What's next? Next steps and trends for the LGPD in Brazil.


Summary

Initially, the LGPD (Brazilian General Data Protection Law) was received like a storm foretold. Consulting firms sold miraculous solutions, companies rushed to fill checklists and clutter drawers with policies that would never be read. The fear of fines was the driving force, but the result, for the most part, was fragile: superficial projects, incapable of generating trust or strategic value.

This phase played its part. It was the infancy of the LGPD, full of stumbles, but essential to teach that data protection is not bureaucracy: it's strategy. Today, seven years later, Brazil is maturing. And with maturity come new challenges.

Data as gold… or a ticking time bomb

Data has ceased to be mere records and has become the most valuable currency in the digital economy. In the right hands, it fuels innovation, competitiveness, and growth. In the wrong hands—or poorly managed—it becomes a high-risk liability capable of destroying reputations, eroding market confidence, and generating invisible costs that no Excel spreadsheet can measure.

And that's no exaggeration. In the first half of 2025, Brazil suffered 314.8 billion instances of malicious activity, according to Fortinet. Mega data leaks and cyberattacks are already part of daily news. We are one of the favorite targets of cybercriminals.

Data protection and cybersecurity, once seen as parallel paths, are now merging. It's not enough to have nice policies: it's necessary to demonstrate resilience, with response plans, clear metrics, and real governance.

The market woke up.

Boards and councils no longer want speeches about "best practices." They want numbers.

  • How long does it take us to respond to an incident?
  • What is the actual compliance rate per process?
  • Where is the legal basis for each piece of data processed?
  • How much does the risk of a project cost?

The answer cannot be "we are adequate." The answer needs to be "we have control, traceability, and governance."

The DPO (Data Protection Officer) takes center stage. They are not just a guardian of the law, but a cultural facilitator, process strategist, and translator between technology, legal, and business aspects. And third parties? They are no longer just suppliers: they are extensions of the corporate perimeter, requiring constant monitoring and collaborative action plans.

The AI challenge: ally or threat?

Generative Artificial Intelligence has become the "new coworker" for many people. It writes reports, analyzes data, and organizes spreadsheets. But how safe is it to share information with this colleague? And what if this colleague never forgets anything and can repeat everything?

Brazil still lacks specific regulations, which has opened the door for three corporate tribes:

  1. Those that completely prohibit the use of AI.
  2. Those that allow it, but with clear limits.
  3. Those that allow it without any criteria.

The inconsistency is glaring: we want AI in all processes, but we don't know where our data is being processed. This is where transparency, legal basis, and human oversight cease to be mere rhetoric and become minimum conditions for scaling innovation.

Bill 2338/2023 emerges as a promising regulatory framework, inspired by the European model, focusing on risks and placing the human being at the center. The ANPD (National Data Protection Authority), which has already matured with the LGPD, is expected to assume this leading role as well.

Conclusion: the age of maturity

The LGPD has shifted from being about "what you can't do" to "how to do it the right way."
It has ceased to be a cost and has become a cornerstone of trust.
It has ceased to be regulatory and has become strategic.

On the global stage, data protection is not a luxury. It's a condition for survival and competitiveness. Brazil's future will be written not only in legislation, but also in metrics, governance practices, and the organizational culture we choose to cultivate. The game has changed. The question now is not whether your company is compliant. The question is:
Is your company ready to compete in a market where trust is the biggest differentiator?


About the Author

Meet the author of this article.

  • Manuela Cotulio is a lawyer and CEO of PrivOn, a consultancy specializing in data protection, information security, and corporate training. She holds a postgraduate degree in Cyber Security from UNIVEM, is currently pursuing postgraduate studies in Digital Law at Universidade Cândido Mendes, and in Compliance, Corporate Governance, and ESG at Damásio. A certified DPO by EXIN, she also holds ISFS, PDPF, and PDPP certifications. Currently, she is the vice-president of the Digital Law Commission of the OAB/SP – Assis Subsection, a member of the Legal Committee of APDADOS, and works as a legal mentor at Fomenta Vale.
