Lei Geral de Proteção de Dados
Fines up to 2% of Brazilian revenue and public disclosure of infractions make LGPD non-compliance a direct commercial and reputational liability for management.
The Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law, establishing a legal framework for the processing of personal data in Brazil. Enforced by the Autoridade Nacional de Proteção de Dados (ANPD), it introduces data protection principles, data subject rights, and obligations for controllers and processors.
The LGPD recognises ten legal bases for data processing (compared to GDPR's six), including consent, legitimate interest, and protection of credit. The ANPD has been progressively issuing detailed regulations, including dosimetry guidelines for calculating administrative sanctions.
For Microsoft 365 environments, LGPD compliance requires Purview sensitivity labels for data classification, DLP policies for processing restrictions, retention labels enforcing storage limitation, and data residency controls for cross-border transfer management. StremarControl engineers and operates these Microsoft-native controls, translating LGPD obligations into enforceable configuration, structured evidence, and an ongoing assurance discipline suited to ANPD compliance reporting.
Why This Matters Now
The LGPD is Brazil's comprehensive data protection law, modelled on the EU GDPR and applicable to any organisation processing personal data of individuals in Brazil. It requires DPO appointment, consent management, and strict cross-border transfer controls. For M365 environments, compliance demands Purview data classification, DLP policies, retention labels aligned with LGPD principles, and data residency controls. Brazil's LGPD impacts any multinational with operations or customers in Latin America's largest economy.
Framework Metadata
Scope & Applicability
Applies to any natural or legal person processing personal data in Brazil, offering goods or services to individuals in Brazil, or processing data of individuals located in Brazil. The law has extraterritorial reach similar to GDPR. Exemptions apply for purely personal purposes, journalistic/artistic/academic purposes, public safety, and national defence. M365 tenants processing Brazilian personal data must implement LGPD-compliant controls.
Core Obligations
Legal Basis for Processing
Process personal data only on one of ten legal bases: consent, legitimate interest, contract, legal obligation, research, exercise of rights, life protection, health protection, credit protection, or public policy.
Data Protection Officer
Appoint a Data Protection Officer (Encarregado) responsible for receiving complaints, providing guidance, and liaising with the ANPD.
Data Subject Rights
Provide data subjects with rights of confirmation, access, correction, anonymisation, portability, deletion, information about sharing, and consent revocation.
International Data Transfers
Transfer personal data internationally only to countries with adequate protection, with standard contractual clauses, or with specific consent.
Security Measures
Implement technical and administrative security measures to protect personal data from unauthorised access, destruction, loss, alteration, or disclosure.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Security Measures
Controls: Conditional Access with MFA and risk-based policies. Intune device compliance. Defender XDR for threat protection. Purview sensitivity labels for classification.
Evidence: Conditional Access logs, Intune reports, Defender analytics, label usage reports.
Data Subject Rights
Controls: Purview eDiscovery for access and portability requests. Content Search for data subject identification. Retention labels for deletion requests.
Evidence: DSAR completion logs, eDiscovery exports, retention disposition records.
International Data Transfers
Controls: Purview DLP with geo-fencing for cross-border transfer controls. Data residency configuration for Brazilian data. Conditional Access named locations.
Evidence: DLP cross-border incident logs, data residency reports, geo-restriction configuration exports.
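As an added example (not code from this page or from StremarControl), the following Security & Compliance PowerShell provisions two of the controls named in the mapping above: a retention policy that enforces storage limitation and a DLP rule that restricts external sharing of Brazilian CPF numbers, started in test mode so incident reports accumulate as evidence before enforcement. The policy names, the five-year retention period and the tenant-wide scope are assumptions.

```powershell
# Added example: provisions two LGPD-aligned Purview controls.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
# Policy names, the 5-year retention period and the tenant-wide scope are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell (Purview)

# 1. Storage limitation: delete content 5 years after it was last modified.
$retentionPolicy = "LGPD-StorageLimitation"
New-RetentionCompliancePolicy -Name $retentionPolicy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "LGPD-Delete-After-5y" -Policy $retentionPolicy `
    -RetentionDuration 1825 `
    -RetentionComplianceAction Delete `
    -ExpirationDateOption ModificationAgeInDays

# 2. Processing restriction: block sharing of CPF numbers outside the organisation.
#    TestWithNotifications logs matches and warns users without blocking yet,
#    which produces the incident-report evidence before the rule is enforced.
$dlpPolicy = "LGPD-CPF-NoExternalSharing"
New-DlpCompliancePolicy -Name $dlpPolicy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications
New-DlpComplianceRule -Name "Block-CPF-External" -Policy $dlpPolicy `
    -ContentContainsSensitiveInformation @{ Name = "Brazil CPF Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# 3. Evidence: read back the configuration for the compliance evidence pack.
Get-DlpCompliancePolicy -Identity $dlpPolicy | Select-Object Name, Mode
Get-DlpComplianceRule -Policy $dlpPolicy | Select-Object Name, Disabled
Get-RetentionComplianceRule -Policy $retentionPolicy |
    Select-Object Name, RetentionDuration, RetentionComplianceAction

# Once the incident reports show no false positives, switch the DLP policy to enforcement:
# Set-DlpCompliancePolicy -Identity $dlpPolicy -Mode Enable
```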
Ready to get Brazil LGPD-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against Brazil LGPD requirements, close gaps, and produce audit-ready evidence.