Data Privacy and AI: How the ANPD and PL 2338 will audit systems
The regulatory storm of 2026: The siege of Artificial Intelligence
The integration of Artificial Intelligence in business is no longer an innovation differentiator to become the market standard. Today, companies use algorithms to automate hiring, analyze customer credit, optimize logistics routes, and monitor employee productivity.
However, this mass adoption occurred, in most cases, without any privacy or governance control. This is about to end abruptly.
The National Data Protection Authority (ANPD) has already placed AI regulation as one of the four axes of its Priority Themes Map for 2026-2027. More than that: the most important Artificial Intelligence regulation in the country, PL 2338, is one vote away from becoming a legal obligation for companies. And those who leave it to adapt after the sanction will start late and exposed to millionaire risks.
What is PL 2338 (The "Brazilian AI Act") and the weight of the sanctions
Approved unanimously in the Senate in December 2024, PL 2338/2023 is pending in the Chamber with a vote expected in 2026. It is strongly inspired by European regulation and carries a heavy nickname in the legal and technology market: the "Brazilian AI Act".
Its goal is not to prohibit innovation, but to ensure that automated systems do not make discriminatory decisions, do not violate users' privacy, and have human supervision.
The weight of the law is directly reflected in the sanctions. Non-compliance with the rules of PL 2338 provides for severe fines that can reach R$ 50 million per infraction. And there is an aggravating factor that frightens directors and investors: in case of recurrence, this value is doubled. For many corporations, a sanction of this level means the complete halt of operations and the immediate breach of market trust.
Risk Classification: Is your AI dangerous to the law?
Unlike traditional LGPD, which deals with the data itself, PL 2338 classifies each AI system by its risk level. The logic is clear: the law demands governance proportional to the impact that this system has on people's lives and rights.
Systems are divided into four levels, but it is the high-risk category that will bring the most severe obligations. If your company uses algorithms for the following functions, you are in the high-risk zone:
- Automated recruitment and HR: Resume screening, behavioral profile analysis, or monitoring employees in the workplace.
- Credit analysis and financial risk: Systems that automatically decide whether a customer will have a loan approved or denied.
- Health and diagnostics: Algorithms for screening patients or analyzing exams (a highly critical scenario that we have already covered in detail in our article on The Impact of LGPD in Digital Health).
- Biometric identification: Facial recognition systems in public or corporate access locations.
If your company operates any system that fits into these categories, compliance will not be optional. It will be a prerequisite to keep the tool running.
The invisible danger of Shadow AI in corporations
While the board and the legal department debate the processing of the law, the real exposure of the company is already happening right now, on your employees' computers.
Recent market studies reveal an alarming piece of data: 47.4% of Brazilian professionals report using AI tools without official company approval. This practice, known in the technology market as Shadow AI (invisible AI or in the shadows), is the biggest nightmare for information security managers.
In practice, this means that:
- Financial analysts are submitting confidential billing spreadsheets into public AIs to generate charts.
- Programmers are pasting proprietary source codes into text generators to find software errors.
- HR professionals are inserting candidate data and resumes into open platforms to generate interview summaries.
When a corporate or personal data is inserted into an unapproved public AI, the company completely loses control over that information. It can be used to train the platform's algorithm and leak to competitors. Shadow AI creates an immense LGPD liability and exposes the company to ANPD fines even before PL 2338 is approved.
The new bureaucracy: What is the Algorithmic Impact Assessment (AIA)?
For systems classified as high risk, PL 2338 introduces a new compulsory obligation: the Algorithmic Impact Assessment (AIA).
If you have already gone through a data compliance process, you must know the RIPD (Personal Data Protection Impact Report) required by the LGPD. The AIA is the direct equivalent of the RIPD, but focused exclusively on the behavior of Artificial Intelligence.
Before putting a high-risk AI system into production, the company will need to strictly document:
- What is the purpose of the system and how it makes decisions.
- Which databases were used to train the algorithm (ensuring there is no biased or illegally collected data).
- What are the prejudice mitigation metrics (e.g., ensuring the recruitment AI does not discard candidates based on gender or ZIP code).
- How human supervision will be done over the machine's decisions.
The inspection of these assessments will be distributed among sectorial agencies and centralized by the ANPD, consolidating the requirements we explained in our material on The New National Data Protection Policy (PNPDP).
The Myth: "AI Governance begins with creating policies"
There is a classic mistake that managers make when dealing with new technology legislation. They believe the first step is to ask the legal department to draft a long PDF with the "Artificial Intelligence Use Policy", email it to all employees, and consider the matter closed.
This does not work. AI governance does not begin with the policy, it begins with mapping what is already in use.
The overwhelming majority of companies have not yet made even a basic inventory of the automated systems they operate. You cannot create security rules, limit access, or make an Algorithmic Impact Assessment (AIA) of systems that your own IT team is unaware of. Mapping is the foundation. Starting to adapt after the presidential sanction of PL 2338 is starting with the fine timer already running against you.
How SafetyFYI shields your company in the era of Artificial Intelligence
The convergence between traditional LGPD, the new aggressive posture of the ANPD, and the new "Brazilian AI Act" requires rapid responses. The compliance deadline for companies tends to follow the history of the original LGPD, which was only 18 to 24 months after sanction. Early preparation is no longer caution and has become an aggressive competitive advantage.
SafetyFYI operates exactly in the center of this challenge. We help your company structure the complete technological regulatory compliance journey, stepping out of the operational dark into full transparency and security.
With our platform and team of experts, your company ensures:
- Systems Mapping and Inventory: We discover and catalog where AI is being used in your operation (combating Shadow AI).
- Risk Classification (PL 2338): We evaluate your algorithms to know which enter the high-risk category and require severe measures.
- AIA Preparation: We build the Algorithmic Impact Assessment with technical and legal precision.
- Integrated Governance: We unify your traditional LGPD compliance with the new AI obligations.
- Team Training: We raise awareness among your employees about the risks of feeding public AIs with sensitive corporate data.
All this managed by an intuitive platform, designed not to bureaucratize your development and innovation.
FAQ: Understanding PL 2338 and AI Auditing
1. My company does not develop AI, only uses third-party tools (like ChatGPT or Copilot). Does PL 2338 apply to us? Yes. The law applies to both developers (who create the AI) and operators (companies that contract and use AI in their processes). If your company uses a third-party AI to make decisions about customers or employees, you have legal responsibilities and must ensure compliance.
2. What happens if an employee uses AI hidden (Shadow AI) and leaks data? The company will be held responsible. Before the ANPD and the courts, the corporation responds for the acts of its employees and the failure in information security. Therefore, continuous training and blocking of unapproved tools are crucial.
3. What is the Algorithmic Impact Assessment (AIA)? It is a formal document, required for high-risk AIs, detailing how the system works, what data it uses, the risks of bias or discrimination, and what technical measures the company adopted to protect the rights of users affected by these automated decisions.
4. How will the ANPD audit the algorithms? The inspection will occur through the National System of Artificial Intelligence Regulation and Governance (SIA). The ANPD will have the power to request the exhibition of the AIA, audit the training data of the AIs, and, in severe cases of discrimination or risk, order the immediate suspension of the system's use by the company.
5. What is the first step to prepare my company for PL 2338? The mandatory first step is the Inventory. You need to immediately map all AI systems in use (official and unofficial) and classify them by risk level. Without this, it is impossible to calculate your legal exposure or create effective security policies.
Take control of your systems before the law does
Does your company know exactly how many Artificial Intelligence tools your employees are using today? Are you sure that your automated recruitment or credit process is not generating hidden millionaire liabilities?
Do not wait for the final approval of PL 2338 to discover that your operation is vulnerable. Early compliance protects your cash flow, your reputation, and ensures your innovation is not interrupted by inspectors.
Click here and speak right now with our experts via WhatsApp to start mapping and shielding your AI systems!
Talk to an expert