LGPD Privileged Access: Articles 46–48 in Practice
Compliance April 2, 2026 9 min read

DataDike Security Research

PAM Research & Field Engineering

Brazil's Lei Geral de Proteção de Dados (LGPD, Lei nº 13.709/2018) is a data-protection regime structurally close to GDPR, with an active regulator (ANPD) that has steadily moved from guidance into enforcement. The law does not mention PAM by name — most data-protection regimes do not — but three articles in Chapter VII (Security and Best Practices) translate directly into privileged-access controls that operators must produce on demand.

Article 46 — Security measures

Article 46 requires the controller and the processor to adopt "technical and administrative security measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of inappropriate or unlawful treatment." That phrasing is broad on purpose. In practice, ANPD inspectors interpret it as a requirement to demonstrate that access to systems containing personal data is gated, logged, and revocable.

The PAM evidence shape for Article 46 is mature in any well-run program: an inventory of systems that process personal data, a list of privileged accounts that can reach them, the authentication mechanism for each (MFA, vault-mediated, just-in-time), and a session log showing each privileged access event with the operator identity attached. The artifact is not a one-off audit report; it is a dashboard that produces the report on demand, because the regulator does not give advance notice.

Article 47 — Continuous obligation

Article 47 makes the security obligation continuous, not point-in-time: "Treatment agents or any other person who interferes in one of the phases of treatment is obliged to ensure the security of the information provided for in this Law in relation to personal data, even after its termination." The clause has two consequences for privileged-access design.

First, off-boarding of privileged operators must be auditable and immediate. The standard pattern — disable the IDP account, let downstream systems eventually catch up — does not satisfy "even after its termination" if the audit trail cannot prove the disable happened the same day. PAM with native IDP federation closes this: when the directory revokes, the vault revokes, and the audit log records both events with timestamps.

Second, retention of audit logs has to outlive the operator. If a former employee's session three years ago becomes relevant in an ANPD inquiry, the recording and command audit must still be accessible. WORM (write-once read-many) storage or immutable cloud archiving covers this; standard log rotation does not.
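One way to turn both Article 47 consequences into a check that runs over the audit stream, as an added example that is not DataDike's code: the event names, field names and the JSON-lines log below are constructed for illustration. It flags a vault revocation that landed on a later calendar day than the IDP disable, a missing vault revocation, and any privileged session started after the directory revoked.

```python
import json
from datetime import datetime

# Constructed sample audit stream (not from any real system): directory
# disables, vault revocations and privileged session starts, as JSON lines.
AUDIT_LOG = """
{"ts": "2026-03-01T15:00:00Z", "event": "session.start", "operator": "m.silva", "target": "crm-db-01"}
{"ts": "2026-03-02T09:14:03Z", "event": "idp.disable", "operator": "m.silva"}
{"ts": "2026-03-02T09:14:05Z", "event": "vault.revoke", "operator": "m.silva"}
{"ts": "2026-03-02T17:40:11Z", "event": "idp.disable", "operator": "j.costa"}
{"ts": "2026-03-03T10:02:00Z", "event": "vault.revoke", "operator": "j.costa"}
{"ts": "2026-03-03T08:30:00Z", "event": "session.start", "operator": "j.costa", "target": "crm-db-01"}
{"ts": "2026-03-04T11:00:00Z", "event": "idp.disable", "operator": "a.lima"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def offboarding_findings(events):
    """Return {operator: [finding, ...]} for every operator the IDP disabled.

    An empty list means the off-boarding is provable from the log alone:
    the vault revoked on the same day and no session started afterwards."""
    idp, vault, sessions = {}, {}, {}
    for e in events:
        op = e["operator"]
        if e["event"] == "idp.disable":
            idp.setdefault(op, e["ts"])          # first disable wins
        elif e["event"] == "vault.revoke":
            vault.setdefault(op, e["ts"])
        elif e["event"] == "session.start":
            sessions.setdefault(op, []).append(e["ts"])
    findings = {}
    for op, disabled_at in idp.items():
        issues = []
        revoked_at = vault.get(op)
        if revoked_at is None:
            issues.append("no vault revocation recorded")
        elif revoked_at.date() != disabled_at.date():
            issues.append(f"vault revocation on a later day ({revoked_at - disabled_at} after IDP disable)")
        late = [ts for ts in sessions.get(op, []) if ts > disabled_at]
        if late:
            issues.append(f"{len(late)} privileged session(s) started after IDP disable")
        findings[op] = issues
    return findings


if __name__ == "__main__":
    for operator, issues in offboarding_findings(parse_events(AUDIT_LOG)).items():
        print(operator, "OK" if not issues else "; ".join(issues))
```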

Article 48 — Incident reporting

Article 48 requires the controller to notify ANPD and affected individuals of "any security incident that may create relevant risk or damage to data subjects." The clock is short — ANPD has clarified the expectation as within two business days — and the report must include "the description of the nature of the affected personal data, information about the data subjects involved, the indication of technical and security measures used, the risks related to the incident, and the reasons for delay if the communication was not immediate."

The PAM contribution to Article 48 readiness is the forensic timeline. When a credential compromise hits, the regulator does not want a narrative — they want the session log: which account, from which source, accessing which records, with what commands. A PAM with command-level audit produces that artifact within minutes; an environment without it spends days reconstructing what happened from heterogeneous syslogs.
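The forensic timeline as an added example, not DataDike's or ANPD's artifact: it reads a constructed command-level session audit (field names are assumed), pulls one account's trail inside the incident window, and maps it onto the Article 48 fields the log can answer by itself, leaving the fields that need human judgement explicitly open.

```python
import json
from datetime import datetime

# Constructed command-level session audit in JSON-lines form (sample data,
# not from any real system). Field names are assumed for this example.
SESSION_AUDIT = """
{"ts":"2026-03-10T02:11:09Z","account":"svc-report","source":"203.0.113.45","auth":"vault-checkout+mfa","target":"crm-db-01","data_class":"personal-data","cmd":"SELECT nome, cpf FROM clientes"}
{"ts":"2026-03-10T02:13:40Z","account":"svc-report","source":"203.0.113.45","auth":"vault-checkout+mfa","target":"crm-db-01","data_class":"personal-data","cmd":"COPY clientes TO STDOUT"}
{"ts":"2026-03-10T02:20:02Z","account":"svc-report","source":"203.0.113.45","auth":"vault-checkout+mfa","target":"build-01","data_class":"none","cmd":"ls /srv"}
{"ts":"2026-03-10T09:00:00Z","account":"m.silva","source":"10.20.0.8","auth":"jit+mfa","target":"crm-db-01","data_class":"personal-data","cmd":"SELECT count(*) FROM clientes"}
{"ts":"2026-03-11T01:55:12Z","account":"svc-report","source":"198.51.100.7","auth":"vault-checkout+mfa","target":"hr-db-02","data_class":"sensitive-personal-data","cmd":"SELECT * FROM funcionarios"}
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_audit(text):
    """JSON lines -> list of dicts with a real datetime, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = parse_ts(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def incident_timeline(events, account, start, end):
    """Ordered command-level trail for one account inside the incident window."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [e for e in events if e["account"] == account and lo <= e["ts"] <= hi]


def article48_evidence(account, timeline):
    """Fill the Article 48 fields the audit stream can answer on its own;
    fields that need human judgement are left explicitly open."""
    touched = [e for e in timeline if e["data_class"] != "none"]
    return {
        "account": account,
        "first_seen": timeline[0]["ts"].isoformat() if timeline else None,
        "sources": sorted({e["source"] for e in timeline}),
        "systems_with_personal_data": sorted({(e["target"], e["data_class"]) for e in touched}),
        "nature_of_affected_data": sorted({e["data_class"] for e in touched}),
        "commands_on_personal_data": [(e["ts"].isoformat(), e["target"], e["cmd"]) for e in touched],
        "security_measures_used": sorted({e["auth"] for e in timeline}),
        "data_subjects_involved": "OPEN: derive from the records returned by the commands above",
        "risks_to_data_subjects": "OPEN: assessed by the incident lead",
    }


if __name__ == "__main__":
    trail = incident_timeline(parse_audit(SESSION_AUDIT), "svc-report",
                              "2026-03-10T00:00:00Z", "2026-03-11T23:59:59Z")
    print(json.dumps(article48_evidence("svc-report", trail), indent=2))
```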

The ANPD evidence checklist

In the published guidance documents, ANPD repeatedly emphasizes three artifacts: inventory of treatment (Art. 37), incident response playbook with notification SLAs (Art. 48), and access-control evidence (Art. 46). PAM is the second-cheapest of the three to operationalize and the one most often missing.

How DataDike maps to LGPD

DataDike ships LGPD-specific dashboards that align to Articles 46, 47, and 48 directly: a privileged-access inventory by system classification (allowing the controller to filter for "systems treating personal data"), an off-boarding timeline that proves revocation latency, and an incident-response export that produces the Article 48 evidence pack in the format ANPD inquiries have asked for in recent inspections.

For Brazilian financial services and healthcare operators specifically — where LGPD intersects with BACEN, ANS, or CFM requirements — the same audit stream feeds both the LGPD evidence pack and the sector regulator's separate format. Operators who run both reports out of one platform spend less time on overlapping evidence and more time on the work the regulators actually intended to drive.