What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's comprehensive data protection regulation. It governs collection, processing, and transfer of personal data, with extraterritorial scope for any processing targeting Brazilian residents. Adopts a risk-based approach emphasizing accountability, minimization, and data subject rights, enforced by ANPD.

Key Components

• **Ten core principlespurpose limitation, adequacy, necessity, transparency, security, prevention, non-discrimination, accountability, plus free access and data quality.
• Ten legal bases for processing, including consent, legitimate interest, credit protection.
• Data subject rights: access, correction, deletion, portability, anonymization.
• Mandatory records (RoPA), DPIAs for high-risk activities, DPO for controllers; compliance via governance and audits, no formal certification but ANPD oversight.

Why Organizations Use It

LGPD compliance avoids fines up to 2% Brazilian revenue (R$50M cap), operational suspensions, litigation. Builds trust, enables market access, reduces AI risks, drives efficiency via data inventories. Strategic for e-commerce, fintech, healthcare targeting Brazil.

Implementation Overview

Phased risk-based methodology: governance, data mapping, policies, controls, DSRs, monitoring. Applies to all sizes processing Brazilian data; involves cross-functional teams, vendor DPAs, training. Ongoing program with ANPD guidance updates.

What It Is

NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) is a U.S. government cybersecurity framework providing recommended security requirements for safeguarding CUI confidentiality. Tailored from NIST SP 800-53 Moderate baseline, it uses a control-based approach focused on nonfederal systems processing, storing, or transmitting CUI.

Key Components

• 17 families in Rev 3 (e.g., Access Control, Audit, Supply Chain Risk Management), with ~97-110 requirements.
• Built on FIPS 200 and SP 800-53; includes SSP, POA&M, and SP 800-171A assessment procedures (examine/interview/test).
• Compliance via self-assessment or third-party (e.g., CMMC Level 2).

Why Organizations Use It

• Mandatory for federal contractors via DFARS 252.204-7012; enables DoD contract eligibility.
• Reduces breach risk, builds supply chain trust, supports FedRAMP equivalence.

Implementation Overview

Phased: scope CUI enclave, gap analysis, implement controls (MFA, SIEM), document SSP/POA&M. Applies to contractors globally; audits via SPRS/CMMC. (178 words)