Skip to main content

Learn how the LGPD will impact your business

The new regulation requires a multidisciplinary approach to ensure the best information privacy management

See how we can support your company in this journey.

What is the Brazilian General Data Protection Act?


Inspired by the European regulation (General Data Protection Regulation - GDPR), the Brazilian General Data Protection Act (in Portuguese, LGPD, Lei Geral de Proteção de Dados) establishes rules on collecting, handling, storing and sharing of personal data managed by organizations. The legislation is part of the Brazilian context of progressive adaptation to the best global data management practices and it covers all companies that offer services or have operations involving data handling in Brazil.  

With the presidential approval, in August 2018, companies will have until 18 months to adjust to the new rules. Companies that violate the new law will be subject to the application of fines that can reach up to 2% of the organization's revenue, with a limit of R$50 million per violation.

In addition to securing individual rights, the LGPD aims to encourage the sustainable development of the economy and the businesses, based on the best international practices.

In addition to establishing new compliance standards, organizations can leverage the LGPD for obtaining a competitive advantage in the use of such data, with a correct planning and the application of good privacy practices.

Our solutions


Deloitte has a multidisciplinary team to provide integrated solutions and support organizations in adapting to the new legislation, as well as in the resolution of possible incidents.

See examples of how Deloitte can help your business to address this challenge:



The Deloitte Cyber from Risk Advisory area has developed a six-step program to support companies in structuring and implementing a robust compliance plan for the LGPD and the GDPR:

  • Strategy: determines the general approach for a privacy program, in synergy with the company’s reality;
  • Organization and responsibility: defines the structure that will deal with privacy issues as well as the roles and responsibilities of those involved;
  • Policy, process and data: ensures the effective protection, management and use of data, aligned with the company's strategy;
  • Communication, training and awareness: creating an internal communication campaign to ensure that employees know and follow the defined rules;
  • Privacy operations: inserts the subject in every project of the organization, through clear guidelines (privacy by design), as well as systems’ assessments following the Privacy Impact Assessment (PIA) method. It also covers guidelines for audit and researches on privacy certification seals;
  • Processing inventory: a key element in any privacy program, it is a mandatory requirement of the LGPD and the GDPR.

Six-step compliance plan for the LGPD



While cybersecurity acts in the prevention, the Deloitte Forensics front helps to reconstruct the facts and draw up effective measures in case of incidents in the digital environment, such as data leakage.


Computer forensic methodology

Read more about the Brazilian General Data Protection Act?