in practice and how your company should prepare to comply with the legislation, read on. This article is for you!

What is the LGPD?

Later in this article we will talk more about how to implement the concepts of the LGPD in practice.

First, however, it is essential to understand what this new Data Security Law is and what it is all about.

The advancement of information technology around the world has allowed humanity to produce, store, and process data like never before.

Not surprisingly, top managers from different sectors have been describing information as the new “fuel” for companies, comparing its importance for business to that once held by oil.

One of the purposes of the LGPD is to bring transparency

Data is today one of the biggest assets of a company.

There is, however, a certain lack of transparency about how companies use this data, which was blatantly exposed in the Facebook – Cambridge Analytica case in 2018.

Cambridge Analytica captured user data from the social network with its applications, using the information collected without consent for use in political campaigns.

Furthermore, we cannot forget the mega data leaks, such as the one that occurred in Brazil and was disclosed at the beginning of 2021.

On that occasion, information from 223 million CPFs, including deceased people, was leaked.

As a result, this new reality has been driving the adoption, in different parts of the world, of measures aimed at protecting users' personal data and making companies' data processing more transparent.

General Data Protection Law in Brazil

The Brazilian LGPD comes in the wake of these events.

The General Data Protection Law regulates the processing of data in national territory, determining how companies should act in the collection, use, and disposal of information. It applies to businesses of any size and sector of activity, including self-employed professionals such as lawyers.

The law does not apply when data processing is:

  • Performed by a natural person for private and non-economic purposes;
  • For exclusively artistic, journalistic, or academic purposes;
  • For exclusive purposes of public security, national defense, state security, or activities of investigation and repression of criminal offenses.

In short, if your business processes data with the aim of obtaining financial gain, you need to adapt and understand how to apply the LGPD in practice.

Key concepts of the General Data Protection Law

To successfully apply the General Data Protection Law in your business, it is important to understand some key concepts that structure the legislation.

Personal data: information related to an identified or identifiable natural person.

Sensitive data: personal data that, if used improperly, can cause harm to the data subject.

Examples of sensitive data include racial or ethnic origin, religious belief, political opinion, sexual life, and genetic or biometric data.

Data Processing: any action performed with data, from collection to disposal.

Controller: the natural or legal person who decides “how” and “why” to process the data to fulfill the object of a contract.

Operator: the party that performs data processing following the controller’s instructions.

How to apply the LGPD in practice?

Analyze and study the principles of the legislation

The first step to applying the General Data Protection Law in your company is to study and understand the principles that govern the legislation.

Without this step, you run the risk of not making a full adaptation, leading to a waste of time, resources, and losses.

Therefore, knowing all the points of the LGPD that apply to your business, its basic principles, and how data capture and storage work is essential to developing an effective adaptation strategy.

Train and raise awareness among your team

Good management of change, whatever the change may be, necessarily involves training and raising awareness among the team.

After all, they are the ones who will work daily with data processing. If they do not know the principles to be adopted, or why following them matters, all your efforts tend to go down the drain.

Above all, it is worth remembering that, under the law, your company is responsible for errors made by your employees. Your employees are considered your representatives.

Map your data

Mapping the existing data within your business is a fundamental step to comply with the LGPD successfully.

You need to know all the personal data your company holds and how it is processed in every area of the company.

Remember that in contractual relationships with customers, suppliers, and employees, you are probably processing data.

In addition, know where your data is stored, for what purpose, and for how long you must store it.

Know the legal bases and their applications

The legal bases are the situations in which the law authorizes data processing.

In total, there are 10 legal bases. All data processing carried out by your company must be associated with some legal basis provided for in the LGPD.

An example of a legal basis is consent, i.e., when the data subject clearly agrees that a company may use their personal data for a specific purpose.

This is the case when your customer, for example, authorizes the use of their contact information to send offers and promotions. In this case, the contact information cannot be used for other purposes.

In other words, data processing activities that cannot be fitted to one of the legal bases must be discontinued.

Reinforce and disclose the security policy

The security policy is a vital step for the success of data protection.

It must be drawn up clearly and disclosed to the public so that everyone knows how their data is captured, how it is used, how long it is stored, and how it will be eliminated.

It is important that the security policy is always disclosed to the user when they provide their data, giving greater transparency in the use of the information – which is one of the main objectives of the General Data Protection Law.

Define a data protection officer

Your company must have a data protection officer responsible for acting as the bridge to data subjects, handling complaints and requests, providing clarifications, and taking measures.

The officer must guide employees on the practices to be adopted according to the legislation.

The identity and contact of this officer must be disclosed to the public.


The LGPD is an important milestone in the protection of personal data and privacy. The Law was sanctioned at a time when the world is discussing the use of data by companies.

It is very important that managers seek to understand the new law and adapt their business to it, or risk suffering sanctions.

The General Data Protection Law provides for a fine of 2% of turnover up to R$ 50 million for each infraction committed, in addition to financial and reputational losses.

Therefore, if your company has not yet started the process of adapting to the LGPD, don’t wait any longer! In August 2021, supervision begins to punish offenders.

Do you want to know more about how to apply the LGPD in practice and how to adapt your company to the new legislation?

Keep following our blog and stay tuned to our social networks to access more content about the General Data Protection Law.

See you next time!


