Five Steps for Companies to Comply with LGPD Without Major Investments

The debate on privacy and digital governance gains relevance among smaller businesses, which already represent 99% of Brazilian companies, according to Sebrae. While many entrepreneurs still associate the General Data Protection Act (LGPD) with a complex and expensive topic, experts warn that compliance can start with simple, low-cost actions.

According to Edgard Dolata, lawyer and specialist in LGPD, guest professor in executive education programs and partner at Legal Comply and Dopp Dolata Advogados, data protection is today a survival requirement for small businesses as well. “There is a false idea that digital security is a subject for large corporations. But micro and small companies are among the most vulnerable to ANPD attacks and sanctions”, he says.

Data from the National Data Protection Authority (ANPD) indicates that the number of complaints against small businesses grew by 37% in the first half of 2025, driven by failures in digital campaigns and the absence of basic privacy policies. 

For Dolata, the way to avoid fines and preserve reputation starts with the minimum structuring of governance. “ Compliance does not require large investments, but clarity about who accesses the information, how they are stored and the destination of the data after use”, he explains.

Among the most effective and economical measures, the lawyer recommends five initial steps:

1. Appoint an internal responsible for privacy and information security, even if it accumulates other functions.
2. Create a simple data usage policy that guides employees and partners.
3. Review access permissions and implement two-factor authentication on critical systems.
4. Perform automatic and tested backups, ensuring business continuity in case of incidents.
5. Train the team to recognize digital scams such as phishing and fake supplier emails.

According to Edgard Dolata, the biggest mistake of small companies is to postpone actions because they believe that the inspection will not reach them. “With the accelerated digital transformation and the increase in online complaints, the ANPD already monitors previously invisible sectors, such as regional e-commerces, schools and service offices”, he highlights.

The expert's guidance is clear: investing in information security is to invest in the longevity of the company. “ Data protection is not a luxury, it is also a requirement for survival for small businesses. Each password exchanged, each written policy and each trained employee represent a concrete step to protect the brand and the customer”, he concludes.