ITL-04 CONSULTING SERVICE
Privacy & LGPD
LGPD compliance built on the company's actual operation — mapping what really happens to the data, not filling in generic templates.
The problem
Many LGPD programs stop on paper: policies copied from templates, a record of processing that doesn't reflect real data flows, and no tested plan for the day a personal data incident happens. When the Brazilian data protection authority (ANPD) or a data subject knocks on the door, it's the real operation that gets examined — not the document.
How we work
Data Protection Officer (DPO) support
Acting as technical and documentation support to the DPO, or as DPO-as-a-service together with dedicated privacy specialists, covering both the legal-regulatory and the technical dimensions.
Mapping and documentation
Survey of the real personal data flows and preparation of the complete documentation package: impact assessment (RIPD/DPIA), records of processing activities (RoPA), internal policies and standards.
Personal data incident response
An incident response plan aligned with ANPD deadlines and requirements, integrated into the company's security incident response process.
Security as the foundation of privacy
ITool's differentiator: the technical and administrative measures required by Article 46 of the LGPD are designed by people who implement security in practice — access control, encryption, segmentation, and monitoring stop being generic paragraphs.
Applied experience
Complete compliance packages — from the impact assessment to the incident response plan — delivered for industrial operations of multinational groups in Brazil, in integration with the client's legal and technology teams.
Frequently asked questions
Does a B2B company with no consumer data need to comply with the LGPD?
Yes. Employee, candidate, business contact, and visitor data are already personal data under the LGPD. The extent of the program varies with the risk of the processing, but the obligation exists for virtually any company operating in Brazil.
What is the difference between the impact assessment (RIPD) and the records of processing (RoPA)?
The RoPA (Article 37) is the record of all data processing operations — the inventory. The RIPD (Article 38) is the impact assessment required for processing that may create high risks to data subjects — the in-depth risk analysis of specific operations. A mature program needs both, and the RoPA feeds the RIPD.
Do you work alongside the company's legal department?
Yes, and we recommend it. ITool covers the technical-operational and documentation dimension; formal legal opinions remain with the company's counsel or specialized partners, with whom we work in an integrated way.
Need a conversation about Privacy & LGPD?
Describe the scenario in two lines. We'll answer with an honest read — including if the answer is that you don't need us.