LGPD for Small Businesses: Brazil Data Protection Compliance Guide
The LGPD (Lei Geral de Proteção de Dados — Law 13.709/2018) is Brazil’s comprehensive data protection law, often compared to the European GDPR. It applies to every company that processes personal data in Brazil, regardless of size. However, small businesses benefit from simplified compliance rules that make implementation manageable without a dedicated legal team.
What Is the LGPD?
The LGPD regulates how companies collect, store, process, and share personal data of individuals (data subjects) in Brazil. It applies to:
- Any company processing data of individuals located in Brazil
- Any company processing data collected in Brazil
- Any company offering goods or services to individuals in Brazil
Key Definitions
| Term | Definition |
|---|---|
| Personal data | Any information that identifies or can identify a person (name, CPF, email, IP address) |
| Sensitive data | Data about health, religion, ethnicity, political opinion, biometrics, sexual orientation |
| Data subject (titular) | The individual whose data is being processed |
| Controller (controlador) | The entity that decides how data is processed |
| Processor (operador) | The entity that processes data on behalf of the controller |
| DPO (encarregado) | Person responsible for data protection compliance |
Simplified Treatment for Small Businesses
ANPD (Autoridade Nacional de Proteção de Dados) Resolution CD/ANPD 2/2022 established simplified LGPD compliance rules for:
- MEIs (Microempreendedores Individuais)
- MEs (Microempresas) — revenue up to R$ 360,000/year
- EPPs (Empresas de Pequeno Porte) — revenue up to R$ 4.8 million/year
- Startups (as defined by the Legal Framework for Startups)
What Simplified Treatment Means
| Requirement | Standard companies | Small businesses |
|---|---|---|
| Data Protection Officer (DPO) | Mandatory, named individual | Not mandatory (but recommended) |
| Records of processing activities | Detailed documentation | Simplified format accepted |
| Security incident response | Formal incident response plan | Simplified procedures accepted |
| Data Protection Impact Assessment | Full DPIA when required | Simplified assessment accepted |
| Communication with ANPD | Standard procedures | Doubled response deadlines |
Important: Simplified treatment does NOT exempt small businesses from LGPD compliance. It only reduces the complexity of the required measures.
Essential LGPD Compliance Steps
Step 1: Map Your Data
Identify all personal data your company collects and processes:
| Data category | Common examples | Where stored |
|---|---|---|
| Client data | Name, CPF, email, phone, address | CRM, spreadsheets, email |
| Employee data | Name, CPF, salary, health data | Payroll system, eSocial |
| Supplier data | Contact name, CNPJ, bank details | Accounting system |
| Website visitors | IP address, cookies, browsing data | Analytics, server logs |
| Marketing contacts | Email, name, preferences | Email marketing platform |
Step 2: Define Legal Bases
Every data processing activity must rest on a legal basis. The LGPD provides ten legal bases; the ones small businesses rely on most often are:
| Legal basis | Common use |
|---|---|
| Consent | Marketing emails, newsletters |
| Contract performance | Delivering a service to a client |
| Legal obligation | Tax filings, eSocial, labor records |
| Legitimate interest | Fraud prevention, security |
| Credit protection | Credit analysis, debt collection |
| Public administration | Government contracts |
Step 3: Update Privacy Documents
Create or update these essential documents:
- Privacy Policy: Published on your website, explaining what data you collect and why
- Cookie Policy: If your website uses cookies or tracking technologies
- Data Processing Records: Internal document listing all processing activities
- Consent forms: For data collection that requires explicit consent
Step 4: Implement Security Measures
| Measure | Implementation |
|---|---|
| Access control | Limit data access to employees who need it |
| Password policies | Strong passwords, two-factor authentication |
| Data encryption | Encrypt sensitive data in transit and at rest |
| Backup procedures | Regular backups with secure storage |
| Employee training | Basic data protection awareness for all staff |
| Vendor assessment | Verify that service providers comply with LGPD |
Step 5: Establish Data Subject Rights Procedures
Individuals have the right to:
- Access their data held by your company
- Correct inaccurate data
- Delete data (when consent is the legal basis)
- Port data to another provider
- Revoke consent at any time
- Be informed about who you share their data with
Create a simple process (even an email address) for receiving and responding to these requests. Small businesses have doubled deadlines for responses under simplified treatment.
Penalties for Non-Compliance
| Penalty type | Amount |
|---|---|
| Warning | With deadline for corrective measures |
| Simple fine | Up to 2% of revenue (limited to R$ 50 million per infraction) |
| Daily fine | Accumulates until the violation is corrected |
| Public disclosure | Publication of the infraction once it has been confirmed |
| Data blocking | Prohibition on using the affected data |
| Data deletion | Mandatory deletion of improperly collected data |
The ANPD has been progressively stepping up enforcement. Small businesses are not exempt from penalties, although eligibility for the simplified treatment framework is considered a mitigating factor.
Common Mistakes Small Businesses Make
- Assuming LGPD does not apply because the company is small
- Collecting more data than needed — only collect what you actually use
- No privacy policy on the company website
- Sharing client data with partners without legal basis or notification
- No response process for data subject rights requests
- Ignoring vendor compliance — your data processor’s violations can affect you
SedeFiscal and LGPD
SedeFiscal processes client data (company name, CNPJ, partner information, correspondence) as part of its virtual office services. This processing is based on contract performance and legal obligation. SedeFiscal maintains its own LGPD compliance measures to protect client data, and the data processing relationship is governed by the service agreement.
When setting up your own company’s LGPD compliance, remember that your fiscal address provider is one of your data processors — ensure the relationship is properly documented.
LGPD compliance is not a one-time project. It is an ongoing process of maintaining proper data handling practices. Start with the essentials, and build your compliance program as your business grows.
Need a fiscal address for your company in Brazil?
Plans starting at R$ 19.90/month with mail management included.