LGPD for SMBs: a practical 90-day compliance checklist
A realistic action plan for small and medium-sized businesses that have not yet complied with Brazil's General Data Protection Law. No legal jargon, no six-figure consulting fees.

In 2025, the ANPD (Brazil's National Data Protection Authority) started issuing fines to SMBs in earnest. Until then, the authority had focused on large technology and telecom companies. Today, clinics, agencies, e-commerce stores, and professional services firms are all on the radar.
If your company processes data belonging to patients, customers, or employees, ignoring LGPD is a financial risk you do not need to take. The good news: achieving compliance is simpler than it looks, as long as you follow a systematic plan.
This is a practical 90-day checklist, tested across more than 40 client companies, designed to bring you to a minimum level of legal adherence.
Month 1: Diagnosis and mapping
Weeks 1-2: Data inventory
Answer the following questions, with supporting evidence:
- What personal data do we collect? (national ID numbers such as CPF and RG, names, email addresses, phone numbers, physical addresses, health data, financial data). Note that health data is classed as sensitive data under LGPD and is subject to stricter rules.
- Whose data? (customers, employees, leads, suppliers)
- Where is this data stored? (Google Drive, local spreadsheets, CRM, proprietary systems, email)
- Who has access? (list of people and their permission levels, including shared accounts, contractors, and former employees whose access was never revoked)
This mapping is the foundation of everything. Without it, nothing else makes sense.
Weeks 3-4: Legal basis
For each category of data collected, document the legal basis that authorizes its processing:
- Consent (the customer explicitly opted in, for a specific purpose; under LGPD consent must be free, informed, and unambiguous)
- Contract performance (data required to deliver the service)
- Legitimate interest (commercial prospecting, fraud analysis). This basis is not available for sensitive data such as health records, which must rely on one of the narrower bases listed in Art. 11
- Compliance with a legal obligation (tax and labor records)
The ANPD will ask "why do you hold this data?" and you need a clear answer ready.
Month 2: Documentation and processes
Weeks 5-6: Privacy policy
Your privacy policy must include, at a minimum:
- What data you collect and why
- With whom you share it (list of third-party processors)
- How long you retain it
- How data subjects exercise their rights (access, correction, deletion, portability)
- Contact information for the DPO (data protection officer, the "encarregado" in LGPD terminology)
Publish it on your website with a link in the footer of every page. And, a critical point: make sure it accurately reflects what you actually do in your operations.
Weeks 7-8: Data subject request channel
You need a channel (email or form) through which data subjects can request access to, correction of, or deletion of their data. LGPD (Art. 19) sets a 15-day deadline for a complete response to an access request, counted from the date of the request.
Create a dedicated address (for example, dpo@yourcompany.com or privacy@yourcompany.com) and document the internal process for handling requests. That process must include verifying the requester's identity before anything is disclosed or deleted: a channel that hands over a customer's data to anyone who types in their email address is itself a data leak.
Month 3: Infrastructure and training
Weeks 9-10: Technical security
- Encryption in transit (HTTPS across the entire website and all systems)
- Encryption at rest (sensitive data encrypted in the database)
- Access control (each person sees only what they need, following the principle of least privilege)
- Access logs (who accessed what and when)
- Regular backups (at least daily, with restoration tests)
For small operations, a platform such as Supabase or AWS already provides the building blocks (TLS, encrypted storage, identity and access management, audit logging, managed backups), but none of it counts until you configure it: restrict who can read which tables, turn logging on and keep the logs, and actually run a restore from backup instead of assuming it works.
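As an added example (not code from this checklist, from Supabase, or from AWS), the following standard-library Python sketch shows the two items on the list above that are usually implemented in your own application rather than by the platform: least-privilege field access and an access log that records who read what and when. It also handles the edge case a deletion request runs into when a legal retention duty applies. The role table, the customer records, the CPF values, and the log pepper are all constructed assumptions; encryption at rest is left to the platform (disk or database encryption) and is not shown here.

```python
"""
Least-privilege field access with an audit trail and retention-aware erasure.
Added example for this checklist; standard library only. Roles, records and
the log pepper below are assumptions, not values from any real system.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


class AccessDenied(PermissionError):
    """Raised when a role asks for a field it is not allowed to read."""


# Assumed role -> readable fields. Anything not listed is denied (least privilege).
FIELD_PERMISSIONS = {
    "support": {"name", "email"},
    "finance": {"name", "cpf", "billing_address"},
    "clinical": {"name", "health_notes"},
    "dpo": {"name", "email"},  # the encarregado handles data subject requests
}

# Constructed sample records; the CPF values are fictitious.
CUSTOMERS = {
    "c-1001": {"name": "Ana Souza", "email": "ana@example.com", "cpf": "123.456.789-09",
               "billing_address": "Rua Exemplo, 10", "health_notes": "allergy: penicillin",
               "legal_hold": None},
    "c-1002": {"name": "Bruno Lima", "email": "bruno@example.com", "cpf": "987.654.321-00",
               "billing_address": "Av. Modelo, 200", "health_notes": "",
               # Assumed retention duty (e.g. tax records); LGPD Art. 16 I allows keeping it.
               "legal_hold": "invoice records, tax retention period"},
}

# Assumed secret for pseudonymizing identifiers in the log; load it from a vault in production.
LOG_PEPPER = b"replace-with-a-secret-from-your-secret-store"

AUDIT_LOG = []  # in production: append-only storage the application cannot rewrite


def pseudonym(value: str) -> str:
    """Keyed hash so log entries can be correlated without storing the identifier itself."""
    return hmac.new(LOG_PEPPER, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def _audit(actor: str, role: str, action: str, target: str, fields, outcome: str) -> None:
    """Record who did what, to which record, and when. Field names only, never values."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "action": action,
        "target": target, "fields": sorted(fields), "outcome": outcome,
    })


def read_fields(actor: str, role: str, record_id: str, fields) -> dict:
    """Return only the requested fields, and only if the role may see all of them."""
    requested = set(fields)
    denied = requested - FIELD_PERMISSIONS.get(role, set())
    if denied:
        _audit(actor, role, "read", record_id, requested, "denied")
        raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
    record = CUSTOMERS[record_id]
    _audit(actor, role, "read", record_id, requested, "ok")
    return {f: record[f] for f in requested}


def lookup_by_email(actor: str, role: str, email: str):
    """Find the record behind a data subject request; the log gets a pseudonym, not the email."""
    match = next((rid for rid, r in CUSTOMERS.items() if r["email"] == email), None)
    _audit(actor, role, "lookup", "email:" + pseudonym(email), [], "ok" if match else "not_found")
    return match


def erase_record(actor: str, role: str, record_id: str) -> bool:
    """Honour a deletion request unless a documented legal retention duty blocks it."""
    if role != "dpo":
        _audit(actor, role, "erase", record_id, [], "denied")
        raise AccessDenied("only the dpo role may erase records")
    hold = CUSTOMERS[record_id]["legal_hold"]
    if hold:
        _audit(actor, role, "erase", record_id, [], "blocked:" + hold)
        return False
    del CUSTOMERS[record_id]
    _audit(actor, role, "erase", record_id, [], "ok")
    return True


def export_audit_log() -> str:
    """One JSON object per line, ready to ship to whatever log store you retain."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in AUDIT_LOG)


if __name__ == "__main__":
    print(read_fields("alice", "support", "c-1001", ["name", "email"]))
    try:
        read_fields("alice", "support", "c-1001", ["cpf"])
    except AccessDenied as exc:
        print("denied:", exc)
    rid = lookup_by_email("dpo-bot", "dpo", "ana@example.com")
    print("erased:", erase_record("dpo-bot", "dpo", rid))
    print("blocked:", erase_record("dpo-bot", "dpo", "c-1002"))
    print(export_audit_log())
```

Two design choices matter more than the code itself. The log stores record identifiers and field names but never field values, and lookups by email are logged as a keyed hash, so the access log does not become a second copy of the personal data you are trying to protect. And erasure checks for a documented retention duty before deleting, because a deletion request does not override a legal obligation to keep, for example, tax records; the blocked outcome is logged so you can show the ANPD why the record still exists.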
Weeks 11-12: Team training
Every employee who handles personal data needs basic training covering:
- What LGPD is and why it matters
- How to identify personal data
- What to do in the event of an incident (breach, data loss)
- How to report data subject requests
A formal course is not required. A one-hour meeting per quarter plus an internal reference document already provides substantial protection. Keep the attendance list and the date of each session: if the ANPD asks whether staff were trained, a record is the only acceptable answer.
What the ANPD actually audits
In order of priority, based on public enforcement cases:
- Absent or outdated privacy policy, an easy fine to issue, and very common
- Undocumented consent (a generic opt-in checkbox in the footer does not qualify; LGPD requires consent that is free, informed, unambiguous, and tied to a specific purpose, which rules out pre-ticked boxes and bundled agreements)
- Failure to respond to data subjects within the 15-day deadline
- Sharing data with third parties without disclosure
- Security incidents not reported to the ANPD (LGPD Art. 48 requires notification of incidents that may cause relevant risk or damage to data subjects; ANPD Resolution 15/2024 sets the deadline at three business days from the moment the controller becomes aware)
Points 1 through 4 are resolved through documentation and process. Point 5 is the hardest, because you can only report an incident you have detected: it depends on the access logs, monitoring, and response procedure from month 3 actually being in place.
Tools that help
You can handle all of this with spreadsheets, Google Docs, and email; many companies start exactly that way. As you grow, an integrated tool becomes worthwhile.
The Compliance Analyzer in the marketplace performs this diagnosis in 40 minutes, identifies the gaps, and generates a prioritized action plan with assigned owners, deadlines, and effort estimates. Included in the Pro plan.
Conclusion
LGPD is not as daunting as it sounds, but it does require discipline. The worst scenario is ignoring it until a notice arrives. At that point you are responding on the deadline the notice sets, and without preparation, it becomes chaos.
Starting now, with a well-executed 90-day plan, resolves 80% of your regulatory risk. The remaining 20% consists of fine-tuning that you carry out over time.
Contact us if you need help assessing where you stand. The first 30 companies to register in 2026 will receive the Compliance Analyzer diagnosis at no charge.