What is the primary objective of **LGPD**?

**The primary objective of LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is to protect the fundamental rights of freedom and privacy of natural persons through regulation of personal data processing by public and private entities.** It unifies fragmented norms, mandates 10 core principles (e.g., **purpose limitation**, **necessity**, **accountability** under Art. 6), grants data subjects rights like access, deletion, and portability (Art. 18), and enforces via ANPD since full sanctions on August 1, 2021.

Who is legally or professionally required to comply with **LGPD**?

**All controllers and processors handling personal data of Brazilian residents must comply with LGPD, regardless of company size or location, due to its extraterritorial scope (Art. 3).** This includes any processing in Brazil, targeting Brazilian residents for goods/services, or collecting data there; applies to public/private entities in sectors like e-commerce, fintech, healthcare; no employee/revenue thresholds—B2B/employee data included.

Does **LGPD** require an external audit or third-party certification?

**LGPD does not mandate external audits or third-party certification, but ANPD can conduct audits and requires controllers to maintain processing records and DPIAs for high-risk activities (Arts. 37-38).** Processors must follow controller instructions with security measures; voluntary certifications (e.g., codes of conduct) demonstrate compliance, aiding sanction mitigation.

How often should an assessment for **LGPD** be performed?

**LGPD requires ongoing assessments via records of processing activities (RoPAs, Art. 37) and DPIAs for high-risk processing (Art. 38), with annual internal audits and updates recommended for changes.** ANPD demands incident logs for 5 years (Res. CD/ANPD 15/2024); quarterly reviews for risks, continuous monitoring for data flows, breaches, and ANPD guidance.

What are the consequences of non-compliance with **LGPD**?

**Non-compliance with LGPD incurs graduated ANPD sanctions, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction), data processing suspension up to 6 months, and publicity of violations (Art. 52).** Factors like gravity, cooperation, and safeguards influence penalties; civil claims for damages (Art. 42) and operational disruptions also apply.

Can **LGPD** be mapped to other international frameworks?

**Yes, LGPD maps closely to international frameworks due to shared principles, rights, and extraterritoriality, enabling hybrid compliance programs.** Aligns on 80% of data subject rights, legal bases (LGPD's 10 exceed others), DPIAs, and transfers (e.g., SCCs); differences include Brazil revenue-based fines vs. global, broader principles like **prevention** and **non-discrimination** (Art. 6).

What is the first step to begin implementing **LGPD**?

**The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting a comprehensive data mapping/RoPA to inventory processing activities, flows, legal bases, and risks (Arts. 37, 41).** Secure executive sponsorship, prioritize high-risk/sensitive data, and establish governance for principles compliance.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security.** It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, integrate SMS into business processes, and ensure top management leadership for risk treatment and performance evaluation.

Who is legally or professionally required to comply with **ISO 28000**?

**ISO 28000 applies to all organization types and sizes across any activity, internal or external, but is not legally mandatory.** It is professionally relevant for entities influencing supply chain security, such as logistics providers, manufacturers, retailers, ports, and government agencies handling transport, storage, or procurement. Compliance is driven by customer requirements, contractual obligations, insurance needs, or market access in high-risk sectors.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 supports conformity verification via internal or external auditing but does not require third-party certification.** Certification follows ISO 28003 guidelines through accredited bodies via Stage 1 (documentation) and Stage 2 (effectiveness) audits, with surveillance thereafter. Organizations typically pursue it after internal audits and management review to demonstrate maturity to stakeholders.

How often should an assessment for **ISO 28000** be performed?

**Risk assessments under ISO 28000 must be maintained as an ongoing process per Clause 8.3, with internal audits conducted at planned intervals per Clause 9.2.** Frequency is risk-based, considering prior results and changes; management reviews occur at planned intervals (Clause 9.3), typically annually, with continual monitoring of performance metrics and nonconformities.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 exposes organizations to operational disruptions, financial losses from security incidents, and failure to meet contractual or stakeholder expectations.** As a voluntary standard, it carries no direct legal penalties, but gaps in SMS can lead to supply chain failures, increased insurance costs, loss of market access, or regulatory scrutiny in trade facilitation programs.

Can **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000:2022 aligns structurally with Annex SL management system standards, enabling mapping to frameworks like ISO 31000 for risk processes and ISO 22301 for security plans.** Its PDCA structure, Clause 4 principles, and Clause 8 risk treatment support integrated systems, sharing documentation, audits, and reviews without duplication.

What is the first step to begin implementing **ISO 28000**?

**The first step is determining the organization's context, interested parties, and SMS scope per Clause 4.** This includes mapping internal/external issues, supply chain dependencies, legal requirements, and externally provided processes, documented as the foundation for policy, risk assessment, and leadership commitment.

LGPD vs ISO 28000

Standards Comparison

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

ISO 28000

Voluntary

2022

International standard for supply chain security management systems

Quick Verdict

LGPD mandates data protection for Brazilian residents' personal data with fines up to 2% revenue, while ISO 28000 is a voluntary standard for supply chain security management via risk-based systems. Companies adopt LGPD for legal compliance, ISO 28000 for resilience and certification.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope targets processing for Brazilian residents
10 core principles include prevention and non-discrimination
Fines up to 2% Brazilian revenue capped at R$50 million
Mandatory DPO appointment and public disclosure for controllers
3-business-day breach notifications to ANPD and subjects

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management
PDCA cycle for continual improvement
Leadership commitment and policy requirements
Operational controls for suppliers and processes
Integration with ISO 22301 and 31000

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is Brazil's comprehensive federal data protection regulation, enacted in 2018 and fully enforced since 2021. It protects personal and sensitive data with extraterritorial scope, applying to any processing targeting Brazilian residents or occurring in Brazil. Adopts a risk-based approach emphasizing accountability, mirroring GDPR but with local adaptations like 10 principles.

Key Components

**10 core principlespurpose limitation, necessity, transparency, security, prevention, accountability.
**10 legal basesconsent, contracts, legitimate interests, credit protection.
Data subject **rightsaccess, correction, deletion, portability, objection to automated decisions.
ANPD oversight with graduated sanctions; mandatory records, DPIAs for high-risk processing. Compliance via self-assessment, DPO appointment, no formal certification.

Why Organizations Use It

Mandatory compliance avoids fines up to 2% Brazilian revenue (R$50M cap), operational halts. Enables market access in Brazil's digital economy, builds stakeholder trust, mitigates breach risks amid cyber threats. Yields efficiencies via data minimization, competitive edges through privacy-by-design.

Implementation Overview

**Phased, risk-basedgovernance/DPO setup, data mapping/RoPA, policies/contracts/SCCs, technical controls/training, monitoring/audits. Applies universally across sizes/industries/geographies processing Brazilian data; ANPD enforces via audits/sanctions.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international certification standard for security management systems (SMS) focused on supply chain security. It specifies requirements to establish, implement, maintain, and improve SMS using a risk-based PDCA (Plan-Do-Check-Act) approach, aligned with ISO 31000 and other management standards.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, performance evaluation, and improvement.
Emphasizes risk assessment/treatment, security policies, operational controls, audits, and continual improvement.
Built on harmonized ISO structure for integration; no fixed controls, but tailored to threats like theft, sabotage.
Certification via accredited bodies per ISO 28003.

Why Organizations Use It

Reduces supply chain risks, ensures compliance, meets partner demands.
Enhances resilience, lowers insurance costs, boosts market access.
Builds stakeholder trust through auditable governance.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, training, audits.
Applicable to all sizes/industries; 12-18 months typical.
Involves leadership commitment, supplier controls, certification audits.

Key Differences

Aspect	LGPD	ISO 28000
Scope	Personal data protection and privacy	Supply chain security management
Industry	All sectors processing Brazilian data	Logistics, manufacturing, all supply chains
Nature	Mandatory national law with ANPD enforcement	Voluntary ISO management system standard
Testing	DPIAs for high-risk, ANPD audits	Internal audits, management reviews, certification
Penalties	Fines up to 2% Brazilian revenue (R$50M cap)	No legal penalties, loss of certification

Scope

LGPD

Personal data protection and privacy

ISO 28000

Supply chain security management

Industry

LGPD

All sectors processing Brazilian data

ISO 28000

Logistics, manufacturing, all supply chains

Nature

LGPD

Mandatory national law with ANPD enforcement

ISO 28000

Voluntary ISO management system standard

Testing

LGPD

DPIAs for high-risk, ANPD audits

ISO 28000

Internal audits, management reviews, certification

Penalties

LGPD

Fines up to 2% Brazilian revenue (R$50M cap)

ISO 28000

No legal penalties, loss of certification

Frequently Asked Questions

Common questions about LGPD and ISO 28000

LGPD FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

ISO 27701 2025 Update: Navigating Standalone Certification Myths, Audit Realities, and a 90-Day PIMS Launch Plan

Debunk ISO 27701 2025 standalone certification myths vs ISO 27001. Get a 90-day PIMS launch roadmap, checklists & audit prep to certify faster amid global priva

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for

Beyond the Boardroom: 5 Ways Modern Compliance Software Elevates Every Department

Discover 5 ways modern compliance software boosts HR, IT, finance & more: automate risks, enhance efficiency, ensure data integrity, stay audit-ready. Elevate y

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

PDPA vs EMAS

Unlock PDPA vs EMAS: Compare Asia's data privacy laws (Singapore, Thailand, Taiwan PDPA) with EU's rigorous environmental scheme. Master compliance for global success!

WCAG vs AS9100

Explore WCAG vs AS9100: Web accessibility meets aerospace quality. Uncover differences, compliance strategies & implementation for enterprise success. Boost standards now!

MLPS 2.0 (Multi-Level Protection Scheme) vs MAS TRM

Unpack MLPS 2.0 vs MAS TRM: China's graded cyber regime meets Singapore's tech risk guidelines. Key compliance diffs, controls & enforcement for Asia ops. Compare now!

LGPD

ISO 28000

Quick Verdict

LGPD

Key Features

ISO 28000

Key Features

Detailed Analysis

LGPD Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

LGPD FAQ

What is the primary objective of LGPD?

Who is legally or professionally required to comply with LGPD?

Does LGPD require an external audit or third-party certification?

How often should an assessment for LGPD be performed?

What are the consequences of non-compliance with LGPD?

Can LGPD be mapped to other international frameworks?

What is the first step to begin implementing LGPD?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

Can ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

ISO 27701 2025 Update: Navigating Standalone Certification Myths, Audit Realities, and a 90-Day PIMS Launch Plan

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Beyond the Boardroom: 5 Ways Modern Compliance Software Elevates Every Department

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

PDPA vs EMAS

WCAG vs AS9100

MLPS 2.0 (Multi-Level Protection Scheme) vs MAS TRM