LGPD Compliance for Small Businesses: Practical Guide

LGPD Is Not Optional — Even for Small Businesses

Brazil’s Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018) applies to every organization that processes personal data of individuals in Brazil. There is no exemption based on company size.

Many small business owners assume LGPD is only for large corporations. This is wrong, and increasingly dangerous. ANPD (Autoridade Nacional de Proteção de Dados) has been actively enforcing since 2023, and small businesses are not exempt from investigations or penalties.

The good news: ANPD Resolution CD/ANPD No. 2 (January 2022) created simplified compliance requirements for small businesses and startups. You still need to comply, but the path is more manageable than what large enterprises face.

This guide walks you through practical, step-by-step LGPD compliance for a Brazilian SMB.

Understanding What LGPD Requires

Core Principles (Art. 6)

LGPD is built on ten principles. Every processing activity in your business must respect them:

1. Purpose (finalidade): Collect data only for specific, explicit, and legitimate purposes
2. Adequacy (adequação): Processing must be compatible with the stated purpose
3. Necessity (necessidade): Limit collection to the minimum necessary
4. Free access (livre acesso): Individuals must be able to access their data easily
5. Quality (qualidade): Keep data accurate, clear, and up to date
6. Transparency (transparência): Provide clear information about processing activities
7. Security (segurança): Implement technical and organizational measures to protect data
8. Prevention (prevenção): Adopt measures to prevent data incidents
9. Non-discrimination (não discriminação): Never use data for discriminatory purposes
10. Accountability (responsabilização): Demonstrate compliance measures

Legal Bases for Processing (Art. 7)

You need a legal basis for every type of personal data processing. The ten legal bases are:

Most relevant for SMBs:

• Consent: The individual explicitly agrees to the processing. Requires clear, specific, and documented consent that can be revoked.
• Legitimate interest: Processing is necessary for a legitimate business purpose that does not override the individual’s rights. The most flexible basis, but requires a legitimate interest assessment (LIA).
• Contract performance: Processing is necessary to fulfill a contract with the individual (e.g., processing customer data to deliver a purchased service).
• Legal or regulatory obligation: Processing is required by law (e.g., maintaining employee records per CLT, reporting to tax authorities).

Less commonly used by SMBs:

• Credit protection
• Public administration
• Health protection
• Research (by research bodies)
• Legal proceedings
• Life protection

Sensitive Personal Data (Art. 11)

Sensitive data has stricter requirements. This includes: racial or ethnic origin, religious beliefs, political opinion, union membership, health or sex life data, genetic or biometric data.

If your business processes any sensitive data (common in healthcare, HR, education), you need explicit consent or a specific legal basis.

Step-by-Step LGPD Implementation

Step 1: Data Mapping (Mapeamento de Dados)

Before you can protect data, you need to know what data you have, where it is, and how it flows.

For each department or process, document:

• What personal data is collected (name, CPF, email, address, financial data, etc.)
• How it is collected (forms, website, phone, in-person)
• Why it is collected (purpose)
• Legal basis for processing
• Where it is stored (systems, databases, physical files)
• Who has access (employees, vendors, partners)
• How long it is retained
• Whether it is shared with third parties Learn more about our financial strategy services.

Common data categories in SMBs:

• Customer data (contact info, purchase history, payment details)
• Employee data (personal info, payroll, health records, performance reviews)
• Supplier/vendor data (contact info, banking details)
• Marketing data (email lists, website analytics, social media)
• Financial data (invoices, payment records, tax information)

Create a spreadsheet with one row per data processing activity. This becomes the foundation of your ROPA.

Step 2: Privacy Policy and Notices

Every business needs a privacy policy. It must be:

• Written in clear, accessible Portuguese
• Easily accessible (prominently linked on your website, provided to employees and customers)
• Comprehensive but readable

Your privacy policy should include:

• Identity and contact information of the data controller (your company)
• Contact information of the DPO (Encarregado)
• Types of personal data collected
• Purposes for processing
• Legal bases for each processing activity
• Data sharing with third parties
• Data retention periods
• Individual rights and how to exercise them
• Security measures in place
• Cookie policy (if applicable)

Step 3: Consent Management

If you rely on consent as a legal basis for any processing activity:

Requirements for valid consent:

• Must be freely given (no coercion or bundling with unrelated services)
• Must be specific (for each purpose separately)
• Must be informed (the individual understands what they are consenting to)
• Must be unambiguous (clear affirmative action, not pre-checked boxes)
• Must be documented (you must prove consent was given)
• Must be revocable (individuals can withdraw consent at any time)

Practical implementation:

• Use clear opt-in checkboxes (never pre-checked) on forms
• Keep a consent log with timestamps, IP addresses, and the text shown
• Provide an easy way to withdraw consent (unsubscribe links, account settings)
• Review and refresh consent periodically for long-term processing

Step 4: Data Subject Rights (Art. 18)

Individuals have the right to:

1. Confirm whether their data is being processed
2. Access their data
3. Correct incomplete or inaccurate data
4. Anonymize, block, or delete unnecessary data
5. Transfer data to another provider (portability)
6. Delete data processed with consent
7. Know which entities their data was shared with
8. Know they can refuse consent and the consequences
9. Revoke consent

Implementation:

• Create a dedicated email address or form for data subject requests (e.g., [email protected])
• Define a response process with a maximum 15-day response time
• Train your team to recognize and route data subject requests
• Document all requests and responses

Step 5: Security Measures

LGPD requires “technical and organizational security measures” (Art. 46) but does not prescribe specific technologies. For SMBs, implement these baseline measures:

Technical measures:

• Strong password policies (minimum 12 characters, unique per system)
• Two-factor authentication on all critical systems
• Encryption of data at rest and in transit
• Regular software updates and security patches
• Antivirus and firewall protection
• Regular data backups with tested recovery procedures
• Access controls (principle of least privilege)

Organizational measures:

• Data protection training for all employees (at least annually)
• Clean desk policy for physical documents
• Visitor access controls
• Vendor security requirements in contracts
• Incident response procedures documented and tested
• Data retention and deletion schedules

Step 6: Appoint a DPO (Encarregado)

LGPD requires every data controller to appoint a DPO. For small businesses, ANPD Resolution No. 2 provides flexibility:

Options for SMBs:

• Internal DPO: Designate an existing employee with the appropriate knowledge. This is common but ensure they have adequate training and independence.
• Outsourced DPO: Hire an external professional or firm to serve as your DPO. Costs range from R$1,000-R$5,000/month depending on complexity.
• Shared DPO: Multiple small businesses share a DPO. Allowed under ANPD guidelines.

DPO responsibilities:

• Receive complaints and communications from data subjects and ANPD
• Provide guidance to employees on data protection
• Monitor compliance with LGPD and internal policies
• Serve as the point of contact for ANPD
• The DPO’s contact information must be publicly available

Step 7: Data Breach Response

You must have a documented data breach response plan. Here is a practical framework:

Detection and containment (0-4 hours):

• Identify the nature and scope of the breach
• Contain the incident (isolate affected systems, revoke compromised credentials)
• Assemble your incident response team

Assessment (4-24 hours):

• Determine what data was affected
• Assess the number of individuals impacted
• Evaluate the potential harm to data subjects
• Determine whether the breach is likely to result in “relevant risk or damage”

Notification (within 2 business days if risk is relevant):

• Notify ANPD with: description of the incident, types of data involved, number of affected individuals, technical and security measures taken, risks involved, and remediation measures
• Notify affected individuals with clear, accessible information

Remediation and documentation:

• Implement measures to prevent recurrence
• Document the entire incident, response, and lessons learned
• Update security measures and breach response plan as needed

ANPD Enforcement: What to Expect

ANPD has been increasingly active since receiving sanctioning powers in 2023.

Enforcement Actions Available to ANPD

1. Warning with deadline for corrective measures
2. Simple fine of up to 2% of private legal entity revenue (limited to R$50 million per violation)
3. Daily fine for ongoing violations
4. Publicization of the violation (reputational damage)
5. Blocking of personal data involved in the violation
6. Deletion of personal data involved in the violation
7. Partial suspension of database operations for up to 6 months
8. Suspension of processing activities for up to 6 months
9. Partial or total prohibition of processing activities

Small Business Considerations

Under ANPD Resolution No. 2, small businesses benefit from:

• Simplified compliance procedures
• Extended deadlines for responding to ANPD requests
• No mandatory ROPA (but strongly recommended)
• Simplified DPO requirements
• Preference for warnings and educational measures over fines in initial violations

However, these benefits do not apply if the small business:

• Processes data as its core business activity
• Processes sensitive data at scale
• Transfers data internationally as a primary activity

Vendor and Contract Management

Your LGPD compliance is only as strong as your weakest vendor. Every third party that processes personal data on your behalf is a data processor (operador) subject to LGPD.

Required Contract Provisions

All contracts with data processors must include:

• Scope of processing authorized
• Security measures required
• Obligation to assist with data subject requests
• Data return or deletion upon contract termination
• Audit rights
• Sub-processor notification and approval requirements
• Breach notification obligations

Key Vendors to Address

Prioritize LGPD contract updates with:

• Cloud service providers (hosting, storage)
• Payroll processors
• Marketing platforms (email, CRM, analytics)
• Payment processors
• IT support and maintenance providers
• HR and recruitment platforms
• Accounting firms

Building a Compliance Roadmap

Here is a realistic timeline for a Brazilian SMB to achieve baseline LGPD compliance:

Month 1: Data mapping, gap analysis, DPO appointment Month 2: Privacy policy creation, consent mechanism updates, employee training Month 3: Security measures implementation, vendor contract updates Month 4: Data subject rights procedures, breach response plan Ongoing: Regular audits, training refreshes, policy updates, incident monitoring

Total estimated cost for a 20-50 employee company: R$15,000-R$50,000 for initial implementation, plus R$2,000-R$8,000/month for ongoing maintenance (outsourced DPO, monitoring, and updates).

The investment is modest compared to the potential penalties and reputational damage of non-compliance. More importantly, good data practices build customer trust — a competitive advantage that pays for itself.

---

Need help implementing LGPD compliance in your business? Take our free assessment to identify your compliance gaps, or explore our regulatory compliance services for expert guidance through the implementation process.