LGPD Data Protection Impact Report (RIPD): A Practitioner's Guide

The short version

A data protection impact report, the relatório de impacto à proteção de dados pessoais or RIPD, is the LGPD's impact-assessment instrument. The LGPD defines it in Article 5(XVII) as a document describing the processing of personal data that could pose risks to civil liberties and fundamental rights, along with the measures to mitigate them. Under Article 38 the ANPD, Brazil's data protection authority, may order a controller to produce one, particularly where processing relies on legitimate interest or carries higher risk.

Brazil's LGPD is modeled closely on the GDPR, and its impact instrument follows the pattern: where processing could affect people's rights, the controller documents the processing, the risks, and the safeguards. The Brazilian version, the RIPD, is defined in the law and can be demanded by the regulator. This guide covers what it is, when it applies, what it contains, and how to prepare one.

What the RIPD is

The RIPD is defined in Article 5(XVII) of the LGPD as a report describing the data processing operations that may generate risks to civil liberties and fundamental rights, together with the measures, safeguards, and risk-mitigation mechanisms the controller adopts. It is the documented analysis a controller relies on to show it considered the impact of its processing on data subjects.

When it is required

Article 38 gives the ANPD the power to require a controller to prepare a RIPD, including for processing based on the legitimate-interest legal basis. In practice it is expected for higher-risk processing: large-scale handling of personal data, sensitive data, profiling, or new technologies. Even where the ANPD has not ordered one, preparing a RIPD for high-risk processing is treated as good practice and as evidence of the accountability the LGPD requires.

What it must contain

Following Article 5(XVII), a RIPD describes the processing and assesses its risk to rights. A complete report covers:

- a description of the processing operations and their purpose;
- the types of personal data involved, including any sensitive data;
- an assessment of the risks the processing poses to data subjects' civil liberties and fundamental rights;
- the safeguards and risk-mitigation measures the controller adopts, and the residual risk that remains.

How to prepare a RIPD

Step 1: Describe the processing

Set out the data, the purpose, the legal basis, and the flows, so the analysis has a clear subject.

Step 2: Assess the risks to rights

Identify the risks the processing poses to data subjects' civil liberties and fundamental rights, and rate them.

Step 3: Set out the safeguards

Document the measures that mitigate each risk and the residual risk that remains.

Step 4: Document and keep current

Record the report so it can be produced if the ANPD requests it, and revisit it when the processing changes.

RIPD and the GDPR DPIA

The two are close cousins. Both document processing, assess risk to individuals, and record safeguards. The main difference is the trigger: the GDPR DPIA is required by law whenever processing is likely to result in a high risk, while the RIPD is an instrument the ANPD may demand under Article 38, with high-risk processing the usual occasion. A controller operating under both regimes can often build one analysis that satisfies each.

For the wider regime, see the Brazil LGPD compliance guide and the LGPD glossary; for the EU instrument it parallels, see the GDPR DPIA guide.

Primary sources

Common questions

What is a RIPD under the LGPD?

The RIPD, or relatório de impacto à proteção de dados pessoais, is the LGPD's data protection impact report. Article 5(XVII) defines it as a document describing the processing operations that could pose risks to civil liberties and fundamental rights, together with the safeguards and risk-mitigation measures the controller adopts.

When does the LGPD require a RIPD?

Article 38 lets the ANPD require a controller to produce a RIPD, including for processing based on legitimate interest. It is expected for higher-risk processing such as large-scale or sensitive-data processing, profiling, or new technologies, and preparing one is treated as good accountability practice even absent an ANPD order.

What must a RIPD contain?

A description of the processing and its purpose, the types of personal data involved including sensitive data, an assessment of the risks to data subjects' rights, and the safeguards and risk-mitigation measures the controller adopts.

Is a RIPD the same as a GDPR DPIA?

They are close parallels. Both document processing, assess risk to individuals, and record safeguards. The difference is the trigger: a GDPR DPIA is required by law for high-risk processing, while a RIPD is an instrument the ANPD may demand under Article 38.

From the team behind this guide

Impact assessed, ready for the ANPD

Compliance Command Center brings consistent risk discipline across privacy regimes: it structures the impact analysis, assesses risk to rights, and keeps the documentation current and ready to produce. Practitioners build it, with a human reviewing every deliverable.
