Compliance

LGPD Training

Brazil's General Data Protection Law requires organisations to ensure every employee who handles personal data understands their responsibilities. Roleplays turns LGPD awareness into practical, measurable competency through AI-powered simulations.

Overview

Why LGPD training matters

The Lei Geral de Proteção de Dados (LGPD), Law 13.709/2018, is Brazil's comprehensive data protection law, modelled after the EU's GDPR. It governs how organisations collect, process, store, and share personal data of individuals in Brazil. The law is enforced by the ANPD (Autoridade Nacional de Proteção de Dados) and carries penalties of up to 2% of annual revenue, capped at R$50 million per infraction.

While LGPD does not prescribe a specific training programme, Article 50 establishes that organisations should adopt good practices and governance measures, including employee awareness and training programmes. The ANPD's enforcement guidance consistently emphasises that organisations must demonstrate they have taken reasonable measures to ensure employees understand data protection obligations, and training is the primary way to demonstrate this.

LGPD training applies to any organisation that processes personal data of individuals in Brazil, regardless of where the organisation is headquartered. This includes every department that touches personal data: HR (employee records), marketing (customer databases), customer service (support interactions), finance (payment information), and IT (system administration and data infrastructure).

Who needs LGPD training

  • Customer service and support agents
  • HR teams handling employee data
  • Marketing and sales teams with CRM access
  • IT staff and data administrators
  • DPOs and privacy officers

ANPD enforcement reality

  • Fines up to 2% of revenue (R$50M cap)
  • Public disclosure of violations
  • Suspension of data processing activities
  • Training records considered mitigating factor
  • Good practices programmes reduce penalty severity

Training Areas

What LGPD training must cover

Effective LGPD training goes far beyond reading the law. Employees need practical skills for handling real-world data protection scenarios.

Employee awareness and data literacy

Every employee must understand what constitutes personal data under LGPD (Art. 5), the difference between personal data and sensitive personal data, the legal bases for processing (Art. 7), and the rights of data subjects (Arts. 17-22). Training must go beyond definitions: employees need to recognise personal data in their daily work context, whether it appears in emails, spreadsheets, support tickets, or verbal conversations.

Practical scenario: A customer service agent receives an email requesting all personal data held about a customer (data subject access request). Does the agent know how to respond, who to escalate to, and what the legal timeframe is?

Data handling procedures

Employees must know the correct procedures for collecting, storing, sharing, and deleting personal data. This includes understanding data minimisation principles (Art. 6, III), purpose limitation (Art. 6, I), and proper consent collection (Art. 8). Departments that regularly handle sensitive data, such as health information, biometric data, or financial records, require specialised training on the additional protections LGPD mandates for these categories (Art. 11).

Practical scenario: A marketing team wants to use a customer database for a new campaign. Does the team know whether the original consent covers this new purpose? Do they understand when re-consent is required?

Incident response training

LGPD Article 48 requires organisations to notify the ANPD and affected data subjects about security incidents that may cause "relevant risk or damage" to data subjects. Employees must be trained to recognise potential data breaches, know the internal escalation procedure, understand the notification timelines, and avoid actions that could worsen an incident (such as attempting unauthorised data recovery or communicating publicly without authorisation).

Practical scenario: An employee discovers that a shared folder containing customer CPF numbers was accidentally made publicly accessible. Do they know the correct escalation path, and can they articulate the severity of the incident?

DPO and privacy team responsibilities

The Data Protection Officer (Encarregado, per Art. 41) plays a central role in LGPD compliance. DPO training must cover: managing data subject requests, conducting Data Protection Impact Assessments (DPIAs/RIPDs), maintaining Records of Processing Activities (ROPA), liaising with the ANPD, and overseeing the organisation's overall data protection programme. The DPO must also be capable of training other employees, making their own competency development critical.

Practical scenario: The ANPD sends a formal request for information about a specific data processing activity. Can the DPO locate the relevant ROPA entries, demonstrate the legal basis, and respond within the required timeframe?

Solution

How Roleplays helps

Simulations that teach employees to handle personal data correctly, and document every training interaction for ANPD compliance.

Data handling scenarios

Simulate real-world situations where employees must decide how to handle personal data: customer requests for deletion, consent withdrawal, data portability demands, and sharing requests from third parties. AI personas act as customers, colleagues, or even ANPD representatives, testing whether employees follow correct procedures.

Consent management training

Train teams on proper consent collection, storage, and withdrawal handling. Simulations test whether employees can explain data processing purposes clearly, obtain informed consent, recognise when existing consent does not cover a new use case, and process consent withdrawal requests without resistance or delay.

Incident response simulation

Practise data breach response in a safe environment. Employees face simulated security incidents, from accidental data exposure to sophisticated attacks, and must follow the correct identification, containment, notification, and documentation procedures per Art. 48. Managers practise leading incident response teams under time pressure.

Documented compliance evidence

Every training session generates a complete record: who was trained, what content was covered, when it happened, how they performed, and whether they met competency thresholds. This documentation serves as evidence of your "good practices" programme under Art. 50, which the ANPD considers a mitigating factor when assessing penalties.

Department-specific training paths

Different departments handle different types of personal data and face different risks. HR teams receive scenarios about employee data rights. Marketing teams practise consent management. Customer service agents learn to handle data subject access requests. IT teams train on data breach identification and containment. Each path has tailored evaluation criteria.

Portuguese-native experience

LGPD training must be conducted in a language employees understand. Roleplays supports Portuguese natively with voice and text simulations, ensuring training content accurately reflects Brazilian legal terminology (titular de dados, encarregado, tratamento de dados) rather than awkward translations from English or European Portuguese.

FAQ

Frequently asked questions

Does LGPD actually require employee training?

While LGPD does not prescribe a specific training programme with mandated frequency, Article 50 establishes that organisations should adopt good practices and governance programmes that include employee awareness measures. The ANPD's enforcement guidance and penalty calculation methodology explicitly consider whether the organisation has implemented training programmes as a mitigating factor. In practice, LGPD training is essential for demonstrating compliance and reducing penalty exposure.

How often should employees receive LGPD training?

LGPD does not specify a frequency, but best practices aligned with GDPR guidance suggest annual training at minimum, with additional sessions after significant regulatory changes, data breach incidents, or changes in data processing activities. Roleplays allows you to configure any retraining cycle per department or role, and the platform tracks completion automatically.

Can we train employees on data subject access requests (DSARs)?

Yes. Roleplays includes scenarios where AI-powered data subjects exercise their rights under Articles 17-22: access requests, correction requests, deletion requests, data portability, and consent withdrawal. Employees practise identifying the request type, verifying the requester's identity, following the correct internal workflow, and responding within legal timeframes.

How does training documentation help reduce ANPD penalties?

The ANPD's penalty dosimetry regulation considers "adoption of good practices and governance" (Art. 52, paragraph 1, item IX of LGPD) as a mitigating factor. Documented training programmes with completion records, competency assessments, and ongoing retraining cycles demonstrate that the organisation took reasonable measures to prevent violations. Roleplays provides this documentation automatically for every training session.

Is Roleplays itself LGPD compliant?

Yes. Roleplays uses database-per-tenant isolation, ensuring your training data is completely separated from other customers. The platform processes minimal personal data (employee identifiers and training records), with clear purpose limitation and data retention policies. A Data Processing Agreement (DPA) is available for all enterprise customers.

Get compliant faster.

Build a documented LGPD training programme that the ANPD will recognise as genuine good practice. Start with simulations your team will actually complete.