Compare 13 Brazil LGPD (Lei Geral de Protecao de Dados) consulting partners delivering Lei 13.709/2018 compliance programmes, ANPD regulator engagement, the DPO appointment and data subject rights operating model, cross-border data transfer mechanisms under the recent ANPD international transfer regulation, the LGPD-specific data mapping and impact assessment work, integration with parent-company GDPR programmes for multinational operations, the consent and legitimate-interest balancing analysis for Brazilian residents, sector-specific obligations across financial services, healthcare, telecommunications, and public sector, and the ANPD-administrative-penalty defence work that now matters as enforcement matures. Listings cover Big Four Brazil practices, regional Brazilian law-aligned consultancies, India-heritage SIs with Brazil delivery, and the specialist privacy boutiques. No partner pays for placement on this directory.
LGPD engagements split into four typical workstreams. Programme set-up and current-state assessment, where the partner agrees the in-scope legal entities and data flows, runs the LGPD gap assessment against the 18 articles defining lawful bases, data subject rights, and controller-processor obligations, conducts stakeholder workshops across business areas, and produces the remediation roadmap. Operating model and DPO build, where the partner appoints or outsources the DPO function, builds the data subject rights workflow with response timelines, configures the consent and legitimate-interest balancing test framework, and establishes the breach notification and ANPD-engagement runbook. Data mapping and DPIA, where the partner builds the records of processing activities, conducts data protection impact assessments for high-risk processing, and integrates with the wider information governance estate. Cross-border and sector specialism, where the partner navigates the ANPD international transfer regulation (Resolution CD/ANPD No. 19/2024), maps to GDPR for multinationals operating in both jurisdictions, and handles sector-specific obligations under Bacen (banking), ANS (health insurance), ANATEL (telco), and the public sector regime.
Three procurement archetypes recur. Big Four Brazil practices (Deloitte, KPMG, PwC, EY) lead where LGPD sits inside a broader enterprise risk or audit programme, where the engagement needs ANPD-grade defensibility, or where the client is a multinational coordinating with parent-company GDPR; their advantage is audit alignment and stakeholder management. Brazil-local SIs (TIVIT, Stefanini Rafael, ICTS Protiviti, CGI) lead on factory delivery in Portuguese with deep ANPD case-law knowledge and on managed operations for the data subject rights workflow, often combined with the wider IT services arrangement. Privacy-law-aligned boutiques and DPO-outsourcing specialists (Opice Blum, IAPP-affiliated boutiques) lead on technically complex LGPD-versus-CPC litigation defence, the ANPD-administrative-penalty negotiation, and the senior DPO outsourcing where personal accountability under LGPD is in play. Friction point: LGPD enforcement matured slowly between 2020 and 2023 but ANPD-administrative-penalty action has accelerated since 2024, and customers who treated LGPD as a paper exercise during the early years routinely face heavy remediation lifts when ANPD investigation opens or when a Bacen or ANS supervisory audit lands.
For complementary research see privacy management platforms, consent management platforms, data subject rights platforms, data discovery tools, and GRC platforms. For adjacent services see GDPR services, OneTrust implementation, ISO 27001 implementation, IT governance and compliance, identity security consulting, and financial services IT consulting.
Tell us what you're evaluating and we'll send a tailored shortlist of vendors that actually fit — no vendor funding, no pay-to-play.
6,000+ vendors · 893 comparisons · 48 country guides · Independent & vendor-neutral