Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Though in its seventh year of existence, Brazil's General Data Protection Law continues to face severe implementation challenges.
Unlike the EU's trajectory, marked by more than five decades of regulatory evolution and cultural consolidation around privacy, Brazil's scenario remains permeated by regulatory, structural, organizational and cultural barriers. The situation is even more delicate in the public sector, where there is a consolidated history of low investment in technological infrastructure and in technical training in privacy and information security, at the municipal, state and federal levels alike.
The LGPD was enacted 14 Aug. 2018, while its entry into force — and therefore the possibility of effective enforcement and legal accountability — began in August 2020. Since then, the actions of Brazil's National Data Protection Authority in relation to public entities have assumed a predominantly pedagogical character and remained limited in scope.
This situation is aggravated by the structural limitations of the ANPD, which has a small technical and administrative staff for its scope. In this institutional vacuum, the courts of auditors — both state and federal — have played a more incisive and direct role in monitoring and holding government entities accountable, assuming greater prominence than the ANPD itself.
Brazil has recently undergone a significant change in its privacy and data protection system through Provisional Measure No. 1.317/2025, which transformed the National Data Protection Authority into the National Data Protection Agency. This new status grants the agency autonomy from oversight or hierarchical subordination, ensuring functional, decision-making, administrative, and financial independence, as well as fixed-term appointments and leadership stability. With this institutional shift, the agency is expected to gain greater robustness and growth, enhancing its capacity to carry out both supervisory and preventive functions more effectively.
Between 2023 and 2025, the Courts of Auditors of Minas Gerais, Bahia and Paraná conducted audits of public entities under their jurisdiction to assess their level of compliance with the LGPD, finding maturity levels far below requirements and issuing recommendations such as the appointment of data protection officers, data mapping, risk management, preparation of records of processing activities and data protection impact assessments, and the implementation of information security measures.
The Federal Court of Auditors audited 387 federal agencies and entities through questionnaires addressing nine LGPD elements — preparation, organizational context, leadership, training, processing compliance, data subject rights, data sharing, data breaches and protection measures.
Thus, the ANPD has had a more visible role in the analysis and judgment of complaints and proceedings already initiated, while the traditional oversight bodies consolidate their function of preventive and corrective supervision. With the ANPD's recent transformation into a regulatory agency, greater structural and budgetary robustness is expected, with increased staff and technical resources and enhanced operational independence, thereby enabling the full performance of its preventive and repressive functions.
Additionally, in Brazilian public administration, privacy and data protection are still not a political and administrative priority. Despite growing incidents of large-scale personal data breaches, especially in the last five years, the issue continues to be relegated to the background on the agenda of municipal, state and federal leaders.
Data from the Center for Prevention, Treatment and Response to Government Cyber Incidents illustrates the scale of the problem. Reported data breaches rose from 233 in 2021 to 7,476 in 2024, representing an increase of more than 3,000%. This situation highlights not only the lack of governance in privacy and information security but also the absence of a strategic vision capable of integrating data protection as a pillar of institutional trust, administrative efficiency and respect for citizens' fundamental rights.
This public inertia produces a striking result. Despite being subject to the law since its inception, the Brazilian public sector has failed to implement LGPD standards. In a 2023 analysis by the Rio de Janeiro State Court of Accounts, only one of 91 municipalities reached an intermediate level of maturity. Seventy-four, or 81%, were rated as having insignificant compliance. This finding is echoed by the ANPD, which, among its first eight sanctioning procedures, issued seven against public entities.
A concrete example of public sector liability under the LGPD can be found in a 2021 ruling by the São Paulo Court of Appeals. In that case, a municipality had made a citizen's HIV status publicly accessible on its website, merely requiring the insertion of a tax identification number and birthdate.
The court held the municipality strictly liable under Article 37, Section 6 of the Federal Constitution, awarding moral damages based on the public exposure of sensitive health data. The judgment referenced both the LGPD and the broader constitutional framework protecting personality rights, reinforcing the nonnegotiable obligation of public entities to ensure adequate safeguards over sensitive personal data.
This public sector inertia is a clear contradiction to what the legislature mandates, as reflected in Articles 23 to 32 of the LGPD, which establish specific obligations for public entities such as the appointment of DPOs, the creation of privacy governance programs, policies and notices, data mapping and record-keeping, and structured communication with data subjects and the ANPD.
Moreover, the right to data protection was recognized in 2022 as a fundamental right under Brazil's Federal Constitution, revealing a clear objective within the Brazilian legal framework: just like life, security and freedom, privacy and data protection must be safeguarded as a natural and inherent right of all individuals.
From mapping to governance: A practical framework for the public sector
The implementation of governance programs faces specific barriers in Brazil's public sector, primarily the absence of in-house personnel with specialized technical training in privacy and data protection, as pointed out in the report of Working Group No. 06 of the National Council for the Protection of Personal Data.
The LGPD contains a dedicated chapter of rules applied to the public sector, with mandatory requirements for all Brazilian public bodies. This is not without reason, since the amount and sensitivity of personal data in public databases are much greater than in the private sector. For instance, municipal administrations — where health data like medical records are held, in addition to the educational data of children and adolescents — require much denser protection, as any violation or data leak can cause serious harm to the individual and infringe on their fundamental rights.
Thus, the compliance process must begin with internal regulations and a complete inventory and mapping of personal data, analysis of its flow, identification of vulnerabilities, and risk management. It extends to the creation and revision of documents, training and awareness of DPOs and staff, and the establishment of clear governance structures.
While rooted in the LGPD, these multidisciplinary tasks extend beyond the law and must be developed through structured, strategic programs, often supported by data governance software. This is especially true in the public sector, where the main infrastructure for storing personal data is often outdated or precarious.
Therefore, LGPD compliance cannot be limited to digital personal data alone. Physical documents also require strict control, especially when access must be restricted or anonymization is necessary. Digital and physical copies alike must be secured and their use aligned with legal purpose, necessity and adequacy.
This reality reinforces the need to understand compliance as a continuous and integrated process.
Assessment. The assessment phase identifies gaps in privacy programs in relation to best practices, internal regulations and applicable legal standards. It involves the evaluation of policies, structures and technological resources, as well as the specific privacy governance framework of the institution.
Protection. Protection includes practices across the entire data life cycle — from collection to disposal — covering both privacy and information security. This phase emphasizes preventive practices: establishing appropriate technical and administrative safeguards to mitigate risks, defining security standards, and ensuring lawful data processing.
Maintenance. Maintenance ensures the continuity of privacy management through monitoring, auditing and regular communication of management frameworks. It includes updating documentation, refining risk registers, and adjusting procedures to reflect organizational changes and regulatory updates.
Response. Response includes developing and executing incident response plans, fulfilling legal obligations, managing data subject requests, and reporting to the ANPD. The goal is to minimize institutional risks and strengthen public confidence through transparency and accountability.
The multidisciplinary nature of compliance
Privacy and data protection compliance is not the exclusive domain of legal teams. At least three core pillars must be aligned: information security, legal affairs and process management.
Organizations commonly make the mistake of believing that drafting or reviewing privacy-related documents — such as privacy policies, codes or terms of use — is sufficient. The LGPD, however, dedicates Articles 46 to 51 to the establishment of a Privacy Governance Program, requiring the adoption of security measures and best practices.
Creating a data protection impact assessment, under Article 38, demands technical knowledge related to information security and technology. The ISO/IEC 27000 family of standards is essential in this context. Only with technical expertise in information technology is it possible to manage vulnerabilities in both physical and digital environments and to analyze and implement appropriate risk mitigation methods.
Many data breaches stem from technical vulnerabilities, such as missing or outdated firewalls, lack of antivirus or antimalware software, absence of access controls like encryption or multifactor authentication, and precarious or non-existent data backups. Such incidents are not prevented by documents alone. Effective security demands specialized work and investment in hardware and software tailored to institutional needs.
Final considerations
The LGPD does not differentiate between public entities based on size. Every municipality, regardless of population or technical capacity, must designate a DPO, regulate data collection and sharing, adopt security measures and be prepared to demonstrate compliance at any time.
Public institutions must act not only in accordance with the law, but with the competence and responsibility that data protection demands.
Failure to implement an effective privacy governance program exposes public entities to administrative sanctions, reputational damage and civil liability. The absence of fines does not eliminate the risks.
Compliance is not a formality — it is a legal and moral imperative. Only through coordinated efforts among legal, security, and operational teams can institutions deliver the level of protection citizens are entitled to in a democratic society.
Adilson Braga, CDPO/BR, CIPM, is privacy and cybersecurity director at NEOGOV Technology and business development at Privacy Evolved.