← Frameworks / Privacy & Regulatory

LGPD (Lei Geral de Proteção de Dados) + BCB Resolution 4893/2021

Brazil's combined data protection and financial cybersecurity framework. LGPD (Law 13,709/2018) establishes comprehensive data protection principles, data subject rights, international transfer rules, and ANPD oversight. BCB Resolution 4893/2021 mandates cybersecurity policy, incident response and reporting, cloud governance, board accountability, and annual cybersecurity reporting for financial institutions regulated by the Banco Central do Brasil. Includes PIX instant payment security and Open Finance Brasil API requirements.

Clauses: 48

Avg Coverage: 44.4%

Publisher: ANPD / Banco Central do Brasil Version: 2018/2021

LGPD + BCB 4893 → SP 800-53 SP 800-53 → LGPD + BCB 4893 Coverage Analysis

Clause	Title	SP 800-53 Controls
BCB.Art.2	Cybersecurity Policy Requirements	AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PL-09 PM-01 PM-09 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01
BCB.Art.3	Cybersecurity Policy Principles (confidentiality, integrity, availability of data and information systems)	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AU-09 CP-01 CP-02 CP-06 CP-07 CP-09 CP-10 IA-01 IA-02 IA-05 SC-07 SC-08 SC-12 SC-13 SC-28 SI-01 SI-02 SI-03 SI-04 SI-07
BCB.Art.3-Supp	Risk-Based Security Controls Proportionate to Institution Size and Complexity	PL-10 PL-11 PM-07 PM-09 PM-11 RA-01 RA-03 RA-07 RA-09
BCB.Art.4	Cybersecurity Policy Dissemination and Culture	AT-01 AT-02 AT-03 AT-05 AT-06 PL-04 PM-13 PM-14
BCB.Art.5	Incident Response Plan Requirements	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 PM-04
BCB.Art.5-Supp	Incident Classification and Severity Framework	IR-04 IR-05 IR-08 RA-02 RA-09
BCB.Art.6	Incident Detection and Assessment Procedures	AU-02 AU-06 CA-07 IR-04 RA-05 RA-10 SI-02 SI-04 SI-05
BCB.Art.7	Incident Response Actions and Containment	IR-04 IR-05 IR-07 IR-09 SC-24 SI-04
BCB.Art.8	Incident Reporting to BCB (Banco Central do Brasil)	IR-06 IR-08 AU-06
BCB.Art.9	Incident Record Retention (10-year minimum)	AU-04 AU-09 AU-11 SI-12
BCB.Art.10	Cybersecurity Assessment and Testing Programme	CA-02 CA-04 CA-07 CA-08 PM-14 RA-05 RA-06 SA-11
BCB.Art.11	Cloud Computing Services Governance	AC-20 CA-03 CA-09 PM-08 SA-04 SA-09 SR-01 SR-02 SR-03
BCB.Art.11-Supp	Cloud Service SLA and Contract Requirements for Financial Institutions	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-08
BCB.Art.12	Cloud Provider Due Diligence and Risk Assessment	RA-03 RA-09 SA-04 SA-09 SR-02 SR-03 SR-05 SR-06
BCB.Art.13	Cloud Data Location and Residency Requirements	AC-04 CM-12 SA-09 SC-07
BCB.Art.14	Data Processing and Storage Abroad	AC-04 CM-12 MP-05 SA-09 SC-08
BCB.Art.15	BCB Regulatory Access to Cloud Data and Systems	AU-09 AU-16 SA-09 SR-08
BCB.Art.16	Cloud Outsourcing Notification to BCB	PM-08 SA-04 SA-09
BCB.Art.17	Board and Director Responsibilities for Cybersecurity	PM-01 PM-02 PM-09 PL-09 PS-09
BCB.Art.17-Supp	Designated Cybersecurity Director Registration with BCB	PM-02 PS-09
BCB.Art.18	Annual Cybersecurity Report to BCB	AU-01 CA-02 CA-05 PM-06 RA-03 RA-04
BCB.Art.19	Cybersecurity Assessment Programme and Continuous Improvement	CA-02 CA-04 CA-05 CA-07 PM-04 PM-06 PM-14 RA-04 RA-05
BCB.Art.20	Record-Keeping and Documentation Requirements	AU-01 AU-02 AU-03 AU-04 AU-07 AU-09 AU-11 CM-08 CM-12 CM-13 PM-05 SI-12
BCB.OpenFinance	Open Finance Brasil Security Requirements	AC-03 AC-04 IA-02 IA-05 IA-08 SC-07 SC-08 SC-13 SC-23 SA-09
BCB.PIX	PIX Security Requirements (BCB Resolution 147/2021 and related provisions)	AC-02 AC-03 AC-04 AC-17 IA-02 IA-05 IA-08 SC-07 SC-08 SC-12 SC-13 SC-23 SI-04 SI-10
LGPD.Art.6	Processing Principles (purpose limitation, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, accountability)	AC-06 AU-01 AU-02 CM-12 CM-13 PT-01 PT-02 PT-03 PT-04 PT-05 PT-07 SI-18
LGPD.Art.7	Legal Bases for Processing Personal Data (ten legal bases)	PT-01 PT-02 PT-04
LGPD.Art.8	Consent Requirements (free, informed, unambiguous, specific purpose)	PT-04 PT-05 AU-02 AU-03
LGPD.Art.9	Data Subject Right to Information About Processing	AC-08 PT-05
LGPD.Art.10	Legitimate Interest as Legal Basis	PT-02 PT-03 RA-03 RA-08
LGPD.Art.11	Processing of Sensitive Personal Data	AC-03 AC-16 MP-03 PT-01 PT-03 PT-07 SC-28
LGPD.Art.14	Processing of Children's and Adolescents' Data	PT-04 PT-07
LGPD.Art.15-16	Termination of Processing and Data Deletion	AU-11 MP-06 SI-12 SR-12
LGPD.Art.17-18	Data Subject Rights (confirmation, access, correction, anonymisation, portability, deletion, information about sharing)	PT-05 PT-06 SI-18
LGPD.Art.19-20	Data Subject Request Fulfilment and Review of Automated Decisions	PT-06 PT-08
LGPD.Art.23-26	Public Sector Processing Rules	PT-01 PT-02 PT-03 PT-05 AC-04 SA-09
LGPD.Art.33-36	International Data Transfers	AC-04 AC-17 MP-05 SA-09 SC-08
LGPD.Art.37-38	Data Protection Impact Assessment (RIPD - Relatorio de Impacto a Protecao de Dados)	CA-02 PL-02 PL-05 RA-01 RA-03 RA-08
LGPD.Art.41	Data Protection Officer (Encarregado pelo Tratamento de Dados Pessoais)	PM-02 PS-09
LGPD.Art.42-45	Liability and Indemnification (controller/operator liability, burden of proof)	AU-01 AU-02 AU-03 AU-10
LGPD.Art.46	Security Measures (administrative and technical measures to protect personal data)	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AU-01 AU-09 CA-01 CM-01 CM-06 IA-01 IA-02 IA-05 MP-01 MP-02 MP-04 PE-01 PE-02 PE-03 SC-07 SC-08 SC-12 SC-13 SC-28 SI-01 SI-02 SI-03 SI-04 SI-07
LGPD.Art.47	Processing Agents' Obligations (controller and operator security duties)	AT-01 AT-02 AT-03 PL-04 PS-01 PS-02 PS-03 PS-04 PS-05 PS-06 PS-07 PS-08 PS-09
LGPD.Art.48	Incident Notification to ANPD and Data Subjects	AU-06 IR-01 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09
LGPD.Art.49	ANPD Post-Incident Measures and Remediation Orders	IR-04 IR-06 PM-04
LGPD.Art.50	Good Practices and Governance (privacy programme, codes of conduct)	AC-01 AT-01 AT-02 AT-06 CA-01 CA-02 CA-05 CA-07 PL-01 PL-02 PL-04 PL-09 PM-01 PM-09 PM-14 RA-01
LGPD.Art.52	Administrative Sanctions (warnings, fines, daily fines, data blocking/deletion)
LGPD.Art.55-A-K	ANPD Structure, Competencies, and Regulatory Powers
LGPD.BCB.Integration	LGPD-BCB Compliance Integration (dual regulatory alignment)	PM-01 PM-09 PL-01 PL-02 PL-09 PT-01 PT-02 RA-01 RA-03