What is the primary objective of **LGPD**?

**The primary objective of LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is to protect the fundamental rights of privacy and freedom of natural persons by regulating the processing of personal data.** Enacted August 14, 2018, it unifies prior fragmented laws, mandating 10 principles (Art. 6: purpose limitation, adequacy, necessity, transparency, security, prevention, non-discrimination, accountability) for controllers and processors handling data of identified/identifiable individuals, including extraterritorial processing targeting Brazilian residents (Art. 3).

Who is legally or professionally required to comply with **LGPD**?

**All public and private entities acting as controllers or processors are required to comply with LGPD when processing personal data in Brazil, targeting Brazilian residents, or collected therein.** No size thresholds exempt organizations; applies to multinationals via extraterritorial scope (Art. 3). Controllers decide purposes/means (Art. 5, VI); processors execute under instructions (Art. 5, VII). Exemptions limited to non-economic private uses, journalism, public security (Art. 4).

Does **LGPD** require an external audit or third-party certification?

**LGPD does not mandate external audits or third-party certification.** ANPD conducts audits (Art. 55); controllers/processors must maintain records of activities (Art. 37, simplified for small entities per CD/ANPD 02/2022) and perform DPIAs for high-risk processing (Art. 38). Voluntary certifications enhance compliance demonstration.

How often should an assessment for **LGPD** be performed?

**LGPD assessments, including Records of Processing Activities and DPIAs, should be performed continuously with annual reviews and updates for material changes.** ANPD requires ongoing monitoring; incident logs retained 5 years (Resolution CD/ANPD 15/2024). Quarterly internal audits recommended for high-risk activities like legitimate interests balancing tests.

What are the consequences of non-compliance with **LGPD**?

**Non-compliance with LGPD incurs graduated sanctions by ANPD, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction), data processing suspension up to 6 months, and publicity of violations (Art. 52-53).** Factors include gravity, cooperation, reoccurrence; applies to B2B/employee data. Civil claims for damages also possible (Art. 42).

Can **LGPD** be mapped to other international frameworks?

**Yes, LGPD can be mapped to other international frameworks due to shared principles like purpose limitation, minimization, and data subject rights.** Its 10 principles expand GDPR's 7; 10 legal bases exceed GDPR's 6 (adding credit protection). Multinationals leverage synergies for hybrid programs, though ANPD-specific rules (e.g., SCCs by Aug 23, 2025) require adaptations.

What is the first step to begin implementing **LGPD**?

**The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting data mapping for a Record of Processing Activities (RoPA).** DPO mandatory for controllers (Art. 41, public disclosure); RoPA inventories flows, purposes, legal bases (Art. 37), enabling risk prioritization per Phase 1 guidance.

What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**MLPS 2.0 (Multi-Level Protection Scheme) establishes a graded cybersecurity framework to protect information systems based on potential harm to national security, social order, and public interests.** It classifies systems into five levels (1-5) via impact assessment, mandating commensurate technical, management, physical, and personnel controls per GB/T 22239-2020, GB/T 25070-2020, and GB/T 28448-2020. Objectives include consistent nationwide baselines, law enforcement oversight, and integration with China's Cybersecurity Law Article 21.

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**All network operators in mainland China must comply with MLPS 2.0 (Multi-Level Protection Scheme), including domestic firms, foreign-invested enterprises, and multinationals with local systems.** This covers operators of IT networks, cloud platforms, IoT, big data, and industrial controls, especially in critical sectors like energy, finance, telecom. Virtually all entities qualify; Level 2+ systems require PSB filing.

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**Yes, MLPS 2.0 (Multi-Level Protection Scheme) mandates external security reviews by licensed Chinese firms for Level 2+ systems, targeting a minimum 75/100 score.** PSBs review results for certification approval. Level 3+ needs annual evaluations; documentation includes policies, architectures, and risk assessments.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**MLPS 2.0 (Multi-Level Protection Scheme) requires re-evaluations for Level 2+ systems: biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5.** Triggered by major changes (e.g., cloud migration); includes self-inspections and third-party audits by PSBs.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 (Multi-Level Protection Scheme) incurs fines up to 100,000 RMB, operational suspensions, system shutdowns, and intensified PSB inspections.** Enforcement links to license renewals; severe cases involve blacklisting or criminal liability under Cybersecurity Law.

Can **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 (Multi-Level Protection Scheme) maps structurally to frameworks like ISO 27001 and NIST CSF via shared domains (governance, physical, technical controls).** Leverage ISO Statement of Applicability for MLPS gap analysis, though MLPS adds prescriptive grading, PSB oversight, and data localization.

What is the first step to begin implementing **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The first step for MLPS 2.0 (Multi-Level Protection Scheme) implementation is conducting an impact-based self-classification of systems into Levels 1-5.** Inventory assets, assess harm to security/social order per GB/T 22240-2020, document rationale, then file with local PSB (within 30 days for Level 2+).

LGPD vs MLPS 2.0 (Multi-Level Protection Scheme)

Standards Comparison

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

N/A

Chinese regulation for graded cybersecurity protection scheme

Quick Verdict

LGPD safeguards personal data privacy for Brazilian residents via rights and DPIAs, while MLPS 2.0 mandates graded cybersecurity for China's networks with audits. Companies adopt LGPD for Brazil compliance, MLPS for China operations to avoid fines and ensure market access.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope applies to Brazilian residents' data worldwide
10 core principles including prevention and non-discrimination
Fines up to 2% of Brazilian revenue per violation
Mandatory Data Protection Officer for controllers
3-business-day breach notifications to ANPD and subjects

Standard

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five-level impact-based system classification
Mandatory third-party audits for Level 2+
PSB registration and ongoing enforcement
Extended controls for cloud, IoT, big data
Governance, personnel, supply chain requirements

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's comprehensive data protection regulation. It governs personal data processing with extraterritorial scope targeting Brazilian residents, emphasizing privacy as a fundamental right via a risk-based approach with 10 principles.

Key Components

**10 core principlespurpose limitation, necessity, transparency, security, prevention, non-discrimination, accountability.
**Data subject rightsaccess, correction, deletion, portability, anonymization, objection to automated decisions.
10 legal bases for processing, stricter for sensitive data.
**Governancemandatory DPO for controllers, records of processing, DPIAs for high-risk activities.
Enforcement by ANPD with graduated sanctions.

Why Organizations Use It

LGPD compliance avoids fines up to 2% Brazilian revenue (R$50M cap), operational halts, litigation. It builds trust, enables market access in Brazil's digital economy, enhances security against breaches, leverages anonymization for innovation.

Implementation Overview

Phased risk-based methodology: governance/DPO appointment, data mapping/RoPA, policies/DSRs, technical controls, training, audits. Applies to all sizes/sectors processing Brazilian data; no certification but ANPD audits/enforcement.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's mandatory regulatory framework under the 2017 Cybersecurity Law for hierarchical protection of networks and information systems. It uses an impact-based classification model, grading systems into five levels (1-5) based on potential harm to national security, social order, and public interests, with escalating technical, organizational, and governance controls.

Key Components

Core domains: physical security, network protection, data security, access control, monitoring, and operations.
Common controls for all levels; extended requirements for cloud, IoT, big data, industrial systems.
Defined in GB/T standards (e.g., GB/T 22239-2019); compliance via self-assessment, third-party audits (Level 2+), PSB approval.

Why Organizations Use It

Legal mandate for China-based network operators; non-compliance risks fines, suspensions, license issues.
Enhances cyber resilience, risk management; required for market access, vendor contracts.
Builds regulator trust, competitive edge in critical sectors like finance, energy.

Implementation Overview

Phased: scoping, classification, gap analysis, remediation, external audits, ongoing re-evaluations.
Applies to all sizes in China; intensive for multinationals, Level 3+ systems need annual audits.

Key Differences

Aspect	LGPD	MLPS 2.0 (Multi-Level Protection Scheme)
Scope	Personal data protection and privacy rights	Graded cybersecurity for all networks/systems
Industry	All sectors, Brazil residents' data	All network operators in mainland China
Nature	Mandatory data protection law, ANPD enforcement	Mandatory graded protection, PSB enforcement
Testing	DPIAs for high-risk, no mandatory audits	Third-party audits Level 2+, periodic re-evals
Penalties	Fines up to 2% Brazilian revenue, R$50M cap	Fines, operational suspension, license issues