Does LGPD Require DPIA? (The Correct Answer)

does lgpd require dpia

Does LGPD require DPIA? This is a common question nowadays, with data privacy laws like the LGPD being enforced by all businesses that handle Brazilian resident data.

Yes, under certain circumstances, the LGPD does require a Data Protection Impact Assessment (DPIA). The Brazilian Data Protection Authority (ANDP) determines which processes require a DPIA, and they may request that your business conduct a DPIA.

This article will dive into whether LGPD requires DPIAs, what DPIAs should include, and the benefits and drawbacks of conducting a DPIA under LGPD.

Let’s dig in.

Key Takeaways

  • A DPIA is required by Brazil's national data protection authority when requested. It is also recommended to complete DPIA when there is a risk to customer privacy.
  • Conducting a DPIA requires careful detailing of types and methods of data collection along with risk mitigation steps taken by the business.
  • A well-conducted DPIA boosts customer trust and ensures corporate compliance - benefits that ultimately outweigh drawbacks such as time consumption or complexity involved in the process.

What is the LGPD?

The General Data Protection Law, or Lei Geral de Proteção de Dados (LGPD), is Brazil's latest legislation on data privacy and protection. Comparable with the European Union’s GDPR, LGPD came into effect on September 18th, 2020.

The law establishes detailed rules for the collection, use, processing, and storage of personal information in Brazil, impacting both private and public sectors.

Enforcement of this comprehensive regulation falls under the National Authority for Data Protection or Autoridade Nacional de Proteção de Dados (ANPD), a new Brazilian government agency responsible for ensuring businesses comply with the Brazilian LGPD.

The LGPD plays a crucial role in safeguarding data subject rights to their data. With the prevalence of digital technology, ensuring that personal information is handled safely and responsibly has become more critical than ever before.

The law holds businesses accountable for how they collect, store, use, share, or manage an individual’s personal information, which increases data subject trust.

What is a DPIA?

A Data Protection Impact Assessment (DPIA) is like a privacy risk assessment for your company's personal data practices. A DPIA checks how safe and private data is by seeing if there are any potential risks.

The DPIA is often conducted by either an in-house data protection officers or an outsourced compliance service like Captain Compliance.

The whole point of this assessment process is to make sure our actions involving other people's information don't harm their privacy or data subject rights.

Here's what happens during a DPIA - Firstly, you need to understand why you're collecting someone else’s info and what exactly will be done with that data.

Then comes identifying potential risks these individuals may face if things go wrong at any stage in handling the collected details. After recognizing those threats, suitable steps should be taken to manage the situation effectively.

Regularly doing a DPIA is like taking regular visits to the doctor- both ensure health, but in this case, it's the health of personal data handling.

By making DPIAs a part of your routine practices, you can make sure you are on top of any potential risks and avoid causing harm to people through mishandling private information.

Does LGPD Require DPIA?

The Lei Geral de Proteção de Dados (LGPD) establishes mandates regarding the processing of personal information.

Colin Levy, an award-winning attorney and author of "The Legal Tech Ecosystem," says:

"The LGPD does not explicitly mandate DPIAs in the same way as the GDPR. However, the LGPD encourages good data protection practices and risk assessments, which may include conducting DPIAs or similar assessments."

Although the LGPD does not explicitly mandate DPIAs, Article 38 of the law gives discretionary powers to Brazil's national data protection authority (ANPD) to request controllers to conduct a DPIA in certain circumstances.

Levy states that:

"The National Data Protection Authority in Brazil (ANPD) may provide further guidance on when such assessments are advisable or required under the LGPD."

Are There Exemptions to the LGPD DPIA?

As far as the LGPD is concerned, there are exemptions to various obligations under certain circumstances.

However, it's important to note that these exceptions do not explicitly apply or pertain only to data protection impact assessments (DPIA) but rather concern the general processing of personal data.

Article 4 of the LGPD exempts these purposes:

  • Processing for private, non-economic reasons.
  • Processing exclusively for journalistic, artistic, or academic purposes. This particular case refers to Articles 7 and 11 of LGPD, which discuss personal data processing conditions such as consent requirements, among other points.
  • The law is not applied when the purpose serves public security interests, national defense, state security, or investigation/prosecution of criminal offenses.

These are general exemptions in terms of application of the entire law (including DPIAs), but again, they're contingent upon certain circumstances and should be treated with care considering potential repercussions.

When Should a Business Conduct a DPIA?

Under the provisions of LGPD, there are no specific guidelines talking about when a business should conduct a DPIA.

However, there are standard practices for data management in other jurisdictions. GDPR compliance will require DPIAs under certain circumstances. These circumstances include high-risk data processing for data subjects.

It's typically good practice to carry out a DPIA anytime you plan to introduce new technologies or processes that could lead to high risks regarding the data subject rights and freedoms of your customers (the data subject).

For instance, initiating systematic monitoring activities on a large scale would likely need the completion of a DPIA. Similarly, processing sensitive personal categories like health information or any type of sensitive data with large volumes should involve a DPIA.

Furthermore, under Article 38 provisions of LGPD, businesses should prepare themselves with DPIAs whenever ANPD requests it.

What to Include in a LGPD DPIA?

When undertaking a DPIA in accordance with Brazilian law, it is critical for businesses to understand the structure and contents of the DPIA. Here’s how to craft a DPIA under LGPD according to Article 38 of the LGPD:

Description of Data Types Collected

This section should detail all types of personal information collected by your business operations, including any sensitive categories handled, like health records or financial details, among others.

Methodology Used for Collection and Assurance of Information Security

In this section, the controller should explain how data is collected and what methods are employed to ensure information security. This could involve explaining encryption techniques used or other measures taken by a company's IT department.

Controller’s Analysis of Measures, Safeguards, And Risk Mitigation Mechanisms Adopted

This part of the report should describe what steps have been taken to mitigate risks and protect personal data privacy. It outlines specific protocols, tools, or strategies that are deployed in your business operations.

Here, you should also provide an analysis of how potential threats have been recognized and addressed with privacy risk mitigation measures - essentially, a detailed overview of preventative procedures for further maximizing data security.

Additional Addons

To further enhance a DPIA's effectiveness, consider including some additional elements:

Data Flow Analysis

This can be useful to map out exactly how data flows through your business. This includes where data comes from, who has access to it at each stage of processing, and finally, where and how it gets stored.

Roles & Responsibilities

Have clarity on everyone’s responsibility toward the personal information processed by clearly defining roles within the organization responsible for managing personal data. For example, the data protection officer could be in charge of the DPIA.

Data Breach Response

Include a template or strategy detailing how your organization would respond to any potential data breaches, including the sequence of steps taken and who can be contacted in such events.

By providing these additional details alongside what's specifically mentioned under LGPD’s Article 38 provisions, you will put together a compliant and effective DPIA, ensuring data privacy while minimizing the risk associated with handling personal information.

Benefits of Conducting a DPIA under the LGPD?

A DPIA under the LGPD provides companies with a strategic tool to analyze, identify, and minimize risks associated with data processing activities. It also promotes greater trust among customers about how their personal information is managed.

Risk Identification & Management

Firstly, a DPIA helps you recognize and manage the risks of your data processing activities. By conducting this assessment regularly or when introducing new technologies or processes, you anticipate problems before they happen.

Compliance with Regulations

The DPIA is a systematic way to ensure LGPD compliance and compliance with any other relevant data protection laws. This not only means avoiding possible fines or penalties but also demonstrating that you are serious about protecting personal data.


Conducting a DPIA often leads to building greater trust with your customers. When they know that you are proactive about their data privacy, it strengthens the relationship between consumers and the company.

Transparency and Accountability

A DPIA can showcase transparency in your data processing activities. It tells stakeholders that you are not merely collecting and using data without considering the privacy impact it brings to people.

Costing Savings

DPIAs can help avoid potential breaches and help comply with the privacy law, which often saves money for businesses.

These cost savings typically include LGPD fines, legal fees, reputational damage, and diminished data subject trust - all of which could significantly impact a business financially.

Legal Defense

In any potential legal dispute or issue related to personal data protection, having a DPIA report could serve as proof that your company is committed to the best practices of personal data handling.

Overall, conducting a DPIA under LGPD can bring these benefits and more while supporting your business operations and maintaining respect for privacy rights.

What are the Drawbacks of Conducting a DPIA under the LGPD?

While DPIAs offer significant benefits, they are not without potential drawbacks. Going through a full-blown data protection impact assessment process can be daunting for some businesses, especially if done manually or without the help of Captain Compliance.

Time Consuming & Resource Intensive

Conducting a thorough DPIA under the LGPD requires time and resources, which might pose challenges to businesses that lack these crucial elements.

It's no small task – there’s detailed information gathering involved, risk assessments needed, and documentation, all needing plenty of time to do.


The process of conducting a DPIA can often get complex as it involves an in-depth understanding and interpretation of guidelines such as those under the LGPD.

So, complexity is definitely something for businesses without specialized knowledge to consider if they’re thinking about undertaking a manual DPIA.

Lack of Expertise

The absence of personal data protection knowledge and legal expertise in a business can be a major drawback in conducting accurate and effective DPIAs. Luckily, Captain Compliance offers vast experience, making up for any expertise you might lack.

Ongoing Maintenance

Conducting one DPIA isn’t where it ends. Continuous monitoring is needed, which would require ongoing time commitment as well as resources to keep updated with changes either internally (within your company) or externally (like updates to the LGPD).

How Can Captain Compliance Help?

Developing an effective, compliant DPIA can be daunting, especially when considering its potential drawbacks, such as complexity or time intensity.

This task can be really difficult for businesses with no privacy team or data protection officer who is well-versed in the technical know-how of the LGPD.

That's where Captain Compliance comes in. With a dedicated team of experts who specialize in offering LGPD compliance services, you can feel confident that your DPIA will meet all LGPD requirements.

Get in touch with us today for a free consultation!


How Does the LGPD differ from the GDPR in DPIAs?

While both the LGPD and GDPR share many similarities concerning data protection principles, they differ significantly in their approach to DPIAs.

The GDPR, which governs data privacy within the European Union, explicitly requires DPIAs for processing operations that could result in a high risk to data subject rights and freedoms. The law also lays out specific criteria when a DPIA is mandatory.

On the other hand, under LGPD, no concrete provisions demand businesses conduct a DPIA at any particular point or reason unless prompted by ANPD based on respective assessments of whether certain processing activities might pose risks.

Want to know how the GDPR and LGPD differ? Click here to find out!

Does the LGPD require DPIAs to be completed at all times?

No, the LGPD doesn't require DPIAs to be completed at all times. However, under Article 38 of this law, the ANPD may prompt controllers to prepare a DPIA depending on their data processing operations.

Look at what DPIAs are supposed to look like here. See examples of DPIAs.

What is sensitive personal data under the LGPD?

Sensitive data under the LGPD is information that could result in discrimination or harm if released.

This includes racial and ethnic origin, religious beliefs, political opinions, health status or medical treatment information, genetic data, and biometric data, among other things.

Want to learn more about sensitive personal information? Click here to find out.

What happens if I don't comply with the LGPD?

Non-compliance with the LGPD can lead to serious consequences such as fines, which may amount to 2% of a business’s revenue or up to 50 million Brazilian reals per violation.

Additionally, there are other sanctions that you may incur depending on the severity of the violation.

Want to avoid these fines for good? Contact us today, and we’ll show you how.