What is the primary objective of **LGPD**?

**The primary objective of LGPD is to protect the fundamental rights of privacy and freedom of natural persons by establishing rules for the processing of personal data.** Enacted as Law No. 13.709/2018, LGPD safeguards personal data (information relating to identified or identifiable natural persons) and sensitive data (e.g., racial/ethnic origin, health, biometrics) through 10 core principles under Article 6, including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability. It empowers data subjects with rights under Article 18, such as access, correction, deletion, portability, and objection to automated decisions.

Who is legally or professionally required to comply with **LGPD**?

**All controllers and operators processing personal data of individuals located in Brazil must comply with LGPD, regardless of company size or location.** Article 3 establishes extraterritorial scope for any processing in Brazil, targeting Brazilian residents, or collected there. Controllers (deciding purposes/means, Article 5 VI) bear primary liability; operators (processing on instructions, Article 5 VII) share duties. No employee/revenue thresholds apply; public/private entities in sectors like e-commerce, fintech, healthcare are included, with ANPD enforcement since 2021.

Does **LGPD** require an external audit or third-party certification?

**LGPD does not mandate external audits or third-party certification.** Article 55-J grants ANPD audit powers, but organizations self-assess via Records of Processing Activities (Article 37, simplified for small entities per CD/ANPD 02/2022) and Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 38). Controllers must demonstrate accountability through internal governance, DPO appointment (Article 41), and security measures (Article 46), with ANPD able to request records/DPIAs on demand.

How often should an assessment for **LGPD** be performed?

**LGPD assessments, including Records of Processing Activities and DPIAs, must be maintained continuously and updated for changes in high-risk processing.** No fixed frequency is prescribed; Article 37 requires ongoing records, with DPIAs (Article 38) for legitimate interests or high-risk activities like large-scale sensitive data. ANPD guidance (e.g., Resolution CD/ANPD 15/2024) implies regular reviews via incident logs (5 years retention), quarterly internal audits, and annual refreshes for evolving data flows, transfers, or ANPD regulations.

What are the consequences of non-compliance with **LGPD**?

**Non-compliance with LGPD incurs graduated administrative sanctions by ANPD, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction).** Article 52 outlines 9 sanctions: warnings, daily fines, publicity of infractions, data blocking/deletion, partial/total suspension of processing (up to 6 months, extendable), and activity prohibitions. Factors include gravity, cooperation, and reoccurrence; civil claims for damages (Article 42) and reputational harm apply additionally, with B2B/employee data fully scoped.

Can **LGPD** be mapped to other international frameworks?

**Yes, LGPD can be mapped to other international frameworks due to shared principles, rights, and structures.** Its 10 principles (Article 6), data subject rights (Article 18), legal bases (Article 7), and extraterritoriality align closely with GDPR (e.g., purpose limitation, minimization, accountability), enabling hybrid programs. ANPD-approved Standard Contractual Clauses (Resolution CD/ANPD 19/2024) facilitate transfers, though nuances like 10 bases (vs. GDPR's 6) and Brazil revenue-based fines require gap analysis; no adequacy decisions issued yet.

What is the first step to begin implementing **LGPD**?

**The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting data mapping for a Record of Processing Activities (RoPA).** Article 41 mandates DPO for controllers (public disclosure, exemptions limited to small/low-risk per CD/ANPD 02/2022) to oversee compliance, ANPD liaison, and training. Phase 1 involves inventorying data flows, purposes, legal bases (Article 7), sensitive data, and transfers (Article 33) to enforce principles (Article 6) and identify high-risk areas for DPIAs.

What is the primary objective of **ISO 19600**?

**ISO 19600 provides guidelines for establishing, developing, implementing, evaluating, maintaining, and improving an effective compliance management system (CMS).** Published in 2014 as a principles-based, scalable framework, it applies to all organization types and sizes, emphasizing proportionality to structure, nature, and complexity. The standard uses a Plan-Do-Check-Act (PDCA) cycle and high-level structure, focusing on translating compliance obligations—laws, regulations, voluntary codes, and contracts—into processes, controls, and culture via leadership commitment, risk assessment, and continual improvement. Withdrawn in 2021 and replaced by ISO 37301, it remains a foundational governance tool.

Who is legally or professionally required to comply with **ISO 19600**?

**No organization is legally required to comply with ISO 19600, as it provides non-mandatory guidelines rather than requirements.** It applies voluntarily to all types—public, private, non-profit—regardless of size, structure, nature, or complexity, with implementation proportionate to risks and context. Professionals such as C-suite executives, compliance officers, and boards adopt it for benchmarking CMS effectiveness, demonstrating governance to regulators, and integrating with management processes, though certification is unavailable.

Does **ISO 19600** require an external audit or third-party certification?

**ISO 19600 does not require external audits or third-party certification, being a guidance standard without mandatory requirements.** Organizations conduct internal, planned audits at intervals (Clause 9.2) using systematic, independent processes per ISO 19011. It recommends monitoring, measurement, and management reviews for CMS effectiveness, with documented evidence, but external validation is optional for self-benchmarking.

How often should an assessment for **ISO 19600** be performed?

**ISO 19600 requires compliance risk assessments to be performed initially and reassessed whenever changes or issues occur.** Clause 4.6 mandates ongoing identification, analysis, and evaluation of compliance risks, with processes to detect new/changed obligations (Clause 4.5). Performance evaluation (Clause 9) includes planned audits at intervals, continual monitoring of indicators, and management reviews considering updates, nonconformities, and stakeholder feedback.

What are the consequences of non-compliance with **ISO 19600**?

**Non-compliance with ISO 19600 carries no direct penalties, as it is a voluntary guidance standard.** However, weak CMS alignment may expose organizations to regulatory fines, reputational damage, or operational disruptions from unmet obligations. Courts in some jurisdictions consider CMS evidence when assessing penalties for contraventions, making strong alignment a governance mitigator.

Can **ISO 19600** be mapped to other international frameworks?

**Yes, ISO 19600 can be mapped to other international frameworks due to its high-level structure and PDCA logic.** It integrates with management systems like quality or risk via shared clauses on context, leadership, planning, support, operation, evaluation, and improvement, enabling unified processes while preserving compliance independence.

What is the first step to begin implementing **ISO 19600**?

**The first step to implement ISO 19600 is understanding the organization's context and determining CMS scope (Clauses 4.1–4.3).** This involves analyzing internal/external issues, interested parties' needs, boundaries, and documented scope availability, followed by identifying compliance obligations and risks (Clauses 4.5–4.6).

LGPD vs ISO 19600

Standards Comparison

LGPD

Mandatory

2020

Brazil's comprehensive personal data protection regulation

ISO 19600

Voluntary

2014

International guidelines for compliance management systems

Quick Verdict

LGPD mandates data protection for Brazilian residents with fines up to 2% revenue, while ISO 19600 offers voluntary CMS guidelines for all compliance. Companies adopt LGPD for legal compliance, ISO 19600 for structured governance.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope targets Brazilian residents' data
10 core principles expand beyond GDPR's seven
Fines up to 2% Brazilian revenue capped R$50M
Mandatory DPO for controllers with public disclosure
3-business-day breach notifications to ANPD subjects

Compliance Management

ISO 19600

ISO 19600:2014 Compliance management systems — Guidelines

Cost

€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Principles of good governance for compliance function
Risk-based identification of compliance obligations
PDCA cycle for continual improvement
Scalable and proportionate to organization size
Integration with other management systems

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's landmark data protection regulation. Enacted in 2018 with full enforcement since 2021, it protects personal data via a risk-based approach, applying extraterritorially to processing in Brazil, targeting residents, or collected there.

Key Components

**10 core principlespurpose limitation, necessity, transparency, security, prevention, accountability, etc.
**Data subject rightsaccess, correction, deletion, portability, anonymization, objection to automated decisions.
**10 legal basesconsent, contracts, legitimate interests, legal obligations, sensitive data restrictions.
GovernanceANPD** enforcement, mandatory DPO for controllers, DPIAs for high-risk, records of processing. Compliance model enforced by ANPD audits and graduated sanctions; no formal certification.

Why Organizations Use It

Mandatory for data processors, avoiding fines up to 2% Brazilian revenue (R$50M cap), suspensions.
Builds trust, enables market access in Brazil's digital economy.
Enhances security, efficiency via data mapping, breach readiness.
Competitive edge through privacy-by-design, partnerships.

Implementation Overview

**Phased risk-basedgovernance/DPO, data mapping/RoPA, policies/contracts, technical controls, DSR/incident ops, monitoring.
Applies universally: all sizes, industries processing Brazilian data.
ANPD-focused audits, no certification but ongoing compliance essential.

ISO 19600 Details

What It Is

ISO 19600:2014 is an international guideline standard for compliance management systems (CMS). It provides scalable guidance for organizations to establish, implement, evaluate, maintain, and improve CMS, using a principles-based, risk-based approach applicable to all sizes and sectors.

Key Components

Follows high-level structure and PDCA cycle with 10 clauses: context, leadership, planning, support, operation, performance evaluation, improvement.
Core principles: good governance, proportionality, transparency, sustainability.
Covers obligations identification, risk assessment, controls, training, monitoring; no fixed controls, non-certifiable.

Why Organizations Use It

Mitigates compliance risks, reduces penalties, enhances governance.
Builds culture, integrates with other ISO systems (e.g., 9001, 14001).
Demonstrates commitment to regulators, stakeholders; supports ethical standards.

Implementation Overview

Phased: gap analysis, policy design, controls rollout, monitoring.
Scalable for SMEs (6-12 months) to enterprises (12-36 months); voluntary, no certification but aligns to ISO 37301 successor.

Key Differences

Aspect	LGPD	ISO 19600
Scope	Personal data protection and processing	General compliance management systems
Industry	All sectors, Brazil residents extraterritorial	All organizations worldwide, any sector
Nature	Mandatory national data protection law	Voluntary compliance guidelines (withdrawn)
Testing	DPIAs for high-risk, ANPD audits	Internal audits, management reviews
Penalties	2% revenue fines up to R$50M	No penalties, loss of alignment

Scope

LGPD

Personal data protection and processing

ISO 19600

General compliance management systems

Industry

LGPD

All sectors, Brazil residents extraterritorial

ISO 19600

All organizations worldwide, any sector

Nature

LGPD

Mandatory national data protection law

ISO 19600

Voluntary compliance guidelines (withdrawn)

Testing

LGPD

DPIAs for high-risk, ANPD audits

ISO 19600

Internal audits, management reviews

Penalties

LGPD

2% revenue fines up to R$50M

ISO 19600

No penalties, loss of alignment

Frequently Asked Questions

Common questions about LGPD and ISO 19600

LGPD FAQ

ISO 19600 FAQ

You Might also be Interested in These Articles...

NIST SP 800-53 Rev 5.1 Private Sector Tailoring Blueprint: First 5 Steps to Overlay-Driven Compliance with Infographic

Step-by-step blueprint for private sector NIST SP 800-53 Rev 5.1 tailoring using overlays for AI & supply chain risks. Infographic + first 5 steps for ROI-drive

Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency

Discover why the SEC's 2023 cybersecurity rules treat cyber risks as material financial threats. Explore the 'stick and carrot' approach for standardized disclo

NIST 800-53 Private Sector ROI Reality Check: Isolating Control Family Impacts on 2024 Breach Costs

Discover NIST 800-53 ROI in private sector: control families like RA, SI, SR reduce median breach costs from $100K to under $50K. Get benchmarks to prioritize i

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

NIST 800-53 vs U.S. SEC Cybersecurity Rules

Compare NIST 800-53 controls vs U.S. SEC cybersecurity rules: key differences in risk management, governance, incident disclosure & compliance. Boost your strategy now! (152 chars)

BRC vs ISO 13485

Compare BRC vs ISO 13485: Food safety powerhouse meets medical device QMS rigor. Key differences in HACCP, audits, risk controls & compliance. Boost your strategy now.

ISO 14001 vs PIPEDA

Compare ISO 14001 vs PIPEDA: Decode environmental EMS vs privacy law differences. Boost compliance, cut risks, integrate strategies for sustainable success now!

LGPD

ISO 19600

Quick Verdict

LGPD

Key Features

ISO 19600

Key Features

Detailed Analysis

LGPD Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 19600 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

LGPD FAQ

What is the primary objective of LGPD?

Who is legally or professionally required to comply with LGPD?

Does LGPD require an external audit or third-party certification?

How often should an assessment for LGPD be performed?

What are the consequences of non-compliance with LGPD?

Can LGPD be mapped to other international frameworks?

What is the first step to begin implementing LGPD?

ISO 19600 FAQ

What is the primary objective of ISO 19600?

Who is legally or professionally required to comply with ISO 19600?

Does ISO 19600 require an external audit or third-party certification?

How often should an assessment for ISO 19600 be performed?

What are the consequences of non-compliance with ISO 19600?

Can ISO 19600 be mapped to other international frameworks?

What is the first step to begin implementing ISO 19600?

You Might also be Interested in These Articles...

NIST SP 800-53 Rev 5.1 Private Sector Tailoring Blueprint: First 5 Steps to Overlay-Driven Compliance with Infographic

Why the SEC Stepped In: The Investor-Driven Push for Cybersecurity Transparency

NIST 800-53 Private Sector ROI Reality Check: Isolating Control Family Impacts on 2024 Breach Costs

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

NIST 800-53 vs U.S. SEC Cybersecurity Rules

BRC vs ISO 13485

ISO 14001 vs PIPEDA