What is the primary objective of **LGPD**?

**The primary objective of LGPD is to protect the fundamental rights of natural persons regarding the processing of personal data, unifying fragmented regulations into a comprehensive framework.** Enacted as Law No. 13.709/2018 on August 14, 2018, it safeguards privacy and personality rights through 10 core principles (Article 6), including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability, while balancing innovation and data subject rights like access, correction, deletion, portability, and objection to automated decisions (Article 18).

Who is legally or professionally required to comply with **LGPD**?

**All controllers and processors handling personal data of individuals located in Brazil must comply with LGPD, regardless of company size or location.** Its extraterritorial scope (Article 3) applies to any processing in Brazil, targeting Brazilian residents for goods/services, or collecting data there, including B2B and employee data. Controllers decide purposes/means (Article 5, VI); processors execute instructions (Article 5, VII). No employee/revenue thresholds exempt entities; public/private sectors included, with partial exemptions for journalism/security (Article 4).

Does **LGPD** require an external audit or third-party certification?

**LGPD does not mandate external audits or third-party certification.** The ANPD conducts audits (Articles 55-56), but organizations must maintain Records of Processing Activities (RoPAs, Article 37, simplified for small entities per CD/ANPD 02/2022), perform Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 38), and demonstrate accountability via internal governance. Voluntary certifications like ISO 27701 enhance maturity but are not required.

How often should an assessment for **LGPD** be performed?

**LGPD assessments, including RoPAs and DPIAs, should be performed continuously with regular reviews, such as quarterly for risks and annually for full audits.** ANPD regulations (e.g., CD/ANPD 15/2024) require ongoing monitoring, incident logs for 5 years, and updates for new processing or ANPD guidance. High-risk activities trigger immediate DPIAs; gap analyses precede implementation, followed by periodic internal audits to align with 10 principles (Article 6).

What are the consequences of non-compliance with **LGPD**?

**Non-compliance with LGPD incurs graduated administrative sanctions by ANPD, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction), data processing suspension up to 6 months (extendable), and publicity of violations.** Factors like gravity, cooperation, and safeguards influence penalties (Article 53); civil claims for damages (Article 42) and operational disruptions also apply, with full enforcement since August 1, 2021.

Can **LGPD** be mapped to other international frameworks?

**Yes, LGPD can be mapped to other international frameworks due to shared principles like purpose limitation, minimization, transparency, and data subject rights.** Its 10 principles (Article 6) and 10 legal bases (Article 7) align closely with global regimes, enabling hybrid programs; however, nuances like Brazil revenue-based fines (vs. global), 3-day breach notifications (Resolution 15/2024), and no adequacy decisions require tailored adaptations.

What is the first step to begin implementing **LGPD**?

**The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting a comprehensive data mapping to create a Record of Processing Activities (RoPA).** DPO (Article 41, public disclosure) oversees governance; mapping inventories flows, purposes, legal bases, and risks (Article 37), prioritizing high-risk/sensitive data for DPIAs, enabling phased compliance.

What is the primary objective of **ISO 37001**?

**ISO 37001 establishes requirements for an Anti-Bribery Management System (ABMS) to prevent, detect, and respond to bribery.** It follows the PDCA cycle across Clauses 4–10, requiring proportionate controls like risk assessment, due diligence, financial controls, training, and continual improvement, applicable to all organization sizes and sectors.

Who is legally or professionally required to comply with **ISO 37001**?

**ISO 37001 is voluntary and applicable to any public, private, or not-for-profit organization regardless of size or sector.** High-risk entities—such as multinationals in extractives, construction, or public procurement—adopt it for regulatory alignment (e.g., FCPA, UK Bribery Act), tender requirements, or investor demands, with 99% of surveyed firms using third-party due diligence.

Does **ISO 37001** require an external audit or third-party certification?

**ISO 37001 certification is optional but involves accredited third-party audits.** It features Stage 1 (documentation review) and Stage 2 (effectiveness verification), issuing a 3-year certificate with annual surveillance audits every 12–24 months, amplifying evidentiary value for liability mitigation.

How often should an assessment for **ISO 37001** be performed?

**Bribery risk assessments under ISO 37001 must be conducted initially, then periodically and when significant changes occur.** Mature programs align with 56% of firms performing independent third-party reviews, internal audits at planned intervals (Clause 9.2), and management reviews (Clause 9.3), integrated into the PDCA cycle.

What are the consequences of non-compliance with **ISO 37001**?

**Non-conformance with ISO 37001 risks certification denial, surveillance audit failures, or certificate withdrawal.** Operationally, it exposes organizations to bribery enforcement (e.g., fines, debarment), with certification providing mitigation evidence but no absolute immunity; up to 95% of cases involve third parties.

Can **ISO 37001** be mapped to other international frameworks?

**Yes, ISO 37001 aligns with the Harmonized Structure (HS) for integration with standards like ISO 9001 and ISO/IEC 27001.** Its PDCA architecture (Clauses 4–10) enables unified audits, shared risk assessments, and streamlined governance, reducing compliance costs by up to 15% in mature programs.

What is the first step to begin implementing **ISO 37001**?

**The first step is determining organizational context and scope per Clause 4, including bribery risk assessment (Clause 4.5).** Secure leadership commitment (Clause 5), appoint a compliance function, and conduct a gap analysis against Clauses 4–10 to prioritize proportionate controls.

LGPD vs ISO 37001

Standards Comparison

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

ISO 37001

Voluntary

2025

International standard for anti-bribery management systems

Quick Verdict

LGPD mandates data protection for Brazilian residents with fines up to 2% revenue, while ISO 37001 is a voluntary anti-bribery standard offering certification. Companies adopt LGPD for legal compliance, ISO 37001 for risk mitigation and trust.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope for Brazilian residents' data
10 core principles including prevention, non-discrimination
Fines up to 2% Brazilian revenue, R$50M cap
Mandatory DPO appointment for controllers
10 legal bases including credit protection

Anti-Bribery/Compliance

ISO 37001

ISO 37001 Anti-Bribery Management Systems

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Third-party due diligence and monitoring
Risk-based bribery assessments
Leadership commitment and policy
Financial and non-financial controls
PDCA continual improvement cycle

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's comprehensive data protection regulation. Enacted in 2018 and fully enforced since 2021, it safeguards personal data of natural persons with extraterritorial scope, applying to processing in Brazil, targeting residents, or collected there. It adopts a risk-based approach with 10 principles like purpose limitation, necessity, and accountability.

Key Components

10 core principles governing all processing activities.
**Data subject rightsaccess, correction, deletion, portability, anonymization, objection to automated decisions.
10 legal bases for processing, including consent, contracts, legitimate interests.
**Governancemandatory DPO for controllers, records of processing, DPIAs for high-risk activities.
Enforcement by ANPD with graduated sanctions; compliance via self-assessment, no formal certification.

Why Organizations Use It

LGPD compliance avoids fines up to 2% Brazilian revenue (R$50M cap), operational suspensions, and litigation. It builds trust, enables market access in Brazil's digital economy, enhances security, and supports innovation via anonymization exemptions.

Implementation Overview

Phased risk-based approach: governance setup, data mapping, policies, technical controls, training, monitoring. Applies to all sizes/industries processing Brazilian data; involves RoPAs, vendor DPAs, SCCs for transfers by 2025.

ISO 37001 Details

What It Is

ISO 37001: Anti-Bribery Management Systems is an international certifiable standard for establishing, implementing, maintaining, and improving an Anti-Bribery Management System (ABMS). Its primary purpose is to enable organizations to prevent, detect, and respond to bribery proportionate to risks, covering direct/indirect bribery by/for the organization, personnel, and business associates across sectors. It employs a risk-based PDCA (Plan-Do-Check-Act) methodology via Clauses 4-10, aligned with ISO's Harmonized Structure.

Key Components

Core pillars: context/risk assessment, leadership/policy, planning, support/training, operations/controls, evaluation/audits, improvement.
Key controls: due diligence, financial/non-financial safeguards, reporting/investigations, compliance function.
Built on proportionality, leadership accountability; ~8 auditable control clusters.
**Certification modelvoluntary, 3-year cycle with surveillance audits by accredited bodies.

Why Organizations Use It

Mitigates legal risks (FCPA, UK Bribery Act); evidentiary defense in prosecutions.
Enhances reputation, stakeholder trust, ESG alignment.
Drives efficiencies (15% compliance cost cuts), third-party risk reduction (95% cases involve them).
Competitive tender advantages, cultural transformation.

Implementation Overview

Phased: gap analysis, risk assessment, control design/training, monitoring/audits.
Scalable for all sizes/industries/geographies.
Certification optional but recommended for assurance. (178 words)

Key Differences

Aspect	LGPD	ISO 37001
Scope	Personal data protection and privacy	Anti-bribery management systems
Industry	All sectors targeting Brazilian residents	All sectors worldwide
Nature	Mandatory national data protection law	Voluntary certifiable management standard
Testing	DPIAs for high-risk, ANPD audits	Internal audits, certification audits
Penalties	Fines up to 2% Brazilian revenue	No legal penalties, certification loss

Scope

LGPD

Personal data protection and privacy

ISO 37001

Anti-bribery management systems

Industry

LGPD

All sectors targeting Brazilian residents

ISO 37001

All sectors worldwide

Nature

LGPD

Mandatory national data protection law

ISO 37001

Voluntary certifiable management standard

Testing

LGPD

DPIAs for high-risk, ANPD audits

ISO 37001

Internal audits, certification audits

Penalties

LGPD

Fines up to 2% Brazilian revenue

ISO 37001

No legal penalties, certification loss

Frequently Asked Questions

Common questions about LGPD and ISO 37001

LGPD FAQ

ISO 37001 FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1 for Cloud & SaaS: A Practical Safeguard Playbook for AWS/Azure/GCP and Microsoft 365

Turn CIS Controls v8.1 into a cloud-first playbook for AWS, Azure, GCP & Microsoft 365. Get actionable IaaS/PaaS/SaaS safeguards, automation patterns, evidence

Singapore PDPA Implementation Guide: Mastering Part 6A Breach Notification Thresholds and Timelines from Primary Statute

Master Singapore PDPA Part 6A breach notifications: statutory thresholds (risk of significant harm), 72-hour timelines, checklists, templates & frameworks. Comp

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Fail CIS Controls v8.1 audits due to missing evidence? Get the blueprint: exact artifacts auditors want, repository structure, and automation from security tool

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 13485 vs ISO 27017

Explore ISO 13485 vs ISO 27017: Medical device QMS for regulatory compliance & risk control vs cloud security extensions. Key differences, benefits & implementation guide.

DORA vs ISO 9001

Discover DORA vs ISO 9001: EU finance resilience regs meet global QMS standards. Compare scopes, mandates & benefits for compliance mastery. Explore now!

APPI vs HIPAA

Compare APPI vs HIPAA: Japan's broad personal data law vs US health info rules. Uncover scope, consent, breach & enforcement diffs for global compliance mastery. Dive in now!

LGPD

ISO 37001

Quick Verdict

LGPD

Key Features

ISO 37001

Key Features

Detailed Analysis

LGPD Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 37001 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

LGPD FAQ

What is the primary objective of LGPD?

Who is legally or professionally required to comply with LGPD?

Does LGPD require an external audit or third-party certification?

How often should an assessment for LGPD be performed?

What are the consequences of non-compliance with LGPD?

Can LGPD be mapped to other international frameworks?

What is the first step to begin implementing LGPD?

ISO 37001 FAQ

What is the primary objective of ISO 37001?

Who is legally or professionally required to comply with ISO 37001?

Does ISO 37001 require an external audit or third-party certification?

How often should an assessment for ISO 37001 be performed?

What are the consequences of non-compliance with ISO 37001?

Can ISO 37001 be mapped to other international frameworks?

What is the first step to begin implementing ISO 37001?

You Might also be Interested in These Articles...

CIS Controls v8.1 for Cloud & SaaS: A Practical Safeguard Playbook for AWS/Azure/GCP and Microsoft 365

Singapore PDPA Implementation Guide: Mastering Part 6A Breach Notification Thresholds and Timelines from Primary Statute

The CIS Controls v8.1 Evidence Pack: What Auditors Ask For (and How to Produce Proof Fast)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 13485 vs ISO 27017

DORA vs ISO 9001

APPI vs HIPAA