What is the primary objective of LGPD?

The primary objective of LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is to protect the fundamental rights of privacy and freedom of natural persons by regulating the processing of personal data. Enacted August 14, 2018, and fully enforced since August 1, 2021, it establishes 10 core principles (Art. 6)—including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability—while granting data subjects rights to access, correction, deletion, portability, anonymization, and objection to automated decisions (Art. 18).

Who is legally or professionally required to comply with LGPD?

All controllers and operators processing personal data of Brazilian residents must comply with LGPD, regardless of company size or location. Its extraterritorial scope (Art. 3) applies to any processing in Brazil, targeting Brazilian residents for goods/services, or collecting data there. Controllers decide purposes/means (Art. 5, VI); operators execute instructions (Art. 5, VII). No size thresholds exempt entities; public/private sectors included, with partial exemptions for journalism, security, or non-economic private use (Art. 4).

Does LGPD require an external audit or third-party certification?

LGPD does not mandate external audits or third-party certification. The Autoridade Nacional de Proteção de Dados (ANPD) conducts audits (Arts. 55-56), but organizations must maintain Records of Processing Activities (RoPAs, Art. 37), perform Data Protection Impact Assessments (DPIAs) for high-risk activities (Art. 38), and demonstrate accountability via internal governance. Voluntary certifications like ISO 27701 may support compliance but are not required.

How often should an assessment for LGPD be performed?

LGPD assessments, including RoPAs and DPIAs, should be performed continuously with annual reviews and updates for material changes. ANPD regulations (e.g., CD/ANPD No. 02/2022) require ongoing records maintenance; DPIAs for high-risk processing like legitimate interests must be on-demand or prior to initiation (Art. 38). Quarterly internal audits and ad-hoc reviews post-incidents or process changes ensure alignment with 10 principles (Art. 6).

What are the consequences of non-compliance with LGPD?

Non-compliance with LGPD triggers graduated ANPD sanctions, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction), data processing suspension, and deletion orders. Nine sanctions (Art. 52) factor gravity, cooperation, and reoccurrence: warnings, daily fines, publicity, partial/total suspension (up to 6 months, extendable), and prohibitions. Civil claims for damages (Art. 42) and reputational harm apply to B2B/employee data.

Can LGPD be mapped to other international frameworks?

Yes, LGPD maps closely to other international frameworks due to shared principles, rights, and structures. Its 10 principles, data subject rights (Art. 18), legal bases (Art. 7), and security mandates align with global regimes, enabling hybrid programs. ANPD-approved mechanisms like Standard Contractual Clauses (Resolution CD/ANPD No. 19/2024) facilitate transfers, though no adequacy decisions exist yet (Arts. 33-36).

What is the first step to begin implementing LGPD?

The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting a comprehensive data mapping/RoPA. Controllers must designate a DPO via public written act (Art. 41; though small agents are exempted per ANPD guidance), then inventory processing activities, flows, legal bases, sensitive data, and transfers (Art. 37) to enforce principles like minimization and accountability.

What is the primary objective of ISO 37301?

ISO 37301 specifies requirements for establishing, implementing, maintaining, and continually improving an effective Compliance Management System (CMS). Published on 13 April 2021 as the first certifiable standard replacing guidance-only ISO 19600, it follows the High-Level Structure (HLS) and Plan-Do-Check-Act (PDCA) cycle to identify compliance obligations, assess compliance risks, embed a compliance culture, and ensure leadership commitment through risk-based planning, whistleblower protections, performance evaluation, and resource allocation.

Who is legally or professionally required to comply with ISO 37301?

No organizations are legally required to comply with ISO 37301, as it is a voluntary, certifiable international standard applicable to all sizes, types, and sectors. It provides professional benefits for demonstrating systematic compliance management to stakeholders, regulators, investors, and partners, with proportionality based on organizational context, risks, and interested parties.

Does ISO 37301 require an external audit or third-party certification?

ISO 37301 enables but does not require external audits or third-party certification. Certification is available through accredited bodies like those approved by ANAB, involving initial conformity assessments and surveillance audits in a typical three-year cycle, providing verifiable evidence of CMS effectiveness via independent validation.

How often should an assessment for ISO 37301 be performed?

ISO 37301 requires organizations to conduct performance evaluations, including internal audits and management reviews, at planned intervals determined by compliance risks and objectives. Monitoring, measurement, and KPIs (aligned with ISO 37302 guidance) must be ongoing, with management reviews using inputs from audits, incidents, and changes to drive continual improvement.

What are the consequences of non-compliance with ISO 37301?

Non-compliance with ISO 37301 itself carries no direct penalties, as it is voluntary; however, certification withdrawal or failure to maintain a CMS increases organizational exposure to regulatory fines, litigation, and reputational damage from unaddressed compliance obligations. Effective CMS mitigates these by enabling prevention, detection, and response to nonconformities.

Can ISO 37301 be mapped to other international frameworks?

Yes, ISO 37301 follows the ISO High-Level Structure (HLS), enabling seamless mapping and integration with other HLS-based frameworks for Integrated Management Systems (IMS). Companion standards like ISO 37302 (effectiveness), ISO 37303 (competence), and ISO 37002 (whistleblowing) enhance its ecosystem, supporting unified audits and risk management.

What is the first step to begin implementing ISO 37301?

The first step is to secure top management buy-in and perform contextual analysis to map internal/external issues, interested parties, and compliance obligations. This initiates a centralized compliance register, prioritizing material risks per the risk-based approach, followed by defining CMS scope and leadership accountability.

Standards Comparison

LGPD vs ISO 37301

LGPD

Mandatory

2020

Brazil's comprehensive law for personal data protection

ISO 37301

Voluntary

2021

Certifiable international standard for compliance management systems

Quick Verdict

LGPD mandates data protection for Brazilian residents with fines up to 2% revenue, while ISO 37301 offers voluntary CMS certification for global compliance management. Companies adopt LGPD for legal compliance in Brazil; ISO 37301 for structured governance and stakeholder trust.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope targeting Brazilian residents' data processing
10 core principles including prevention and non-discrimination
Fines up to 2% Brazilian revenue capped at R$50M
Mandatory DPO appointment for controllers with public disclosure
ANPD-approved SCCs mandatory for cross-border transfers since 2025

Compliance Management

ISO 37301

ISO 37301:2021 Compliance management systems

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Certifiable CMS requirements replacing ISO 19600
Risk-based compliance obligations assessment
Leadership commitment and culture emphasis
Confidential whistleblowing channels and protections
HLS alignment for integrated management systems

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's comprehensive federal regulation for personal data processing. It protects privacy rights with extraterritorial scope, applying to any processing targeting Brazilian residents. Modeled on GDPR but adapted locally, it uses a risk-based approach with 10 principles like purpose limitation and accountability.

Key Components

**10 principlesPurpose limitation, necessity, transparency, security, prevention, non-discrimination, accountability.
**Data subject rightsAccess, correction, deletion, portability, objection to automated decisions.
**Legal bases10 options including consent, contracts, legitimate interests.
**GovernanceMandatory DPO for controllers, records of processing, DPIAs for high-risk activities.
EnforcementANPD** imposes graduated sanctions up to 2% Brazilian revenue (R$50M cap).

Why Organizations Use It

LGPD compliance avoids multimillion fines, operational halts, reputational damage. It builds trust, enables market access in Brazil's digital economy, supports AI innovation via anonymization exemptions, and aligns with global standards for efficiency.

Implementation Overview

Phased risk-based approach: governance setup, data mapping, policies, technical controls, DSR automation, vendor management, monitoring. Applies to all sizes/industries processing Brazilian data; no certification but ANPD audits required.

ISO 37301 Details

What It Is

ISO 37301:2021, officially "Compliance management systems – Requirements with guidance for use," is a certifiable international standard for establishing, implementing, maintaining, and improving effective compliance management systems (CMS). It replaces guidance-only ISO 19600, using a risk-based, PDCA cycle approach aligned with the ISO High-Level Structure (HLS) for integration with standards like ISO 9001 and 27001.

Key Components

Core clauses: context, leadership, planning, support, operation, performance evaluation, improvement.
Emphasizes leadership commitment, risk assessment, whistleblowing protections, competence, and continual improvement.
Built on HLS; supports certification via accredited bodies like ANAB.

Why Organizations Use It

Drives regulatory compliance, reduces risks, enhances culture of integrity, meets ESG demands, boosts stakeholder trust, and provides third-party validation for competitive edge.

Implementation Overview

Phased approach: gap analysis, obligation register, controls, training, audits. Applicable to all sizes/sectors; involves 3-year certification cycles with surveillance audits. (178 words)

Key Differences

Aspect	LGPD	ISO 37301
Scope	Personal data protection and processing	All compliance obligations and management systems
Industry	All sectors targeting Brazilian residents	All industries and organization sizes globally
Nature	Mandatory national data protection law	Voluntary certifiable management standard
Testing	DPIAs for high-risk, ANPD audits	Internal audits, management reviews, certification audits
Penalties	Fines up to 2% Brazilian revenue (R$50M cap)	Loss of certification, no legal fines

Scope

LGPD

Personal data protection and processing

ISO 37301

All compliance obligations and management systems

Industry

LGPD

All sectors targeting Brazilian residents

ISO 37301

All industries and organization sizes globally

Nature

LGPD

Mandatory national data protection law

ISO 37301

Voluntary certifiable management standard

Testing

LGPD

DPIAs for high-risk, ANPD audits

ISO 37301

Internal audits, management reviews, certification audits

Penalties

LGPD

Fines up to 2% Brazilian revenue (R$50M cap)

ISO 37301

Loss of certification, no legal fines

Frequently Asked Questions

Common questions about LGPD and ISO 37301

LGPD FAQ

ISO 37301 FAQ

You Might also be Interested in These Articles...

NIST CSF 2.0 Supply Chain Risk Management: Complete Playbook with Profiles, Tiers, and Vendor Assessment Templates

Master NIST CSF 2.0 ID.SC supply chain risk management with vendor assessment templates, profile gap analysis, and tier strategies. Mitigate third-party threats

Beyond the Burden: How Intuitive Compliance Software Transforms Daily Workflows

Explore intuitive compliance software that automates workflows, simplifies onboarding, and reduces stress. Cut non-compliance costs 3x and boost efficiency for

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Unlock human-AI synergy with modern compliance tools. Automate monitoring, cut non-compliance risks 3x, and boost strategic decision-making. Elevate your team's

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how LGPD and ISO 37301 compare against other standards

Other LGPD Comparisons

Other ISO 37301 Comparisons

What It Is

Key Components

**10 principlesPurpose limitation, necessity, transparency, security, prevention, non-discrimination, accountability.

**Data subject rightsAccess, correction, deletion, portability, objection to automated decisions.

**Legal bases10 options including consent, contracts, legitimate interests.

**GovernanceMandatory DPO for controllers, records of processing, DPIAs for high-risk activities.

EnforcementANPD** imposes graduated sanctions up to 2% Brazilian revenue (R$50M cap).

What It Is

Aspect

LGPD

ISO 37301

Scope

Personal data protection and processing

All compliance obligations and management systems

Industry

All sectors targeting Brazilian residents

All industries and organization sizes globally

Nature

Mandatory national data protection law

Voluntary certifiable management standard

Testing

DPIAs for high-risk, ANPD audits

Internal audits, management reviews, certification audits

Penalties

Fines up to 2% Brazilian revenue (R$50M cap)

Loss of certification, no legal fines