Lei Geral de Proteção de Dados (LGPD)

Documentation Updated: 2025-03-09

Description

Lei Geral de Proteção de Dados

The Lei Geral de Proteção de Dados (LGPD) is Brazil’s comprehensive data protection law modeled after the EU’s GDPR. It establishes a legal framework for the processing of personal data, ensuring individual privacy and setting standards for transparency and accountability. The LGPD is fundamental for protecting personal information in Brazil and influencing global data protection practices.

Scope & Applicability

LGPD applies to any organization that processes personal data of individuals located in Brazil, regardless of where the organization is based.

  • Covered Entities: All public and private organizations processing personal data of Brazilian residents.
  • Data Types: Personal data in any format, including sensitive personal data such as health data, biometric data, and political opinions.
  • Key Exemptions: Irreversibly anonymized data, processing for purely personal or household purposes, and certain government or law enforcement operations.

Key Requirements

Organizations must establish a lawful basis for data processing, obtain explicit consent, and provide individuals with rights over their data:

  • Secure explicit, informed consent prior to data processing.
  • Grant rights to access, correct, and delete personal data.
  • Special Focus Areas:
    • Consent and Data Subject Rights: Ensure clear privacy notices and easy-to-use mechanisms for exercising rights.
    • Data Protection Measures: Implement robust security measures to protect against data breaches.
  • Additional Focus: Regularly conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

Impact on LLM/AI Deployments

For AI systems using Brazilian data, LGPD compliance requires integrating privacy safeguards:

  • Data Processing & Consent: Ensure AI models use personal data only with a valid legal basis and clear user consent.
  • Model Training Considerations: Apply anonymization and pseudonymization techniques to protect sensitive information.
  • Automated Decision-Making: Provide transparency and, where applicable, human oversight of AI decisions.
  • Security and Observability Considerations:
    • Access Controls: Limit access to personal data within AI systems.
    • Audit Trails: Keep detailed logs of data processing activities.
    • Regular Assessments: Periodically evaluate AI models for compliance with LGPD.
    • Incident Response: Develop a breach response plan specific to AI data flows.
    • Compliance Reviews: Schedule regular audits to verify ongoing adherence.

Enforcement & Penalties

LGPD is enforced by Brazil’s National Data Protection Authority (ANPD), which can impose significant fines for non-compliance.

  • Enforcement Body: ANPD.
  • Fines and Penalties:
    • Major Violations: Fines up to 2% of company revenue (capped at BRL 50 million per violation).
    • Lesser Violations: Administrative sanctions and public warnings.
  • Additional Enforcement Mechanisms: Corrective orders and mandatory compliance audits.
  • Operational Impacts: Breaches and non-compliance may disrupt operations and lead to reputational damage.

Resources & References