What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's landmark comprehensive data protection regulation. Enacted in 2018 with full enforcement since 2021, it safeguards personal data of natural persons via extraterritorial scope, applying to processing in Brazil, targeting residents, or collected there. Adopts a risk-based approach with accountability, mirroring GDPR but tailored to Brazilian rights.

Key Components

• **10 core principlespurpose limitation, necessity, transparency, security, prevention, non-discrimination, accountability.
• **Data subject rightsaccess, correction, deletion, portability, anonymization, objection to automated decisions.
• **10 legal basesconsent, contracts, legitimate interests, sensitive data restrictions.
• **Governance toolsmandatory DPO for controllers, Records of Processing Activities (RoPAs), DPIAs for high-risk, ANPD enforcement with graduated sanctions.

Why Organizations Use It

Mandatory for entities processing Brazilian data to avoid fines up to 2% Brazilian revenue (R$50M cap), suspensions, reputational harm. Drives trust, market access in $2T digital economy, innovation via anonymization exemptions, GDPR synergies for multinationals.

Implementation Overview

**Phased risk-based methodologygovernance/DPO appointment, data mapping/RoPAs, policies/contracts/SCCs, technical controls/training/DSRs, breach response, monitoring/audits. Applies universally across sizes/industries/geographies; ANPD audits, no formal certification.

What It Is

ISO/IEC 20000-1:2018 is the international certifiable standard for establishing, implementing, and improving a service management system (SMS). It focuses on managing the full service lifecycle—planning, design, transition, delivery, and improvement—to ensure consistent service quality. Built on Annex SL high-level structure and PDCA cycle, it aligns with other ISO standards like ISO 9001 and ISO/IEC 27001.

Key Components

• Clauses 4–10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
• Clause 8 details operational domains: service portfolio, relationships, supply/demand, design/transition, resolution/fulfilment, assurance.
• Core processes include incident/problem management, change/release, configuration/asset, availability/continuity, security.
• Certifiable via accredited bodies with Stage 1/2 audits, surveillance, recertification.

Why Organizations Use It

• Drives reliability, risk reduction, customer trust (e.g., 69% report inspired trust).
• Enables market differentiation, integration with ITIL/DevOps.
• Supports compliance, governance in IT/cloud/services.

Implementation Overview

• Phased: gap analysis, design, deploy, audit, certify (12-18 months typical).
• Applies to all sizes/industries; requires leadership, training, tools.
• Evidence-based audits ensure ongoing PDCA improvement.