Postry
If you are a developer and still treat LGPD as "the legal team's problem," let me be direct: in 2026, Brazil's data protection authority (ANPD) is actively enforcing fines up to R$50 million per violation, and the educational phase is over. This guide shows you, in practical terms, what you need to implement in your code to achieve compliance — no legalese, with real code and architecture examples.
I have been working in software development for over 8 years, and in the last two, I had to refactor three legacy systems for LGPD compliance. What I learned is that most compliance issues don't originate in the privacy policy — they originate in poorly modeled databases, logs that store CPF numbers in plain text, and endpoints that return too much data. The part nobody talks about is that adapting a system to LGPD actually improves the overall architecture: you end up with real control over the data lifecycle.
What is LGPD and why developers need to understand it
The Lei Geral de Proteção de Dados (Law 13,709/2018) regulates the processing of personal data in Brazil. It applies to any operation involving the collection, storage, processing, or sharing of data from individuals — and that includes virtually every piece of software that interacts with users.
Article 6 of the LGPD establishes ten fundamental principles that must guide any data processing: purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability. For developers, these principles translate into concrete technical decisions about data modeling, access control, logging, and APIs.
In 2026, ANPD has intensified enforcement focusing on four areas: data subject rights, processing of children's and adolescents' data, public sector data processing, and artificial intelligence with emerging technologies. For development teams, this means that endpoints that fail to respond to deletion or access requests are priority targets for enforcement actions.
Privacy by Design: how to apply it in the development lifecycle
The concept of Privacy by Design (PbD) is not new, but LGPD has made it mandatory in practice. The core idea is that data protection must be incorporated from the system's conception, not added later as a patch. This fundamentally changes how you design your data models, APIs, and infrastructure.
Data minimization in modeling
The necessity principle requires you to collect only the data strictly necessary for the declared purpose. In practice, this means reviewing every field in your database and asking yourself: "do I really need to store this?"
| Common practice (non-compliant) | Adequate practice (compliant) |
|---|---|
| Collecting CPF, ID number, date of birth, and full address for a blog registration | Collecting only email and name for registration; requesting additional data only when needed for a specific feature |
| Storing IP, user-agent, and geolocation in all access logs indefinitely | Defining a retention period (e.g., 90 days) and automatically anonymizing old logs |
| Keeping inactive user data indefinitely | Implementing a retention policy with automatic deletion after a defined inactivity period |
| Copying personal data to development and test environments | Using synthetic or anonymized data in non-production environments |
Consent and legal basis in code
Each data processing activity needs a documented legal basis. The most common ones in software development are: data subject consent, contract execution, legal obligation compliance, and legitimate interest. In code, this translates to recording which legal basis justifies each processing operation.
A pattern that works well is creating a consent registry table that stores: the data subject identifier, the specific purpose, the applicable legal basis, the consent timestamp, the version of the accepted policy, and whether consent has been revoked. This is not overengineering — it is a legal requirement.
Implementing data subject rights in your API
LGPD guarantees data subjects a series of rights that your system must fulfill. Article 18 lists rights such as processing confirmation, data access, correction, anonymization, portability, and deletion. The response deadline is 15 business days — and ANPD actively enforces this in 2026.
Data Subject Access Request endpoint
You need an endpoint that returns all personal data your system stores about a specific data subject. This includes data in related tables, logs, accessible backups, and data shared with third parties. The response format should be structured and readable — JSON or CSV are acceptable.
The real technical challenge here is mapping all locations where personal data is stored. In legacy systems, personal data frequently spreads across unexpected tables: audit logs, cache, message queues, temporary tables. Conduct a complete inventory before implementing the endpoint.
Deletion endpoint (right to be forgotten)
Data deletion is technically more complex than it appears. You need to consider: data in related tables with foreign keys, data replicated in caches or search systems, data in backups, data shared with third-party processors, and data that must be retained due to legal obligations (such as tax invoices).
An efficient approach is implementing soft delete with anonymization: instead of deleting the record, you replace personal data with anonymized values and mark the record as deleted. This preserves the database's referential integrity while eliminating personal data. For data that must be retained due to legal obligations, document the legal basis for retention.
Data portability
The data subject has the right to receive their data in a structured and interoperable format. In practice, implement an endpoint that exports user data in standardized JSON or CSV. The LGPD compliance documentation recommends following established market formats when available.
Technical security: what LGPD requires from your code
Article 46 of LGPD requires data processing agents to adopt technical and administrative security measures capable of protecting personal data. This is not generic — ANPD has published guides with specific expectations for different organization sizes.
Encryption and pseudonymization
Sensitive personal data (such as health data, biometrics, or sexual orientation data) must be encrypted at rest and in transit. For regular personal data, pseudonymization is a recommended technique: replace direct identifiers with tokens or hashes, maintaining the ability to re-identify only by those who hold the key.
In the database, use column-level encryption for sensitive fields such as CPF, document numbers, and financial data. Tools like PostgreSQL's pgcrypto module or managed database Transparent Data Encryption facilitate this implementation. In transit, TLS 1.2 or higher is the minimum acceptable standard — and configure HSTS to enforce secure connections.
Granular access control
Implement the principle of least privilege across all layers: database, application, and API. Each service or module should have access only to the data strictly necessary for its function. Use specific database roles, API token scopes, and attribute-based access control (ABAC) policies when complexity justifies it.
Secure logging
Logs are a frequent source of personal data leaks. Never log personal data in application logs — use opaque identifiers (UUIDs) instead of CPFs, emails, or names. If you need audit logs with personal data for compliance, store them in a separate system with restricted access control and a defined retention period.
| Layer | Security measure | Tool/Technique |
|---|---|---|
| Database | Encryption at rest | pgcrypto, TDE, KMS |
| Transport | Encryption in transit | TLS 1.2+, HSTS |
| Application | Pseudonymization | Tokenization, salted hashing |
| API | Access control | OAuth 2.0, RBAC/ABAC |
| Logs | Anonymization | UUIDs, masking, automatic retention |
| Backups | Encryption + retention | Encrypted backup, scheduled deletion |
Generative AI and LGPD: the risk many ignore
In 2026, one of the biggest compliance risks for developers lies in integration with generative AI models. If your application sends users' personal data to LLM APIs like ChatGPT, Claude, or Gemini, this constitutes personal data processing and third-party sharing — requiring a specific legal basis and, depending on the case, a Data Protection Impact Assessment (DPIA).
ANPD's enforcement in 2026 includes AI and emerging technologies as a priority area. This means pasting customer personal data into prompts without explicit consent is a flagrant violation. Implement prompt sanitization: remove or pseudonymize personal data before sending it to external AI APIs.
Best practices include: using internal IDs instead of personal data in prompts, implementing a sanitization layer that detects and masks CPF, email, and phone patterns before sending, and documenting in the ROPA (Record of Processing Activities) that your system transfers data to AI processors.
Record of Processing Activities (ROPA) for developers
Article 37 of LGPD requires controllers and processors to maintain a record of personal data processing operations. For developers, this means technically documenting each data flow in the system: which data is collected, where it is stored, who accesses it, how long it is retained, and with whom it is shared.
A practical approach is maintaining the ROPA as code — a versioned YAML or JSON file in the repository describing each processing operation. This integrates privacy documentation into the development workflow and ensures that changes in data processing are reviewed in code review.
The LGPD guide for devs on GitHub offers practical templates for this documentation, including data mapping models and examples of data subject rights implementation.
Incident response: what to do when a breach happens
LGPD requires notification to ANPD and affected data subjects in case of a security incident that may pose risk or relevant damage. The recommended timeframe is 72 hours after incident identification — and this requires advance technical preparation.
Technical checklist for incident response
- Implement anomalous access monitoring for personal data (unusual queries, mass exports, off-hours access)
- Maintain immutable audit logs that record who accessed which data and when
- Have ready-made scripts to identify the scope of a breach: which data subjects were affected, which data was exposed
- Document an incident response runbook that includes technical steps and communication channels with the DPO and ANPD
- Periodically test the response process with simulations (tabletop exercises)
The Ateliware blog on LGPD in software development details real incident scenarios in Brazilian companies and how technical preparation made a difference in response time and damage mitigation.
Useful tools and libraries for compliance
Several tools facilitate compliance implementation in code:
- Dataguard / OneTrust SDK: consent and privacy preference management integrated into your application
- pgcrypto (PostgreSQL): column-level encryption natively in the database
- Vault (HashiCorp): centralized secrets and encryption key management
- Open Policy Agent (OPA): access policies as code, integrable with APIs and microservices
- Presidio (Microsoft): open-source library for personal data detection and anonymization in text — useful for log and AI prompt sanitization
- DataHub / Amundsen: data catalog that helps keep the personal data inventory up to date
The choice of tools depends on your stack and system complexity. For smaller applications, manual implementations with good abstractions may suffice. For enterprise systems with multiple microservices, specialized tools save time and reduce human error.
Conclusion
LGPD is not a checklist you resolve once and forget — it is a mindset shift in software development. In 2026, with ANPD actively enforcing and fines reaching R$50 million, treating privacy as a first-class technical requirement is not optional. The good news is that the practices required by LGPD — data minimization, granular access control, conscious logging, adequate encryption — are fundamentally good software engineering practices. Systems that respect user privacy tend to be more secure, better architected, and easier to maintain. Start with the data inventory, implement the data subject rights endpoints, and review your logs. The rest comes naturally when the privacy by design mindset takes hold in the team.
