The definition of the ANPD’s priorities for 2026–2027 highlights an important shift in its supervisory approach. The focus moves beyond the mere occurrence of an incident and places stronger emphasis on the nature of the affected database and the scale of the processing activities.
Classifying a database as “large scale” has a direct impact on the calculation of administrative sanctions. When a violation involves a large number of data subjects, sensitive personal data, or activities linked to critical infrastructure, the authority tends to frame the case as high regulatory risk, bringing the penalty closer to the statutory maximum.
In complex corporate structures, with multiple business units and shared technological infrastructure, the risk is amplified. A localized incident may produce systemic effects, increasing the regulatory exposure of the entire economic group.
Risks and implications for companies
The main risks associated with large-scale data processing include:
- Classification as a direct and critical regulatory risk, with immediate impact on the calculation of fines;
- Significant increase in financial penalties, including the possibility of applying the legal maximum provided under the LGPD;
- Expansion of supervisory scope to other companies within the same economic group;
- Heightened reputational exposure, especially when data subjects are users of essential services;
- Pressure to implement structural corrective measures within short deadlines, with relevant operational impact.
When critical infrastructure data coexists with financial, commercial, or retail data, the risk of cross-contamination becomes a sensitive factor in the ANPD’s analysis.
Strategic solutions and recommendations
In this context, certain measures are considered priorities:
- Implement logical and physical segregation of databases, especially those involving essential services or large volumes of data subjects;
- Isolate critical data infrastructure from commercial, financial, or retail databases within the same economic group;
- Review system architectures and data flows, reducing points of interdependence that could amplify the impact of incidents;
- Update risk assessments and data protection impact reports, expressly considering the large-scale processing criterion;
- Strengthen data governance and information security, with clear responsibilities and continuous monitoring.
The regulatory message is clear: scale matters, and the way databases are structured may determine the level of sanctions in a potential administrative proceeding.
Do you already know which databases in your operation may be considered large scale by the ANPD? On the PDK website, we publish additional content that helps translate these regulatory priorities into practical governance decisions.