For DPO · General Counsel · CIO · CEO

Is your company one "Prompt" away from a million-dollar fine?

AI has transformed productivity — but it's created a silent nightmare for compliance: Shadow AI. Employees pasting customer data, financial spreadsheets, and source code into ChatGPT, with nobody authorizing it.

LGPD doesn't ban AI — it demands governance. If your company doesn't know which data is being processed, by which model, and where the server is physically located, you're not innovating: you're taking on a massive legal liability.

The chasm between public AI and LGPD

The principles your public AI violates every day

LGPD demands basic principles that tools like ChatGPT, Gemini, and Claude violate daily inside Brazilian companies. It's not interpretation — it's in the text of the law.

Violation 01

Improper international transfer

By sending data to APIs in the USA without specific contracts or consent, you violate art. 33 of LGPD.

Violation 02

Lack of purpose

An employee using ChatGPT to summarize a confidential contract is using a data processor for a purpose not stated in your privacy policy.

Violation 03

Lack of transparency

If an agent makes a decision about your customer (e.g., denies a benefit), LGPD requires the right to an explanation. Black-box AI doesn't allow that.

Violation 04

Indefinite retention

Can you guarantee that OpenAI or Google is not keeping your customers' data? Terms change — and the burden of proof is on you.

How to get to zero risk

Getting off the hook isn't complex. But it takes method.

Blocking ChatGPT on your office network doesn't work — the team will use their phones. You need a data governance pipeline for AI. MDA's Definitive Checklist covers the 6 fronts your DPO needs to audit.

Ch. 01

Shadow AI Mapping

How to identify where company data is being entered into AI without authorization. Discovery roadmap + interviews.

Inventory · DLP · Culture

Ch. 02

Legal Basis Compliance

Which legal basis to use for processing data via AI — Consent vs. Legitimate Interest — and how to document for audit.

Art. 7 LGPD · RIPD · DPIA

Ch. 03

Third-Party Contracts

What to require from AI vendors (OpenAI, Anthropic, etc.) to comply with ANPD. Mandatory clauses.

DPA · SCC · Sub-processors

Ch. 04

PII Governance

Technical checklist for anonymization and pseudonymization before LLM input. CPF, CNPJ, sensitive data.

Presidio · Mask · Hash

Ch. 05

Private AI & Data Sovereignty

The migration roadmap to SLMs in private cloud (Brazil data center) that eliminates 90% of LGPD risk in one shot.

VPC BR · SLM · vLLM · FP8

Ch. 06

Internal Policies & Templates

Template for AI terms of use for employees + executive memo + minimal training. Ready to deploy.

Templates · Training · Culture

MDA Checklist · free download

Don't wait for the ANPD notice

Compliance is cheaper than the fine. The Checklist is a practical document for DPOs, CIOs, and General Counsels to audit and bring AI into compliance — without external consulting dependency.

DPO · Data Officer · General Counsel · CIO · CTO · CEO

The company that teaches compliance audits itself

"We practice what we preach": your signup data never trains public models. SOC 2 and ISO 27001 already audit our process.

SOC 2 Type II · AICPA · Certified
ISO/IEC 27001 · ISMS · Certified
LGPD ready · VPC sa-east-1
