Brazil's General Data Protection Law (LGPD) has been in effect since 2020. The National Data Protection Authority (ANPD) is already enforcing sanctions. Yet most Brazilian companies still treat data protection as a one-off legal project: they hired a law firm, published a privacy policy, appointed a DPO, and considered the matter settled.
The problem is that the LGPD does not just require documents. It requires processes. Processes with deadlines, owners, records, and traceability. When the ANPD comes knocking — or when a data subject exercises their rights — a polished privacy policy on the website is not enough. You need to demonstrate that the organization operates in compliance with the law on a daily basis.
This article describes five processes every company needs for LGPD compliance. For each, it explains what the law requires, what most companies do (or fail to do), and how to structure the process with stages, deadlines, and an audit trail.
1. Data subject request handling
What the law requires
Article 18 of the LGPD grants data subjects a series of rights: confirmation of processing, data access, correction, anonymization, portability, and deletion, among others. The company must respond within a reasonable timeframe — the ANPD has signaled 15 days as the reference.
What most companies do
In practice, many companies lack a clear channel for receiving these requests. When a data subject emails asking for deletion, the message reaches customer support, gets forwarded to legal, then to IT, who cannot determine which systems contain that person's data. Weeks pass without a response.
How to structure the process
Data subject request handling needs to be a formal process with defined stages:
1. Receipt and triage — Requests enter through a single channel. Classification by type of right exercised. Clock starts.
2. Identity verification — Confirm the requester is the actual data subject.
3. Data mapping — Locate all systems and databases storing the subject's data.
4. Execution — Perform the requested action (deletion, correction, export). Document what was done in each system.
5. Response — Formally communicate the result within the deadline.
6. Record and archive — Maintain complete evidence for audit purposes.
In CaseFy, this process becomes a template with sequential stages. Each request becomes a case with fields for right type, subject data, and systems involved. The timeline logs every action automatically. Automations alert when the response deadline is approaching.
2. Consent management
What the law requires
Consent is one of the legal bases under the LGPD (Article 7, item I). When a company collects data based on consent, it must prove the subject consented freely, informedly, and unambiguously. The subject can revoke consent at any time.
What most companies do
Most companies collect consent through checkboxes on web forms. The problem is not collection — it is management. Where is the record that a specific subject consented? On what date? For what purpose? If revoked, when and how was it processed?
How to structure the process
Consent management must cover the full lifecycle:
1. Collection — Record consent with date, time, specific purpose, and method used.
2. Centralized storage — Maintain a single, searchable record of all collected consents.
3. Validity monitoring — Consents may expire. Identify when they need renewal.
4. Revocation — When revoked, process across all systems using that data. Record the date and impact.
5. Audit — Generate reports demonstrating the legal basis for each data processing activity.
In CaseFy, each consent can be tracked as an individual case or grouped by subject. Custom fields record purpose, expiration date, and status.
3. Security incident response
What the law requires
Article 48 requires the controller to notify the ANPD and affected data subjects of security incidents that may cause relevant risk or harm. The notification should be made within a reasonable timeframe — the ANPD recommends 72 hours — and must contain specific information.
What most companies do
Most companies have no data incident response process. When a breach occurs, IT tries to contain the technical problem. Legal is notified days later. No one knows exactly which data was affected. The ANPD notification, when it happens, is late and incomplete.
How to structure the process
Incident response must be an operational process, not a shelf document:
1. Detection and logging — Register the incident immediately: date, time, how and by whom it was detected.
2. Classification — Assess severity: which data was affected, how many subjects, what potential risk.
3. Containment — Technical actions to stop the incident. Document each measure.
4. Impact analysis — Determine whether the incident requires ANPD and subject notification.
5. Communication — If required, prepare and send notifications with all legally required information.
6. Remediation — Implement fixes to prevent recurrence. Document lessons learned.
7. Closure — Final report with complete incident timeline.
The 72-hour deadline leaves no room for improvisation. In CaseFy, the incident response template defines stages, required fields, and deadline automations. When an incident is logged, the clock starts and the system automatically notifies those responsible for each stage.
4. Data Protection Impact Assessment (DPIA)
What the law requires
Article 38 provides that the ANPD may require a Data Protection Impact Assessment. In practice, a DPIA is recommended whenever processing may create high risk to data subjects: sensitive data, automated decisions, large-scale monitoring, or children's data.
What most companies do
Most companies do not prepare DPIAs. Those that do typically produce a single document that quickly becomes outdated. Data processing changes — new systems are adopted, new purposes arise — but the DPIA remains unchanged.
How to structure the process
A DPIA is not a document — it is a process with a lifecycle:
1. Needs identification — Map which processing activities require a DPIA.
2. Data gathering — Collect information about the processing: data involved, purpose, legal basis, systems, third-party sharing.
3. Risk analysis — Identify risks to data subjects and classify by likelihood and impact.
4. Mitigation measures — Define technical and organizational controls for each identified risk.
5. Review and approval — DPO and managers review the report. Record approvals.
6. Monitoring and updates — Define review frequency. Update when processing changes.
In CaseFy, each DPIA becomes a case with versioned documents, risk classification fields, and periodic review tasks. The timeline records every update, review, and approval.
5. Vendor and data processor management
What the law requires
Article 39 establishes that the processor must follow the controller's instructions. In practice, this means the company shares responsibility for what its vendors do with shared personal data.
What most companies do
Most companies hire vendors without assessing their data protection practices. Contracts may contain a generic confidentiality clause but no specific LGPD obligations: security measures, incident notification deadlines, audit rights, or data disposition at contract end.
How to structure the process
Vendor management under LGPD involves:
1. Inventory — Map all vendors that receive, access, or process personal data. Classify by volume and sensitivity.
2. Risk assessment — For each vendor, assess security practices, privacy policies, certifications, and incident history.
3. Contractual adequacy — Ensure contracts contain specific clauses: security obligations, incident notification duty, audit rights, data disposition at termination.
4. Periodic due diligence — Reassess vendors periodically.
5. Vendor incident management — When a vendor reports an incident, the response process must be triggered.
6. Offboarding — When the contract ends, ensure the vendor deletes or returns the data. Document confirmation.
In CaseFy, each vendor can be managed as a case with stages reflecting the relationship lifecycle: assessment, contracting, monitoring, and termination.
The common denominator: processes with an audit trail
All five processes share something: the LGPD does not just ask companies to do the right thing. It asks them to prove they did. That means recording every decision, timestamping every action, and identifying who executed each step.
CaseFy is a process orchestration platform. It is not an LGPD-specific tool. But the capabilities it offers — configurable templates, stages with deadlines, custom fields, versioned documents, audit timelines, automations, and external forms — are exactly what these processes demand.