
LGPD Compliance Checklist.

Six operational areas that PE-backed companies must address to achieve defensible LGPD compliance. Not a checkbox exercise. A prioritized remediation framework.

Compliance checklists are only useful when they reflect how regulators actually evaluate companies. ANPD's enforcement approach focuses on documented evidence of compliance, not declarations of intent. What follows is organized around the six operational areas where we see the widest gaps between stated compliance and actual practice in PE-backed companies operating in Brazil.

1. Legal Basis Documentation

Every processing activity must be mapped to one of the ten legal bases in LGPD Article 7 (or Article 11 for sensitive data). This is not a single document. It is a living register that connects specific data categories, processing purposes, and legal justifications. The register must be granular enough to withstand ANPD audit. "We process customer data for marketing purposes based on legitimate interest" is not granular enough.

The operational requirement is a Record of Processing Activities (ROPA) that includes: the category of personal data, the category of data subjects, the specific purpose of processing, the legal basis, the retention period, the recipients of the data, and the transfer mechanisms for any cross-border flow. Each entry must be maintained and updated as processing activities change.

For PE-backed companies post-close, the first 90 days should include a complete ROPA build or validation. This is the foundation document that every other compliance activity depends on. Without it, the company cannot demonstrate compliance with any LGPD requirement, because it cannot demonstrate that it knows what data it processes or why.

2. Data Subject Rights Infrastructure

LGPD Articles 17-22 grant data subjects a set of rights: confirmation of processing, access to data, correction, anonymization or deletion, portability, information about sharing with third parties, information about consent denial consequences, and revocation of consent. The company must have documented processes for receiving, verifying, and fulfilling these requests within the timeframes ANPD specifies.

What we see consistently is that companies have a privacy@ email address and nothing else. No ticketing system. No identity verification process. No documented workflow for fulfilling deletion requests across the data estate. No mechanism for confirming that deletion was completed in all systems, including third-party processors.

Field observation: A PE-backed SaaS company received its first LGPD data access request and discovered it could not fulfill it. Customer data existed in the CRM, the ESP, the analytics platform, two support tools, and a data warehouse. No single person knew where all the data was. The response took 47 days. ANPD's general guideline is 15 days. This gap was invisible until the request arrived.

3. Consent Management Implementation

Where consent is the legal basis, LGPD requires that consent be free, informed, unambiguous, and purpose-specific. The controller must be able to prove consent was obtained. This means timestamped records tied to specific consent language, specific purposes, and specific data subjects. Generic consent records do not satisfy this requirement.

The consent management platform (CMP) must be technically integrated with the tag manager, the ESP, the CRM, and any other system that processes data based on consent. If the CMP records consent but the tag manager fires tracking pixels regardless, the consent record is operationally meaningless. This is the most common implementation failure we see: a CMP that exists as a legal artifact but has no connection to actual data processing.

Portfolio companies should audit the end-to-end consent flow quarterly: from the consent collection interface, through the CMP, to every downstream system that relies on that consent signal. Any break in the chain creates a gap between documented consent and actual processing that ANPD can identify in an audit.
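An added example of the quarterly chain audit described above (not the firm's code, and not any CMP or tag-manager vendor's API): it cross-checks constructed CMP consent records against constructed tag-manager firing events and reports every tag that fired without a live, purpose-specific consent for that subject. The record fields and the purpose labels are assumptions.

```python
from datetime import datetime, timezone
from typing import NamedTuple, Optional

class ConsentRecord(NamedTuple):
    subject_id: str
    purpose: str                     # purpose-specific, as LGPD requires
    text_version: str                # identifies the exact consent language shown
    granted_at: datetime
    revoked_at: Optional[datetime] = None

class TagEvent(NamedTuple):
    subject_id: str
    purpose: str                     # the purpose whose consent signal the tag relies on
    fired_at: datetime

def _ts(s):
    """Parse an ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data: what the CMP holds ...
CMP_RECORDS = [
    ConsentRecord("u1", "marketing", "v3", _ts("2024-05-01T10:00:00")),
    ConsentRecord("u2", "marketing", "v3", _ts("2024-05-01T11:00:00"), _ts("2024-05-03T09:00:00")),
    ConsentRecord("u3", "analytics", "v3", _ts("2024-05-02T08:00:00")),
]
# ... and what the tag manager actually fired (also constructed).
TAG_EVENTS = [
    TagEvent("u1", "marketing", _ts("2024-05-02T12:00:00")),  # covered by a live consent
    TagEvent("u2", "marketing", _ts("2024-05-04T12:00:00")),  # fired after revocation
    TagEvent("u3", "marketing", _ts("2024-05-02T12:00:00")),  # consent was for analytics only
    TagEvent("u4", "marketing", _ts("2024-05-02T12:00:00")),  # no consent record at all
]

def consent_covers(rec, ev):
    """True if this record authorises this event: same subject and purpose, granted
    before the tag fired, and not revoked at that moment."""
    return (rec.subject_id == ev.subject_id and rec.purpose == ev.purpose
            and rec.granted_at <= ev.fired_at
            and (rec.revoked_at is None or ev.fired_at < rec.revoked_at))

def find_consent_gaps(records, events):
    """Return the tag events with no valid, purpose-specific consent at firing time;
    each one is a break in the chain between documented consent and actual processing."""
    return [ev for ev in events if not any(consent_covers(r, ev) for r in records)]

if __name__ == "__main__":
    for gap in find_consent_gaps(CMP_RECORDS, TAG_EVENTS):
        print(f"GAP subject={gap.subject_id} purpose={gap.purpose} fired_at={gap.fired_at.isoformat()}")
```

In a real audit the two inputs come from the CMP's consent export and the tag manager's or analytics platform's event log; the comparison logic stays the same.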

4. Cross-Border Transfer Safeguards

Any transfer of personal data from Brazil to another country must comply with LGPD Article 33. The company must identify every cross-border data flow, implement an appropriate transfer mechanism for each flow, and document the mechanism in the ROPA. ANPD's 2024 regulation on international transfers established specific requirements for standard contractual clauses (SCCs) that must be adopted.

The operational challenge is that most PE-backed companies do not know how many cross-border transfers they have. Every SaaS tool with a US or EU data center represents a transfer. Every API integration that sends data to a processor outside Brazil is a transfer. The audit typically reveals 15-30 distinct cross-border data flows in a mid-market company, most of which have no documented transfer mechanism.

The remediation path is straightforward but labor-intensive. Map every flow. Classify each by transfer mechanism availability. Execute SCCs or other appropriate safeguards. Update the ROPA. The work is not technically complex, but it requires systematic identification of every data flow, which requires access to the infrastructure and vendor contracts that most commercial diligence processes never request.

5. Sensitive Data Controls

Sensitive data under LGPD includes: racial or ethnic origin, religious conviction, political opinion, trade union membership, health data, sex life data, genetic data, and biometric data. Processing sensitive data requires specific and highlighted consent, or one of the narrow exceptions in Article 11(2). The consent requirement is stricter than for ordinary personal data.

The compliance requirement is two-fold. First, identify all sensitive data categories present in the data estate. Second, ensure that each sensitive data processing activity has the required legal basis. Performance marketing operations are the primary risk area. Health and wellness brands, financial services companies, and EdTech platforms routinely process sensitive data categories without recognizing them as such under LGPD's definition.

Portfolio companies should conduct a sensitive data inventory as part of the ROPA build. Any sensitive data processing that cannot be justified under Article 11 must be either remediated (by obtaining specific consent) or discontinued. The cost of discontinuing a marketing audience segment is lower than the cost of an ANPD enforcement action for processing sensitive data without legal basis.
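An added example, not the firm's own tooling, that encodes the register checks from sections 1, 4 and 5 as a validator over a constructed ROPA: required fields, an Article 7 basis for ordinary data, an Article 11 basis for any sensitive category (legitimate interest and credit protection are not available there), and a documented Article 33 mechanism for every recipient outside Brazil. The basis and mechanism labels are assumed shorthand for the statutory items, and the "generic purpose" problem the article raises is left to human review.

```python
from dataclasses import dataclass, field

# Legal bases: the ten in LGPD Art. 7, and the narrower set Art. 11 allows for sensitive data
# (legitimate interest and credit protection are not available for sensitive data).
ART7_BASES = {"consent", "legal_obligation", "public_policy", "research", "contract",
              "judicial_proceedings", "protection_of_life", "health_protection",
              "legitimate_interest", "credit_protection"}
ART11_BASES = {"specific_consent", "legal_obligation", "public_policy", "research",
               "judicial_proceedings", "protection_of_life", "health_protection", "fraud_prevention"}
SENSITIVE = {"racial_ethnic_origin", "religious_conviction", "political_opinion", "trade_union",
             "health", "sex_life", "genetic", "biometric"}
TRANSFER_MECHANISMS = {"scc", "global_corporate_rules", "adequacy_decision", "specific_consent"}

@dataclass
class RopaEntry:
    data_categories: set
    subject_category: str
    purpose: str
    legal_basis: str
    retention: str
    recipients: list = field(default_factory=list)  # (name, ISO country, transfer mechanism or "")

def validate_entry(e):
    """Return the findings for one entry; an empty list means it passes every check."""
    findings = [f"missing {n}" for n in ("subject_category", "purpose", "legal_basis", "retention")
                if not getattr(e, n)]
    sensitive = e.data_categories & SENSITIVE
    if sensitive and e.legal_basis not in ART11_BASES:
        findings.append(f"sensitive data {sorted(sensitive)} needs an Art. 11 basis, got {e.legal_basis!r}")
    elif not sensitive and e.legal_basis not in ART7_BASES:
        findings.append(f"unknown Art. 7 basis {e.legal_basis!r}")
    for name, country, mechanism in e.recipients:   # Art. 33: every non-BR recipient needs a mechanism
        if country != "BR" and mechanism not in TRANSFER_MECHANISMS:
            findings.append(f"cross-border flow to {name} ({country}) has no documented transfer mechanism")
    return findings

# Constructed register: one clean entry and two that fail the checks the article describes.
REGISTER = [
    RopaEntry({"name", "email"}, "customers", "order fulfilment", "contract", "5 years",
              [("ERP vendor", "BR", "")]),
    RopaEntry({"email", "health"}, "app users", "wellness audience segmentation", "legitimate_interest",
              "2 years", [("ESP", "US", "scc")]),
    RopaEntry({"email"}, "leads", "", "consent", "", [("Analytics platform", "US", "")]),
]

def validate_register(entries):
    """Map the index of each failing entry to its findings."""
    return {i: f for i, e in enumerate(entries) if (f := validate_entry(e))}
```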

6. Data Protection Officer and Governance Structure

LGPD Article 41 requires controllers to appoint a Data Protection Officer (Encarregado). The DPO's identity and contact information must be publicly disclosed. The DPO serves as the point of contact for data subjects and for ANPD. While ANPD Resolution CD/ANPD No. 2 relaxed the DPO requirement for small businesses, most PE-backed companies do not qualify for this exemption.

Beyond the DPO appointment, the governance structure must include: a privacy impact assessment process for new processing activities, a data breach notification procedure (ANPD must be notified of breaches that may create risk or relevant harm to data subjects), vendor management procedures for processors, and a training program for employees who handle personal data.

What we see consistently is that the DPO appointment, where it exists, is a legal formality. The appointed person has no training, no budget, no authority, and no visibility into the marketing stack where most personal data processing occurs. For PE-backed companies, the DPO function must be operationalized, not just documented. That means giving the DPO access to the data estate, authority to review processing activities, and a reporting line that reaches the board or investment committee.
