What is the primary objective of **LGPD**?

**The primary objective of LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is to protect the fundamental rights of privacy and freedom of natural persons by regulating the processing of personal data.** Enacted on August 14, 2018, it unifies fragmented norms, enforces 10 core principles (e.g., purpose limitation, necessity, accountability under Art. 6), and grants data subjects rights like access, correction, deletion, and portability (Art. 18), while mandating controllers and processors to adopt security measures and governance.

Who is legally or professionally required to comply with **LGPD**?

**All controllers and processors handling personal data of Brazilian residents must comply with LGPD, regardless of company size or location.** Its extraterritorial scope (Art. 3) applies to any processing in Brazil, targeting Brazilian residents for goods/services, or collecting data there—impacting global firms in e-commerce, fintech, healthcare, and cloud services. No thresholds exempt micro/small entities; public/private bodies included, with exemptions limited to non-economic private uses or journalism (Art. 4).

Does **LGPD** require an external audit or third-party certification?

**LGPD does not mandate external audits or third-party certification.** The **Autoridade Nacional de Proteção de Dados (ANPD)** conducts audits (Arts. 55-56), but organizations must maintain Records of Processing Activities (RoPAs, Art. 37), perform Data Protection Impact Assessments (DPIAs) for high-risk activities (Art. 38), and demonstrate accountability via internal governance, including DPO appointment for controllers (Art. 41).

How often should an assessment for **LGPD** be performed?

**LGPD assessments, including RoPAs and DPIAs, must be maintained continuously and updated for changes in processing activities.** ANPD regulations (e.g., CD/ANPD No. 02/2022) require ongoing records; DPIAs for high-risk processing like legitimate interests (Art. 38); quarterly internal audits recommended, with annual external reviews for maturity, plus ad-hoc for incidents or ANPD requests.

What are the consequences of non-compliance with **LGPD**?

**Non-compliance with LGPD triggers graduated ANPD sanctions, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction).** Penalties (Art. 52) range from warnings and publicity to daily fines, data blocking/deletion, and activity suspension (up to 6 months, extendable); factors include gravity, cooperation, and safeguards. Civil claims for damages (Art. 42) and reputational harm apply to B2B/employee data.

Can **LGPD** be mapped to other international frameworks?

**Yes, LGPD can be mapped to other international frameworks due to shared principles like purpose limitation, minimization, and data subject rights.** Its 10 principles (Art. 6) and bases (Art. 7) align closely with global regimes, enabling hybrid programs; however, nuances like Brazil revenue-based fines (vs. global), 10 bases, and ANPD-specific SCCs (Resolution 19/2024) require tailored gap analyses for cross-jurisdictional compliance.

What is the first step to begin implementing **LGPD**?

**The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting a comprehensive data mapping to create a Record of Processing Activities (RoPA).** Per Art. 41, publish DPO details; map flows, purposes, legal bases, sensitive data, and transfers (Art. 37) to enforce principles (Art. 6) and identify gaps, prioritizing high-risk areas like cross-border flows.

What is the primary objective of **EU AI Act**?

**The primary objective of the EU AI Act is to establish a risk-based regulatory framework that prohibits unacceptable-risk AI practices, imposes strict obligations on high-risk AI systems, mandates transparency for limited-risk systems, and leaves minimal-risk systems largely unregulated.** Regulation (EU) 2024/1689, effective from 1 August 2024, protects health, safety, and fundamental rights while fostering trustworthy AI across the EU market.

Who is legally or professionally required to comply with **EU AI Act**?

**Providers, deployers, importers, distributors, and authorized representatives of AI systems are legally required to comply if systems are placed on the EU market or outputs are used in the EU.** Providers develop or market high-risk systems under Article 16; deployers (professional users) must conduct fundamental rights impact assessments (Article 27) and ensure human oversight (Article 14). Extraterritorial scope applies to third-country entities via the "EU output nexus."

Does **EU AI Act** require an external audit or third-party certification?

**High-risk AI systems require conformity assessment, which may involve third-party notified bodies for certain Annex III uses or where internal assessment is insufficient.** Article 43 mandates internal (Annex VI) or third-party (Annex VII) procedures, leading to EU Declaration of Conformity (Article 47) and CE marking (Article 48). Notified bodies issue certificates (Article 44) and conduct periodic surveillance.

How often should an assessment for **EU AI Act** be performed?

**Risk classification assessments must be performed before placing high-risk AI on the market or putting into service, with continuous lifecycle monitoring via post-market plans.** Article 6 requires initial high-risk determination (Annex I/III); substantial modifications (Article 3(23)) trigger reassessment. Providers maintain ongoing risk management systems (Article 9) and report serious incidents (Article 73).

What are the consequences of non-compliance with **EU AI Act**?

**Non-compliance with the EU AI Act incurs tiered administrative fines up to 7% of worldwide annual turnover or €40 million for prohibited practices (Article 5), 4% or €20 million for other violations like data governance failures, and 2% or €10 million for supply chain breaches.** Enforcement by national authorities (Article 70) includes market withdrawal, bans, and personal liability for executives.

Can **EU AI Act** be mapped to other international frameworks?

**No, the EU AI Act cannot be directly mapped to other international frameworks as it establishes unique, standalone obligations focused on EU-specific risk tiers, conformity assessments, and GPAI rules.** While synergies exist with product safety regimes (Annex I), it demands bespoke compliance via its Articles 9–15 requirements, CE marking, and EU database registration (Article 49).

What is the first step to begin implementing **EU AI Act**?

**The first step is to conduct an AI inventory and risk classification to identify prohibited practices (Article 5), high-risk systems (Article 6, Annexes I/III), GPAI obligations (Chapter V), and entity roles.** Map all systems/models, document classifications, and prioritize remediation per phased timelines (prohibitions from February 2025, GPAI from August 2025).

LGPD vs EU AI Act

Standards Comparison

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

EU AI Act

Mandatory

2024

EU regulation for risk-based AI safety and governance

Quick Verdict

LGPD governs personal data processing for Brazilian residents with principles and rights enforcement, while EU AI Act regulates AI systems risk-based for EU market access with conformity and prohibitions. Companies adopt LGPD for Brazil compliance, AI Act for safe AI deployment.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope applies to Brazilian residents' data globally
10 core principles expand GDPR with prevention, non-discrimination
Fines up to 2% Brazilian revenue capped at R$50 million
Mandatory DPO for controllers with public disclosure
3-business-day breach notifications to ANPD and subjects

Artificial Intelligence

EU AI Act

Regulation (EU) 2024/1689 Artificial Intelligence Act

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Risk-based classification of AI systems
Prohibitions on unacceptable-risk practices
High-risk conformity assessments and CE marking
GPAI model transparency and systemic risk duties
Post-market monitoring and incident reporting

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's federal data protection regulation. Enacted in 2018 and fully enforced since 2021, it safeguards personal data processing with extraterritorial scope targeting Brazilian residents, employing a risk-based approach aligned with constitutional privacy rights.

Key Components

**10 core principlespurpose limitation, necessity, transparency, security, prevention, accountability, etc.
10 legal bases for processing, including consent, contracts, legitimate interests.
Data subject rights: access, correction, deletion, portability, anonymization, objection to automated decisions.
Governance: mandatory DPO for controllers, records of processing, DPIAs for high-risk activities.
Enforcement via ANPD with graduated sanctions up to 2% Brazilian revenue (R$50M cap).

Why Organizations Use It

Mandatory for entities processing Brazilian data to avoid fines, suspensions, reputational harm. Drives trust, operational efficiency via minimization, competitive advantages in e-commerce, fintech; enables secure innovation like AI amid cyber threats.

Implementation Overview

Phased, risk-based: governance/DPO appointment, data mapping/RoPA, policies/controls, DSR/incident response, vendor SCCs, audits/training. Applies universally—no size exemptions; ANPD oversees without formal certification.

EU AI Act Details

What It Is

Regulation (EU) 2024/1689, the EU AI Act, is a comprehensive regulation establishing harmonized rules for AI across the EU. Its primary purpose is to ensure AI systems are safe, transparent, and respect fundamental rights, with a risk-based approach classifying systems as unacceptable, high-risk, limited-risk, or minimal-risk.

Key Components

Prohibited practices (Article 5), high-risk obligations (Articles 9-15: risk management, data governance, documentation, human oversight, cybersecurity).
GPAI model rules (Chapter V), transparency duties (Article 50).
Conformity assessments, CE marking, EU database registration.
Built on product safety principles; compliance via self-assessment or notified bodies.

Why Organizations Use It

Mandatory for EU market access, avoiding fines up to 7% global turnover.
Enhances risk management, builds trust, enables competitive differentiation.
Supports innovation through sandboxes and codes of practice.

Implementation Overview

Phased rollout: prohibitions at 6 months, GPAI at 12, high-risk at 24-36 months.
Inventory AI assets, classify risks, build QMS, conduct assessments.
Applies to providers/deployers EU-wide; cross-sectoral, all sizes.

Key Differences

Aspect	LGPD	EU AI Act
Scope	Personal data processing and protection	AI systems by risk level (high-risk, prohibited)
Industry	All sectors, Brazil extraterritorial	All sectors with AI, EU extraterritorial
Nature	Mandatory data protection law, ANPD enforcement	Mandatory regulation, risk-based conformity assessments
Testing	DPIAs for high-risk processing, security audits	Conformity assessments, notified bodies for high-risk
Penalties	2% Brazilian revenue, max R$50M per infraction	Up to 7% global turnover for prohibited practices

Scope

LGPD

Personal data processing and protection

EU AI Act

AI systems by risk level (high-risk, prohibited)

Industry

LGPD

All sectors, Brazil extraterritorial

EU AI Act

All sectors with AI, EU extraterritorial

Nature

LGPD

Mandatory data protection law, ANPD enforcement

EU AI Act

Mandatory regulation, risk-based conformity assessments

Testing

LGPD

DPIAs for high-risk processing, security audits

EU AI Act

Conformity assessments, notified bodies for high-risk

Penalties

LGPD

2% Brazilian revenue, max R$50M per infraction

EU AI Act

Up to 7% global turnover for prohibited practices

Frequently Asked Questions

Common questions about LGPD and EU AI Act

LGPD FAQ

EU AI Act FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1 for Cloud & Kubernetes: A Practical Implementation Playbook (AWS/Azure/GCP + IaC)

Translate CIS Controls v8.1 to cloud-native: Kubernetes patterns for IAM, logging, vuln mgmt, hardening on AWS, Azure, GCP + IaC. Practical playbook for teams.

What is DORA and which Requirements does the Standard define?

Discover DORA requirements for info security, strict authority monitoring, and steps to achieve compliance. Build a resilient organization with our detailed gui

Top 10 Reasons CMMC Level 3 Certification Unlocks Competitive Edge for Primes Handling Critical DoD Programs

Discover top 10 reasons CMMC Level 3 certification unlocks competitive edge for DoD primes. Reduced APT risks, procurement prefs, NIST 800-172 compliance via v2

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

WCAG vs EU AI Act

Compare WCAG vs EU AI Act: Master web accessibility (POUR principles, AA conformance) & AI risk rules. Align compliance, reduce risks, boost inclusivity. Read now!

PRINCE2 vs ISO 55001

Compare PRINCE2 vs ISO 55001: Project governance mastery meets asset lifecycle excellence. Uncover principles, processes, key differences & benefits. Choose your framework now!

ISO 22301 vs EU AI Act

ISO 22301 vs EU AI Act: Align BCM resilience with AI risk rules for seamless compliance. Boost continuity amid disruptions—compare synergies now!

LGPD

EU AI Act

Quick Verdict

LGPD

Key Features

EU AI Act

Key Features

Detailed Analysis

LGPD Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EU AI Act Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

LGPD FAQ

What is the primary objective of LGPD?

Who is legally or professionally required to comply with LGPD?

Does LGPD require an external audit or third-party certification?

How often should an assessment for LGPD be performed?

What are the consequences of non-compliance with LGPD?

Can LGPD be mapped to other international frameworks?

What is the first step to begin implementing LGPD?

EU AI Act FAQ

What is the primary objective of EU AI Act?

Who is legally or professionally required to comply with EU AI Act?

Does EU AI Act require an external audit or third-party certification?

How often should an assessment for EU AI Act be performed?

What are the consequences of non-compliance with EU AI Act?

Can EU AI Act be mapped to other international frameworks?

What is the first step to begin implementing EU AI Act?

You Might also be Interested in These Articles...

CIS Controls v8.1 for Cloud & Kubernetes: A Practical Implementation Playbook (AWS/Azure/GCP + IaC)

What is DORA and which Requirements does the Standard define?

Top 10 Reasons CMMC Level 3 Certification Unlocks Competitive Edge for Primes Handling Critical DoD Programs

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

WCAG vs EU AI Act

PRINCE2 vs ISO 55001

ISO 22301 vs EU AI Act