What is the primary objective of LGPD?

The primary objective of LGPD (Law No. 13.709/2018) is to protect the fundamental rights of freedom and privacy by establishing rules for the processing of personal data of natural persons. Enacted on August 14, 2018, it unifies Brazil's data protection framework with 10 core principles (Art. 6), including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability, while granting data subjects rights like access, correction, deletion, portability, and objection to automated decisions (Art. 18).

Who is legally or professionally required to comply with LGPD?

All controllers and processors handling personal data of Brazilian residents must comply with LGPD, regardless of company size or location. Its extraterritorial scope (Art. 3) applies to any processing in Brazil, targeting Brazilian residents for goods/services, or data collected there; no employee/revenue thresholds exempt entities, including public/private organizations, with controllers bearing primary liability (Art. 5, VI-VII).

Does LGPD require an external audit or third-party certification?

LGPD does not mandate external audits or third-party certification. The Autoridade Nacional de Proteção de Dados (ANPD) conducts audits (Art. 55), but organizations must maintain Records of Processing Activities (Art. 37), perform Data Protection Impact Assessments (DPIAs) for high-risk processing (Art. 38), and demonstrate accountability via internal governance, with voluntary certifications possible for maturity.

How often should an assessment for LGPD be performed?

LGPD requires ongoing assessments through continuous monitoring, Records of Processing Activities updates, and recurring internal audits. DPIAs are mandatory for high-risk activities like legitimate interests processing (Art. 38); practical guidance recommends quarterly reviews of risks, RoPAs, and incidents, with annual full audits to align with ANPD enforcement evolution.

What are the consequences of non-compliance with LGPD?

Non-compliance with LGPD triggers graduated sanctions by ANPD, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction), data processing suspension, and deletion orders. Nine sanctions (Art. 52) consider gravity, cooperation, and safeguards; additional civil liabilities for damages (Art. 42), reputational harm, and operational disruptions apply, with B2B/employee data fully scoped.

Can LGPD be mapped to other international frameworks?

Yes, LGPD can be mapped to other international frameworks due to shared principles like purpose limitation, minimization, and data subject rights. Its 10 principles (Art. 6) and bases (Art. 7) align closely with global regimes, enabling hybrid programs; cross-border tools like ANPD-approved Standard Contractual Clauses (Resolution CD/ANPD No. 19/2024, mandatory since August 23, 2025) facilitate transfers without adequacy decisions.

What is the first step to begin implementing LGPD?

The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting data mapping to create a Record of Processing Activities (RoPA). Per Art. 41 and Art. 37, the DPO (mandatory for controllers, public disclosure required) oversees governance; map data flows, purposes, legal bases, and risks to prioritize high-risk processing like sensitive data or transfers.

What is the primary objective of ISO 13485?

ISO 13485:2016 specifies requirements for a quality management system (QMS) enabling organizations to consistently provide medical devices and related services that meet customer and applicable regulatory requirements. It applies across the device lifecycle, from design and development through production, distribution, installation, servicing, and decommissioning. The standard emphasizes documented processes, risk-based controls, validation, traceability, and post-market surveillance to ensure device safety and performance, distinguishing it as regulatory-ready.

Who is legally or professionally required to comply with ISO 13485?

ISO 13485 applies to organizations whose activities include one or more stages of the medical device lifecycle, including manufacturers, suppliers, and service providers. Target entities encompass medical device manufacturers, contract manufacturers, importers, distributors, sterilization services, calibration providers, and those handling installation or servicing. Organizations must identify their regulatory roles and incorporate applicable requirements into the QMS, particularly for market access in regimes like EU MDR or FDA alignments.

Does ISO 13485 require an external audit or third-party certification?

ISO 13485 certification involves external audits by accredited certification bodies, typically in two stages: Stage 1 for documentation review and Stage 2 for implementation verification. Ongoing surveillance audits occur annually, with recertification every three years. While the standard itself mandates internal audits (Clause 8.2.4), third-party certification demonstrates conformity and is often required for regulatory market access or supplier qualification.

How often should an assessment for ISO 13485 be performed?

Internal audits for ISO 13485 must be conducted at planned intervals to determine QMS effectiveness, with frequency based on process risks and status (Clause 8.2.4). Management reviews occur at planned intervals (Clause 5.6), typically annually. External surveillance audits follow certification, usually yearly, with full recertification every three years. Organizations must also perform gap analyses or re-assessments triggered by changes in processes, products, or regulations.

What are the consequences of non-compliance with ISO 13485?

Non-compliance with ISO 13485 can result in failed certification audits, regulatory enforcement, product holds, recalls, fines, market withdrawal, and legal liability. Auditors issue nonconformities requiring corrective actions; unresolved issues lead to certification suspension. Regulators like EU Notified Bodies or FDA may cite QMS gaps (e.g., weak CAPA or validation), escalating to warning letters, import alerts, or device seizures, with records retained at least device lifetime or two years post-release amplifying traceability failures.

Can ISO 13485 be mapped to other international frameworks?

Yes, ISO 13485 provides Annex B correspondence to ISO 9001:2015, though it excludes certain ISO 9001 elements for regulatory focus. It aligns with ISO 14971 for risk management, IEC 62366-1 for usability, and supports regulatory mappings like EU MDR/IVDR annexes (ZA-ZC). Conformity to ISO 13485 does not imply ISO 9001 compliance, but the process approach enables integration with complementary standards for device lifecycle controls.

What is the first step to begin implementing ISO 13485?

The first step is to establish and document the QMS scope, including justification for any exclusions (Clause 4.1 and Scope). Define organizational roles under regulations, identify applicable processes and outsourced activities, and perform a gap analysis against Clauses 4-8. Develop the quality manual detailing scope, process interactions, and exclusions (e.g., Clause 7.3 for non-designers), ensuring alignment with device activities and regulatory requirements.

Standards Comparison

LGPD vs ISO 13485

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

ISO 13485

Mandatory

2016

International standard for medical device quality management systems

Quick Verdict

LGPD mandates data protection for Brazilian residents across industries, enforced by ANPD fines. ISO 13485 certifies voluntary QMS for medical devices, ensuring safety via audits. Companies adopt LGPD for legal compliance, ISO 13485 for market access and quality.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope targets Brazilian residents' data processing
10 core principles expand GDPR with prevention, non-discrimination
Fines up to 2% Brazilian revenue capped at R$50M
Mandatory DPO appointment and public disclosure for controllers
3-business-day breach notifications to ANPD and subjects

Quality Management

ISO 13485

ISO 13485:2016 Medical devices Quality management systems

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based QMS for medical device lifecycle
Regulatory compliance and post-market surveillance
Design development and process validation controls
Supplier evaluation and outsourcing management
Traceability and documentation requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's landmark comprehensive data protection regulation. Enacted in 2018 with full enforcement from 2021, it protects personal data of natural persons via extraterritorial scope, applying to processing in Brazil, targeting residents, or collected there. It employs a risk-based approach with principles, rights, and obligations enforced by ANPD.

Key Components

**10 core principlespurpose limitation, adequacy, necessity, transparency, security, prevention, non-discrimination, accountability.
Data subject rights (Art. 18): access, correction, deletion, portability, anonymization, objection to automated decisions.
10 legal bases (Art. 7): consent, contracts, legitimate interests, sensitive data restrictions.
**Governance toolsmandatory DPO, Records of Processing Activities (RoPAs), DPIAs for high-risk, 3-day breach notifications.
**ANPD sanctionsgraduated fines to 2% Brazilian revenue (R$50M cap).

Why Organizations Use It

Mandatory for compliance, avoiding multimillion fines, operational halts, reputational harm. Builds stakeholder trust, enables market access in Brazil's digital economy, reduces cyber risks, leverages anonymization for innovation.

Implementation Overview

**Phased, risk-basedgovernance/DPO appointment, data mapping/RoPAs, policies/contracts/SCCs, technical controls/training/DSRs, monitoring/audits. Applies universally to public/private entities, all sizes, industries like fintech/healthcare/e-commerce; ANPD audits, no formal certification.

ISO 13485 Details

What It Is

ISO 13485:2016 is the international standard titled Medical devices — Quality management systems — Requirements for regulatory purposes. It establishes a risk-based framework for QMS to ensure organizations consistently provide safe medical devices meeting customer and regulatory needs across the device lifecycle, from design to post-market surveillance.

Key Components

Organized into Clauses 4–8: QMS/documentation, management responsibility, resources, product realization, measurement/analysis/improvement.
Emphasizes documented procedures, validation, traceability, risk management (per ISO 14971), supplier controls, and post-market activities.
Built on process approach; certification via accredited bodies through staged audits (Stage 1 readiness, Stage 2 implementation).

Why Organizations Use It

Facilitates market access (EU MDR, FDA QMSR alignment effective 2026), reduces compliance risks.
Enhances patient safety, operational efficiency, supply chain resilience.
Builds stakeholder trust, competitive edge via certification as regulatory maturity proxy.

Implementation Overview

Phased approach: gap analysis, documentation/process design, training/validation, internal audits/management review, certification.
Suited for manufacturers/suppliers globally; 9–18 months typical, scalable by size/complexity.

Key Differences

Aspect	LGPD	ISO 13485
Scope	Personal data protection and processing	Medical device quality management systems
Industry	All sectors processing Brazilian data	Medical devices and related services
Nature	Mandatory Brazilian data protection law	Voluntary QMS certification standard
Testing	ANPD audits and DPIAs for high-risk	Certification body audits, process validation
Penalties	Fines up to 2% Brazilian revenue	Loss of certification, no direct fines

Scope

LGPD

Personal data protection and processing

ISO 13485

Medical device quality management systems

Industry

LGPD

All sectors processing Brazilian data

ISO 13485

Medical devices and related services

Nature

LGPD

Mandatory Brazilian data protection law

ISO 13485

Voluntary QMS certification standard

Testing

LGPD

ANPD audits and DPIAs for high-risk

ISO 13485

Certification body audits, process validation

Penalties

LGPD

Fines up to 2% Brazilian revenue

ISO 13485

Loss of certification, no direct fines

Frequently Asked Questions

Common questions about LGPD and ISO 13485

LGPD FAQ

ISO 13485 FAQ

You Might also be Interested in These Articles...

Image this: What if GDPR would have NOT been implemented by the EU

What if the EU never implemented GDPR? Explore this hypothetical: consumer data protection in Dec 2025, key differences, pros/cons for users & companies. Read t

HITRUST CSF MyCSF Platform Mastery: Infograph of Evidence Tagging Workflows and Top 5 Maturity Tier Acceleration Takeaways

Master MyCSF platform with infographics on evidence tagging for 1,400+ HITRUST controls across 19 domains. Cut documentation by 30%, boost Measured/Managed tier

SOC 2 Audit Survival Guide: First 5 Steps to Ace Your Type 2 Audit with Infographic

Ace your SOC 2 Type 2 audit with the first 5 essential steps: evidence collection, auditor tips, red flags from SignWell's experience. Get checklists & infograp

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how LGPD and ISO 13485 compare against other standards

Other LGPD Comparisons

Other ISO 13485 Comparisons

What It Is

Key Components

**10 core principlespurpose limitation, adequacy, necessity, transparency, security, prevention, non-discrimination, accountability.

Data subject rights (Art. 18): access, correction, deletion, portability, anonymization, objection to automated decisions.

10 legal bases (Art. 7): consent, contracts, legitimate interests, sensitive data restrictions.

**Governance toolsmandatory DPO, Records of Processing Activities (RoPAs), DPIAs for high-risk, 3-day breach notifications.

**ANPD sanctionsgraduated fines to 2% Brazilian revenue (R$50M cap).

What It Is

Key Components

Organized into Clauses 4–8: QMS/documentation, management responsibility, resources, product realization, measurement/analysis/improvement.

Emphasizes documented procedures, validation, traceability, risk management (per ISO 14971), supplier controls, and post-market activities.

Built on process approach; certification via accredited bodies through staged audits (Stage 1 readiness, Stage 2 implementation).

Aspect

LGPD

ISO 13485

Scope

Personal data protection and processing

Medical device quality management systems

Industry

All sectors processing Brazilian data

Medical devices and related services

Nature

Mandatory Brazilian data protection law

Voluntary QMS certification standard

Testing

ANPD audits and DPIAs for high-risk

Certification body audits, process validation

Penalties

Fines up to 2% Brazilian revenue

Loss of certification, no direct fines