What is the primary objective of LGPD?

The primary objective of LGPD is to protect the fundamental rights of freedom and privacy by regulating the processing of personal data of natural persons. Enacted as Law No. 13.709/2018, LGPD establishes 10 core principles under Article 6—including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability—to ensure ethical data handling. It unifies prior fragmented regulations, empowering data subjects with rights like access, correction, deletion, portability, and objection to automated decisions (Article 18), while imposing obligations on controllers and operators.

Who is legally or professionally required to comply with LGPD?

LGPD applies to any entity processing personal data in Brazil, targeting Brazilian residents, or collected in Brazil, with no size-based exemptions. Its extraterritorial scope (Article 3) mandates compliance for controllers (deciding purposes/means, Article 5 VI) and operators (processing on instructions, Article 5 VII), public or private, including multinationals in e-commerce, fintech, healthcare, and cloud services. All organizations handling identified/identifiable natural persons' data or sensitive data (e.g., health, biometrics; Article 5 II) must comply, with DPOs mandatory for controllers.

Does LGPD require an external audit or third-party certification?

LGPD does not mandate external audits or third-party certification. The ANPD conducts audits under its supervisory powers (Articles 55-56), but organizations must maintain Records of Processing Activities (RoPAs, Article 37), conduct DPIAs for high-risk processing (Article 38), and demonstrate accountability via internal governance. Voluntary certifications like ISO 27701 may support compliance, but ANPD enforcement relies on self-reported records and incident logs retained for 5 years.

How often should an assessment for LGPD be performed?

LGPD requires ongoing assessments, with Records of Processing Activities (RoPAs) and DPIAs updated continuously for high-risk activities. ANPD regulations (e.g., CD/ANPD No. 02/2022) mandate simplified records for small entities, refreshed for changes in processing. Security incidents demand 3-business-day notifications (Resolution CD/ANPD 15/2024), while annual internal audits, quarterly risk reviews, and ad-hoc DPIAs for new high-risk processing (e.g., profiling, sensitive data) ensure sustained compliance.

What are the consequences of non-compliance with LGPD?

Non-compliance with LGPD triggers graduated sanctions by ANPD, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction). Article 52 outlines 9 measures: warnings, daily fines, publicity of infractions, data blocking/deletion, partial/total suspension of processing (up to 6 months, extendable), and activity prohibitions. Factors like gravity, cooperation, and reoccurrence influence penalties, plus civil liability for damages (Article 42) and operational disruptions.

Can LGPD be mapped to other international frameworks?

Yes, LGPD can be mapped to other international frameworks due to shared principles like purpose limitation, minimization, and data subject rights. Its 10 principles (Article 6) and 10 legal bases (Article 7) align closely with global regimes, facilitating hybrid programs. ANPD-approved mechanisms like SCCs (Resolution CD/ANPD 19/2024) support transfers, enabling convergence while adapting to LGPD's nuances such as broader bases (e.g., credit protection) and Brazil revenue-based fines.

What is the first step to begin implementing LGPD?

The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting data mapping for a Record of Processing Activities (RoPA). Per Article 41, controllers must designate a DPO (publicly disclosed, potentially universal), who oversees governance. Phase 1 involves inventorying data flows, purposes, legal bases, sensitive data, and transfers (Article 37), prioritizing high-risk areas to enforce 10 principles and identify gaps.

What is the primary objective of ISO 26000?

ISO 26000 provides voluntary international guidance on social responsibility to help organizations integrate sustainable practices into their operations. Published in November 2010 and confirmed current in 2021, it defines social responsibility as an organization's accountability for its impacts on society and the environment through transparent, ethical behavior that contributes to sustainable development, respects stakeholder expectations, complies with law, aligns with international norms, and embeds SR throughout the organization.

Who is legally or professionally required to comply with ISO 26000?

No organizations are legally required to comply with ISO 26000, as it is voluntary guidance applicable to all types regardless of size, location, or sector. It targets private, public, and non-profit entities, including SMEs, multinationals, hospitals, schools, and charities, encouraging contextual adoption through stakeholder engagement rather than mandatory conformance.

Does ISO 26000 require an external audit or third-party certification?

ISO 26000 explicitly prohibits external audits or third-party certification. Its Scope (Clause 1) states it is not a management system standard, contains no requirements, and any certification claims constitute misrepresentation or misuse, emphasizing self-assessment, transparent reporting, and stakeholder validation instead.

How often should an assessment for ISO 26000 be performed?

ISO 26000 recommends periodic self-assessments at appropriate intervals aligned with organizational needs and stakeholder expectations. It advocates ongoing integration via Plan-Do-Check-Act cycles, with reporting on objectives, achievements, shortfalls, and improvements, without specifying fixed frequencies to allow contextual prioritization across its seven core subjects.

What are the consequences of non-compliance with ISO 26000?

There are no direct legal consequences for non-compliance with ISO 26000, as it imposes no enforceable requirements. Indirect risks include reputational damage, stakeholder distrust, lost market access, or misalignment with international norms, but credibility relies on transparent use rather than penalties.

Can ISO 26000 be mapped to other international frameworks?

Yes, ISO 26000 aligns with frameworks like OECD Guidelines, UN Global Compact, GRI, and UN SDGs through official ISO linkage documents. It complements them by providing SR principles and core subjects for materiality assessments, due diligence, and reporting, with IWA 26:2017 guiding integration into management systems.

What is the first step to begin implementing ISO 26000?

The first step is recognizing social responsibility and engaging stakeholders (Clause 5) to identify relevant issues across the seven core subjects. This involves understanding organizational impacts, mapping stakeholders, and prioritizing significant SR risks and opportunities contextually.

Standards Comparison

LGPD vs ISO 26000

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

ISO 26000

Voluntary

2010

International guidance standard for social responsibility.

Quick Verdict

LGPD mandates data protection for Brazilian residents with fines up to 2% revenue, while ISO 26000 offers voluntary social responsibility guidance for all organizations. Companies adopt LGPD for legal compliance, ISO 26000 for ethical strategy and stakeholder trust.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope targeting Brazilian residents worldwide
10 core principles including prevention and non-discrimination
Fines up to 2% Brazilian revenue per violation
Mandatory Data Protection Officer for controllers
3-business-day breach notifications to ANPD and subjects

Social Responsibility

ISO 26000

ISO 26000:2010 Guidance on social responsibility

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Seven core subjects spanning governance to community development
Seven principles underpinning accountable, transparent SR
Non-certifiable guidance applicable to all organizations
Stakeholder engagement for materiality and prioritization
Integration with ISO management systems like 14001

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Brazil's Law No. 13.709/2018, is a comprehensive data protection regulation enacted in 2018 and fully enforced since 2021. It safeguards personal data of natural persons with extraterritorial scope, applying to any processing in Brazil, targeting residents, or collecting data there. LGPD employs a risk-based approach with 10 core principles like purpose limitation, necessity, and accountability.

Key Components

10 principles governing all processing activities.
Data subject rights: access, correction, deletion, portability, anonymization, objection to automated decisions.
Legal bases: 10 options including consent, contracts, legitimate interests.
Governance: mandatory DPO for controllers, DPIAs for high-risk processing, enforced by ANPD with graduated sanctions up to 2% Brazilian revenue (R$50M cap).

Why Organizations Use It

LGPD compliance is mandatory to avoid fines, operational suspensions, and reputational harm. It drives trust-building, market access in Brazil's digital economy, and synergies with GDPR. Benefits include risk reduction, efficient data practices, and competitive edges via privacy-by-design.

Implementation Overview

Phased approach: governance setup, data mapping (RoPA), policies, technical controls, training, monitoring. Applies to all sizes/industries processing Brazilian data; no certification but ANPD audits and records required. Prioritize high-risk areas like sensitive data and transfers.

ISO 26000 Details

What It Is

ISO 26000:2010 is an international guidance standard providing a framework for social responsibility (SR). It offers voluntary principles and practices applicable to all organizations, focusing on impacts on society and the environment through a holistic, stakeholder-driven approach.

Key Components

Seven core subjects: organizational governance, human rights, labor practices, environment, fair operating practices, consumer issues, community involvement.
Seven principles: accountability, transparency, ethical behavior, respect for stakeholder interests, rule of law, international norms, human rights.
No certifiable requirements; emphasizes integration and self-assessment.

Why Organizations Use It

Enhances sustainability commitment, risk management, and stakeholder trust.
Aligns with SDGs, OECD, GRI for credibility without certification burdens.
Drives operational resilience, reputation, and competitive edge in ESG contexts.

Implementation Overview

Phased: materiality assessment, stakeholder engagement, policy integration, training, reporting.
Suited for all sizes/sectors; integrates with ISO 14001/45001.
No audits/certification; uses transparent reporting and Communication Protocol. (178 words)

Key Differences

Aspect	LGPD	ISO 26000
Scope	Personal data protection and privacy	Broad social responsibility and sustainability
Industry	All sectors targeting Brazilian residents	All organizations worldwide, all sectors
Nature	Mandatory law with ANPD enforcement	Voluntary non-certifiable guidance
Testing	DPIAs for high-risk, ANPD audits	Self-assessments, no formal certification
Penalties	Fines up to 2% Brazilian revenue	No legal penalties, reputational risks

Scope

LGPD

Personal data protection and privacy

ISO 26000

Broad social responsibility and sustainability

Industry

LGPD

All sectors targeting Brazilian residents

ISO 26000

All organizations worldwide, all sectors

Nature

LGPD

Mandatory law with ANPD enforcement

ISO 26000

Voluntary non-certifiable guidance

Testing

LGPD

DPIAs for high-risk, ANPD audits

ISO 26000

Self-assessments, no formal certification

Penalties

LGPD

Fines up to 2% Brazilian revenue

ISO 26000

No legal penalties, reputational risks

Frequently Asked Questions

Common questions about LGPD and ISO 26000

LGPD FAQ

ISO 26000 FAQ

You Might also be Interested in These Articles...

Asset-Backed Issuers and SEC Cybersecurity Rules: Applicability, Disclosures, and Compliance Roadmap

How SEC cybersecurity rules apply to asset-backed issuers (ABS): Form 10-D disclosures, ABS-EE risk management, Inline XBRL tagging, exemptions. Roadmap for tru

Top 5 Reasons HITRUST CSF's MyCSF Platform Crushes Evidence Overload for R2 Assessments in Hybrid Cloud Environments

Explore top 5 advantages of HITRUST MyCSF for 1,400+ R2 controls in hybrid clouds. Slash docs by 30%, dodge under-scoping, achieve continuous compliance for hea

Top 10 SOC 2 Mistakes Startups Make (and Fixes with Automation)

Avoid top 10 SOC 2 mistakes like scope creep & evidence gaps. See fail/pass visuals, client quotes, Vanta/Drata automation fixes for bootstrapped startups. Quic

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how LGPD and ISO 26000 compare against other standards

Other LGPD Comparisons

Other ISO 26000 Comparisons

What It Is

Key Components

10 principles governing all processing activities.

Data subject rights: access, correction, deletion, portability, anonymization, objection to automated decisions.

Legal bases: 10 options including consent, contracts, legitimate interests.

Governance: mandatory DPO for controllers, DPIAs for high-risk processing, enforced by ANPD with graduated sanctions up to 2% Brazilian revenue (R$50M cap).

Key Components

Seven core subjects: organizational governance, human rights, labor practices, environment, fair operating practices, consumer issues, community involvement.

Seven principles: accountability, transparency, ethical behavior, respect for stakeholder interests, rule of law, international norms, human rights.

No certifiable requirements; emphasizes integration and self-assessment.

Aspect

LGPD

ISO 26000

Scope

Personal data protection and privacy

Broad social responsibility and sustainability

Industry

All sectors targeting Brazilian residents

All organizations worldwide, all sectors

Nature

Mandatory law with ANPD enforcement

Voluntary non-certifiable guidance

Testing

DPIAs for high-risk, ANPD audits

Self-assessments, no formal certification

Penalties

Fines up to 2% Brazilian revenue

No legal penalties, reputational risks