BIPI

LGPD for SaaS: What Brazil Expects in 2026

Compliance

ANPD enforcement matured fast between 2024 and 2026. If you handle Brazilian PII through a SaaS, the data mapping, DPO, and breach notification expectations are sharper than they were two years ago.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 16, 2024 · 7 min read

#lgpd #brazil #privacy

Brazil's Lei Geral de Proteção de Dados came into force in 2020 and spent its first three years in a soft enforcement phase while the Autoridade Nacional de Proteção de Dados built up. By the second half of 2024, ANPD started issuing fines that mattered, and 2025 saw the first decisions over R$10 million. We have advised four SaaS providers on LGPD readiness through this transition. The bar has moved from box-checking to evidence.

Data mapping is the artifact regulators demand

Article 37 requires controllers to maintain a record of personal data processing activities. ANPD has issued guidance clarifying what this looks like in practice, and it is more than a Google Sheet. The expected artifact is a Relatório de Impacto à Proteção de Dados Pessoais, which is closer to a DPIA than a simple ROPA.

For a SaaS handling Brazilian customer data, the data map needs to cover legal basis per processing purpose, retention periods tied to those purposes, international transfer mechanisms, and the security measures applied. We helped a logistics SaaS build this in 2025 across 47 distinct processing activities. The exercise took 11 weeks and uncovered three legacy data flows nobody had documented since 2019.

DPO requirements: nuance ANPD added

Article 41 requires controllers to appoint a DPO, but the original law was vague on who qualifies and which controllers are exempt. ANPD's resolutions clarified two things. First, small businesses processing low-risk data can appoint a designated employee instead of a full DPO. Second, the DPO must be reachable through publicly disclosed contact information and must respond to data subject requests within established timelines.

If you are a non-Brazilian SaaS with Brazilian customers, you need a DPO accessible to Brazilian data subjects. Time zone is not a defence. We worked with a US analytics platform that was sending data subject responses 14 days after the request because the DPO was based in Pacific time and only checked the LGPD inbox weekly. ANPD opened an inquiry after a single complaint. The fix was a Brazilian DPO contractor on a 48-hour SLA.

  • 2% of revenue, capped at R$50M, is the maximum LGPD fine
  • 15 days is the typical ANPD response window for data subject requests
  • 72 hours for breach notification once impact is confirmed
  • R$10M+ in fines issued by ANPD in 2025 across multiple sectors

Breach notification: the structure ANPD wants

Article 48 requires controllers to communicate security incidents to ANPD and affected data subjects. The framework is similar to GDPR but the format is different. ANPD published a specific template that asks for the nature of the incident, the categories and approximate number of data subjects, the technical and organisational measures, and the mitigation actions taken.

The 72-hour clock starts when the controller becomes aware of the incident with sufficient confidence to assess impact. That is more permissive than GDPR's awareness standard. In practice we still recommend running both clocks against the same trigger; you do not want to argue jurisdictional clock differences during an active incident.

International transfer mechanisms

LGPD allows international transfers under several mechanisms: adequacy decisions, contractual safeguards, binding corporate rules, and explicit consent. ANPD's resolutions in 2024 published model contractual clauses that mirror the EU SCCs in structure. If your transfer impact assessment was built on EU SCCs, the Brazilian work is mostly translation, not redesign.

Engineering checklist for a SaaS with Brazilian customers

  • Identify which of your processing activities involve Brazilian data subjects, even if your servers are not in Brazil
  • Build a Portuguese-language privacy policy and data subject request portal
  • Appoint a DPO with Brazilian contact details and a defined response SLA
  • Sign updated DPAs with subprocessors using LGPD-aware language
  • Document your transfer mechanism and a transfer impact assessment for Brazilian data leaving the country
  • Train your incident response team on the 72-hour ANPD notification format

The companies that struggled with LGPD enforcement in 2025 had two things in common: they treated it as a copy of GDPR and they assumed ANPD lacked teeth. ANPD has matured. The companies that built LGPD as its own program with Brazilian-specific decisions have closed deals with regulated Brazilian buyers that competitors lost. Treat it like a market in its own right and the compliance work pays for itself.
