What is the primary objective of LGPD?

The primary objective of LGPD is to protect the fundamental rights of privacy and freedom of natural persons by establishing rules for the processing of personal data. Enacted as Law No. 13.709/2018, LGPD safeguards personal data (Art. 5, I) and sensitive data (Art. 5, II), enforcing 10 principles including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability (Art. 6).

Who is legally or professionally required to comply with LGPD?

All controllers and processors handling personal data of individuals located in Brazil must comply with LGPD, regardless of company size or location. Its extraterritorial scope (Art. 3) applies to any processing in Brazil, targeting individuals located in Brazil, or data collected there, affecting public/private entities, with no thresholds like employee count or revenue.

Does LGPD require an external audit or third-party certification?

LGPD does not mandate external audits or third-party certification. The Autoridade Nacional de Proteção de Dados (ANPD) conducts audits (Art. 55), but organizations must maintain Records of Processing Activities (Art. 37), perform Data Protection Impact Assessments (DPIAs) for high-risk processing (Art. 38), and demonstrate compliance via internal governance.

How often should an assessment for LGPD be performed?

LGPD requires ongoing assessments, with Records of Processing Activities maintained continuously and DPIAs conducted for high-risk activities as needed. ANPD regulations like Resolution CD/ANPD No. 15/2024 imply regular reviews via incident logs (5 years retention) and monitoring; best practices recommend annual internal audits and updates upon processing changes.

What are the consequences of non-compliance with LGPD?

Non-compliance with LGPD triggers graduated sanctions by ANPD, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction), data processing suspension, and deletion orders. Additional penalties encompass warnings, daily fines, publicity of infractions, and operational blocks (Art. 52-53), factoring cooperation, damage, and safeguards.

Can LGPD be mapped to other international frameworks?

Yes, LGPD can be mapped to other international frameworks due to shared principles like purpose limitation and data subject rights. Its 10 principles (Art. 6), 10 legal bases (Art. 7), and rights (Art. 18) align closely with global regimes, enabling hybrid programs, though ANPD-specific rules like SCCs (Resolution CD/ANPD No. 19/2024) require adaptation.

What is the first step to begin implementing LGPD?

The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting data mapping for a Record of Processing Activities (RoPA). Controllers must publicly disclose the DPO (Art. 41), inventory data flows, purposes, legal bases, and risks (Art. 37), prioritizing high-risk processing to enforce principles and enable DPIAs.

What is the primary objective of COBIT?

COBIT's primary objective is to help organizations create value from I&T, manage risk, and optimize resources through a tailored governance system. COBIT 2019 defines 40 governance and management objectives across five domains—EDM (Evaluate, Direct, Monitor), APO (Align, Plan, Organize), BAI (Build, Acquire, Implement), DSS (Deliver, Service, Support), and MEA (Monitor, Evaluate, Assess)—translating stakeholder needs via the goals cascade into actionable practices and CMMI-based performance management (levels 0-5).

Who is legally or professionally required to comply with COBIT?

No organization is legally required to comply with COBIT, as it is a voluntary framework maintained by ISACA. Professionally, it is adopted by enterprises relying on I&T for value creation, particularly in regulated sectors like finance and public services, where boards and executives use its six governance system principles and 11 design factors to demonstrate accountable EGIT to auditors and stakeholders.

Does COBIT require an external audit or third-party certification?

COBIT does not require external audit or third-party certification. Organizations perform internal capability assessments using the COBIT Performance Management (CPM) model (levels 0-5). MEA04 Managed Assurance supports self-directed monitoring, with optional ISACA-aligned appraisals via credentials like CGEIT or CISA for evidence of conformance.

How often should an assessment for COBIT be performed?

COBIT assessments should be performed periodically as part of ongoing MEA activities, typically annually or after significant changes. The CMMI-based capability model (levels 0-5) drives baselining, gap analysis, and improvement roadmaps, with APO02 Managed Strategy recommending maturity reviews tied to enterprise context shifts like strategy or threat landscape updates.

What are the consequences of non-compliance with COBIT?

Non-compliance with COBIT carries no direct legal penalties, as it is a non-mandatory framework. Indirect consequences include weakened EGIT, exposing organizations to unmitigated I&T risks, audit deficiencies, and failure to align with stakeholder expectations, potentially amplifying regulatory exposures in aligned obligations via poor MEA monitoring.

Can COBIT be mapped to other international frameworks?

Yes, COBIT 2019 explicitly supports mapping to other frameworks through its governance framework principles of openness, flexibility, and alignment. Its 40 objectives and seven components (e.g., processes, structures) integrate as an umbrella model, with design toolkits enabling crosswalks while tailoring via 11 design factors.

What is the first step to begin implementing COBIT?

The first step to implement COBIT is to evaluate enterprise context using 11 design factors and the goals cascade. Per the COBIT 2019 Design Guide, assess stakeholder needs, baseline current capabilities via CPM (levels 0-5), and prioritize objectives to define a tailored governance system scope.

Standards Comparison

LGPD vs COBIT

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

COBIT

Voluntary

2019

Global framework for enterprise IT governance and management

Quick Verdict

LGPD mandates personal data protection for individuals located in Brazil with fines up to 2% revenue, while COBIT provides voluntary IT governance framework for enterprise alignment. Companies adopt LGPD for legal compliance, COBIT for strategic IT value and risk management.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope targeting individuals located in Brazil
10 core principles including prevention and non-discrimination
Fines up to 2% Brazilian revenue capped at R$50M
Mandatory DPO appointment for controllers with public disclosure
3 business-day breach notifications to ANPD and subjects

IT Governance

COBIT

COBIT 2019 Governance and Management Objectives

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

40 objectives across 5 domains (EDM, APO, BAI, DSS, MEA)
11 design factors for tailoring governance systems
CMMI-based capability levels 0-5 for performance management
Goals cascade linking stakeholders to IT metrics
7 components covering processes, culture, and skills

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's comprehensive data protection regulation. Enacted in 2018 and fully enforced since 2021, it safeguards personal data of natural persons with extraterritorial scope, applying to any processing targeting individuals located in Brazil. It follows a risk-based approach with 10 core principles like purpose limitation, necessity, and accountability.

Key Components

10 principles (e.g., transparency, security, non-discrimination)
Data subject rights (access, deletion, portability, objection to automated decisions)
Legal bases for processing (consent, contracts, legitimate interests)
Governance via mandatory DPO for controllers, records of processing, DPIAs for high-risk activities
ANPD enforcement with graduated sanctions up to 2% Brazilian revenue (R$50M cap)

Why Organizations Use It

LGPD compliance avoids multimillion fines, operational halts, and reputational damage while building trust in Brazil's digital economy. It enables market access, efficient data use, and competitive edges via privacy-by-design, especially for multinationals in e-commerce, finance, healthcare.

Implementation Overview

Phased risk-based methodology: governance setup, data mapping, policies, technical controls, DSR automation, vendor management, ongoing audits. Applies to all sizes/industries processing Brazilian data; no certification but ANPD audits/sanctions enforce.

COBIT Details

What It Is

COBIT 2019 (Control Objectives for Information and Related Technologies), developed by ISACA, is a flexible governance framework for enterprise IT (EGIT). It translates stakeholder needs into actionable objectives to create IT value, manage risk, and optimize resources via a tailored, design-factor-driven approach.

Key Components

40 objectives across **5 domainsEDM (governance), APO (plan/organize), BAI (build/implement), DSS (deliver/support), MEA (monitor/assess)
6 governance principles and 7 components (processes, structures, culture, skills, etc.)
CMMI-based performance management (capability levels 0-5)
Goals cascade; no certification, but assessments and ISACA credentials

Why Organizations Use It

Aligns IT strategy with business goals
Enhances compliance (SOX, GDPR), audit readiness, risk management
Drives digital transformation, efficiency, stakeholder trust

Implementation Overview

Phased: assess maturity, design via 11 factors, pilot objectives, monitor/improve
Cross-industry, all sizes; requires training, RACI, metrics; voluntary audits

Key Differences

Aspect	LGPD	COBIT
Scope	Personal data protection/processing	Enterprise IT governance/management
Industry	All sectors, Brazil-focused	All industries, global applicability
Nature	Mandatory regulation, ANPD enforcement	Voluntary governance framework
Testing	DPIAs for high-risk, ANPD audits	Capability assessments, internal audits
Penalties	2% revenue fines (R$50M cap)	No legal penalties, certification loss

Scope

LGPD

Personal data protection/processing

COBIT

Enterprise IT governance/management

Industry

LGPD

All sectors, Brazil-focused

COBIT

All industries, global applicability

Nature

LGPD

Mandatory regulation, ANPD enforcement

COBIT

Voluntary governance framework

Testing

LGPD

DPIAs for high-risk, ANPD audits

COBIT

Capability assessments, internal audits

Penalties

LGPD

2% revenue fines (R$50M cap)

COBIT

No legal penalties, certification loss

Frequently Asked Questions

Common questions about LGPD and COBIT

LGPD FAQ

COBIT FAQ

You Might also be Interested in These Articles...

CMMC Level 2 Implementation Guide for Small DIB Contractors: First 5 Steps to C3PAO Certification with Infographic

Actionable CMMC Level 2 guide for small DIB contractors: 5-step roadmap to C3PAO certification with infographic on timelines, costs & POA&Ms. Achieve DoD compli

SEC Cybersecurity Rules Materiality Determination Framework: Step-by-Step Guide with Checklists and Real-World Examples

Master SEC Form 8-K Item 1.05 materiality determinations with our step-by-step framework, checklists, case law factors, and real-world examples. Avoid enforceme

The NIS2 "FTE Trap": Why 5 Analysts for 24/7 Security is Actually 8 (and Why the Board Needs to Know)

Exposed: NIS2 FTE Trap math shows 5 analysts fail 24/7 coverage due to sickness, training, leave & 2026 churn. Line-by-line breakdown for compliance. Alert your

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how LGPD and COBIT compare against other standards

Other LGPD Comparisons

Other COBIT Comparisons

What It Is

Key Components

10 principles (e.g., transparency, security, non-discrimination)

Data subject rights (access, deletion, portability, objection to automated decisions)

Legal bases for processing (consent, contracts, legitimate interests)

Governance via mandatory DPO for controllers, records of processing, DPIAs for high-risk activities

ANPD enforcement with graduated sanctions up to 2% Brazilian revenue (R$50M cap)

What It Is

Key Components

40 objectives across **5 domainsEDM (governance), APO (plan/organize), BAI (build/implement), DSS (deliver/support), MEA (monitor/assess)

6 governance principles and 7 components (processes, structures, culture, skills, etc.)

CMMI-based performance management (capability levels 0-5)

Goals cascade; no certification, but assessments and ISACA credentials

Aspect

LGPD

COBIT

Scope

Personal data protection/processing

Enterprise IT governance/management

Industry

All sectors, Brazil-focused

All industries, global applicability

Nature

Mandatory regulation, ANPD enforcement

Voluntary governance framework

Testing

DPIAs for high-risk, ANPD audits

Capability assessments, internal audits

Penalties

2% revenue fines (R$50M cap)

No legal penalties, certification loss