What is the primary objective of LGPD?

The primary objective of LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is to protect the fundamental rights of freedom, intimacy, and personal data of natural persons through comprehensive regulation of processing activities. Enacted August 14, 2018, with full enforcement from August 1, 2021, it unifies prior fragmented laws, mandating 10 core principles (Art. 6)—including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability—to ensure ethical data handling by controllers and operators. LGPD grants data subjects rights like access, correction, deletion, portability, and objection to automated decisions (Art. 18), while imposing obligations on entities processing personal or sensitive data (e.g., health, biometrics).

Who is legally or professionally required to comply with LGPD?

All controllers and operators processing personal data of Brazilian residents must comply with LGPD, regardless of company size or location, due to its extraterritorial scope (Art. 3). This includes any processing in Brazil, targeting Brazilian residents for goods/services, or collecting data therein—impacting global firms in e-commerce, fintech, healthcare, and cloud services. No employee/revenue thresholds apply; public/private entities qualify, with controllers (deciding purposes/means, Art. 5 VI) bearing primary liability and operators (executing instructions, Art. 5 VII) sharing duties. Exemptions (Art. 4) cover non-economic private uses, journalism, and public security.

Does LGPD require an external audit or third-party certification?

LGPD does not mandate external audits or third-party certification, but ANPD may conduct audits and requires controllers to maintain processing records and submit DPIAs on demand (Art. 37, 38). Operators must adhere to controller instructions with verifiable security measures. ANPD enforces via graduated sanctions, incentivizing voluntary certifications (e.g., ISO 27701) for demonstrating accountability, though records and incident logs (5 years) enable internal/external verification.

How often should an assessment for LGPD be performed?

LGPD assessments, including Records of Processing Activities (RoPAs) and DPIAs for high-risk processing, must be maintained continuously and updated as needed, with annual reviews recommended for ongoing compliance (Art. 37, 38). ANPD requires incident logs for 5 years and breach notifications within 3 business days (Resolution CD/ANPD No. 15/2024). Quarterly internal audits and risk reassessments align with principles like accountability and prevention.

What are the consequences of non-compliance with LGPD?

Non-compliance with LGPD incurs graduated ANPD sanctions, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction), data processing suspension (up to 6 months, extendable), and publicity of violations (Art. 52-53). Factors like gravity, cooperation, and safeguards influence penalties; civil claims for damages (Art. 42) and operational disruptions add risks, applying to B2B/employee data.

Can LGPD be mapped to other international frameworks?

Yes, LGPD maps closely to international frameworks due to shared principles, rights, and structures like purpose limitation, minimization, and data subject rights, enabling hybrid compliance programs. Its 10 principles and bases align with global standards, though ANPD-specific rules (e.g., SCCs mandatory since August 23, 2025 per Resolution 19/2024) require adaptations for transfers and enforcement.

What is the first step to begin implementing LGPD?

The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting a comprehensive data mapping to create a Record of Processing Activities (RoPA) (Art. 41, 37). This identifies flows, legal bases, sensitive data, and risks, securing executive sponsorship for governance, followed by DPIAs for high-risk activities.

What is the primary objective of PMBOK?

The primary objective of PMBOK is to codify generally accepted principles, performance domains, processes, and practices for delivering consistent project value. The Project Management Body of Knowledge (PMBOK® Guide), maintained by the Project Management Institute (PMI), provides a global standard blending twelve core principles (e.g., focus on value, lead accountably) and eight performance domains (e.g., governance, stakeholders, risk) with tailored processes from its process-based legacy (five process groups, ten knowledge areas).

Who is legally or professionally required to comply with PMBOK?

No organizations are legally required to comply with PMBOK, as it is a voluntary global standard, not a regulatory law. Professional requirements apply to practitioners pursuing PMI certifications like PMP®, which mandate PMBOK knowledge. Contractually, public-sector bids and client procurements often demand PMI-compliant methodologies, while C-suite executives, PMO directors, project managers, and sectors like construction, IT, and healthcare adopt it for governance, risk reduction, and value delivery.

Does PMBOK require an external audit or third-party certification?

PMBOK does not require external audits or third-party certification, as it lacks formal certification mechanisms. Organizations implement it via internal gap analysis, tailoring guides, and PMO assurance (e.g., periodic audits of Earned Value Management metrics like CPI/SPI). PMI credentials (e.g., PMP®) involve individual exams, but enterprise adoption relies on self-assessments like OPM3® maturity models for performance domains and process groups.

How often should an assessment for PMBOK be performed?

PMBOK assessments should be performed initially via gap analysis, then periodically through Phase 6 assurance cycles, such as quarterly audits and annual OPM3® maturity reviews. Implementation frameworks recommend pilot validation post-Phase 4, followed by continuous improvement in Phase 6, using KPIs like Schedule Performance Index (SPI) trends and risk exposure. Mature organizations conduct six-month health checks tied to performance domains.

What are the consequences of non-compliance with PMBOK?

Non-compliance with PMBOK risks contractual disqualification, audit findings, project overruns, and reputational damage, though no direct legal penalties exist. Clients reject non-PMI-compliant bids; inadequate scope, cost, or risk controls trigger financial restatements, litigation, and talent attrition. High-profile failures erode brand equity, while missed Earned Value baselines increase variance, delaying benefits realization.

Can PMBOK be mapped to other international frameworks?

Yes, PMBOK can be mapped to other international frameworks through its principles, performance domains, and processes. The Seventh Edition supports convergence with standards like ISO 21500 via shared governance, tailoring, and value delivery. OPM3® dependencies align with maturity models, enabling hybrid integration for agile, predictive, or sector-specific adaptations while preserving knowledge areas like procurement and stakeholder management.

What is the first step to begin implementing PMBOK?

The first step to implement PMBOK is Phase 0: secure executive alignment and sponsorship via a PMBOK adoption charter. Establish a cross-functional steering committee (PMO, finance, HR) to define KPIs (e.g., % projects on budget) and governance. This frames value delivery and risk reduction before Phase 1 gap analysis mapping current processes to principles and domains.

Standards Comparison

LGPD vs PMBOK

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

PMBOK

Voluntary

2021

Global standard for project management practices

Quick Verdict

LGPD mandates data protection for Brazilian residents' info with fines, while PMBOK provides voluntary project management framework for reliable delivery. Companies adopt LGPD for legal compliance, PMBOK for strategic execution and risk reduction.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope for processors targeting Brazilian residents
10 core principles including prevention and non-discrimination
Data subject rights with anonymization and automated objection
Graduated fines up to 2% Brazilian revenue (R$50M cap)
ANPD-approved SCCs mandatory for cross-border transfers since 2025

Project Management

PMBOK

Project Management Body of Knowledge (PMBOK® Guide)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Tailoring to project size, complexity, and delivery approach
Principles and performance domains for value delivery
Earned Value Management for cost/schedule control
Hybrid predictive-agile process guidance
Risk registers and stakeholder engagement matrices

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's comprehensive data protection regulation enacted in 2018, fully enforced since 2021. It protects personal data of natural persons with extraterritorial scope, applying to processing in Brazil, targeting residents, or collected there. Employs a risk-based approach with 10 principles like purpose limitation, necessity, and accountability.

Key Components

**10 principlesPurpose limitation, adequacy, necessity, transparency, security, prevention, non-discrimination, accountability.
**Data subject rightsAccess, correction, deletion, portability, anonymization, objection to automated decisions.
**10 legal basesConsent, contracts, legitimate interests, sensitive data restrictions.
**GovernanceMandatory DPO for controllers, Records of Processing Activities (RoPAs), DPIAs for high-risk processing.
ANPD enforcement with graduated sanctions including fines.

Why Organizations Use It

Mandatory for compliance, avoiding fines up to 2% Brazilian revenue (R$50M cap).
Builds customer trust, enables market access, reduces breach risks.
Strategic advantages: operational efficiency, innovation via anonymization, competitive edge in Brazil's digital economy.

Implementation Overview

Phased risk-based methodology: governance/DPO appointment, data mapping/RoPAs, policies/DSRs, technical controls, vendor management/SCCs, monitoring/audits. Applies to all organizations processing Brazilian data, no formal certification but ANPD oversight.

PMBOK Details

What It Is

PMBOK® Guide—Project Management Body of Knowledge, authored by Project Management Institute (PMI), is a global framework for project management practices. It provides principles, performance domains, and processes for delivering value through projects, evolving from process groups/knowledge areas to principle-based approaches in recent editions.

Key Components

Twelve core principles (e.g., value focus, stewardship) and eight performance domains (governance, stakeholders, team, etc.).
Legacy: five process groups, ten knowledge areas, ~49 processes.
Tools like WBS, EVM, risk registers.
Tailoring model; no formal certification for the guide, but aligns with PMP®.

Why Organizations Use It

Enhances predictability, reduces overruns via standardized governance.
Meets contractual/audit needs; boosts reputation.
Enables hybrid agile/predictive delivery; competitive edge in bids.

Implementation Overview

Phased rollout: assessment, tailoring, pilots, training, PMO setup. Suits all sizes/industries; 12-24 months for enterprises. Focuses on change management, tools integration.

Key Differences

Aspect	LGPD	PMBOK
Scope	Personal data protection, processing, rights	Project management principles, processes, governance
Industry	All sectors processing Brazilian data	All industries delivering projects globally
Nature	Mandatory law with ANPD enforcement	Voluntary standard and best practices guide
Testing	DPIAs for high-risk, ANPD audits	Internal audits, maturity assessments, pilots
Penalties	Fines up to 2% Brazilian revenue	No legal penalties, reputational risks

Scope

LGPD

Personal data protection, processing, rights

PMBOK

Project management principles, processes, governance

Industry

LGPD

All sectors processing Brazilian data

PMBOK

All industries delivering projects globally

Nature

LGPD

Mandatory law with ANPD enforcement

PMBOK

Voluntary standard and best practices guide

Testing

LGPD

DPIAs for high-risk, ANPD audits

PMBOK

Internal audits, maturity assessments, pilots

Penalties

LGPD

Fines up to 2% Brazilian revenue

PMBOK

No legal penalties, reputational risks

Frequently Asked Questions

Common questions about LGPD and PMBOK

LGPD FAQ

PMBOK FAQ

You Might also be Interested in These Articles...

Evidential Readiness Blueprint: Mapping Multi-Cloud Access Controls to Cyber Essentials Audit Requirements

Step-by-step blueprint for IT managers to document and verify access control plus patch management evidence across Microsoft 365, AWS, and Azure for first-time

NIST CSF 2.0 Supply Chain Risk Management: Complete Playbook with Profiles, Tiers, and Vendor Assessment Templates

Master NIST CSF 2.0 ID.SC supply chain risk management with vendor assessment templates, profile gap analysis, and tier strategies. Mitigate third-party threats

SOC 2 Audit Survival Guide: Auditor Questions, Red Flags, and Evidence Prep for First-Time Pass

Ace your SOC 2 audit with predicted auditor questions, model answers, red flags, and evidence checklists from CPA best practices & SignWell's journey. Reduce st

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how LGPD and PMBOK compare against other standards

Other LGPD Comparisons

Other PMBOK Comparisons

What It Is

Key Components

**10 principlesPurpose limitation, adequacy, necessity, transparency, security, prevention, non-discrimination, accountability.

**Data subject rightsAccess, correction, deletion, portability, anonymization, objection to automated decisions.

**10 legal basesConsent, contracts, legitimate interests, sensitive data restrictions.

**GovernanceMandatory DPO for controllers, Records of Processing Activities (RoPAs), DPIAs for high-risk processing.

ANPD enforcement with graduated sanctions including fines.

What It Is

Key Components

Twelve core principles (e.g., value focus, stewardship) and eight performance domains (governance, stakeholders, team, etc.).

Legacy: five process groups, ten knowledge areas, ~49 processes.

Tools like WBS, EVM, risk registers.

Tailoring model; no formal certification for the guide, but aligns with PMP®.

Aspect

LGPD

PMBOK

Scope

Personal data protection, processing, rights

Project management principles, processes, governance

Industry

All sectors processing Brazilian data

All industries delivering projects globally

Nature

Mandatory law with ANPD enforcement

Voluntary standard and best practices guide

Testing

DPIAs for high-risk, ANPD audits

Internal audits, maturity assessments, pilots

Penalties

Fines up to 2% Brazilian revenue

No legal penalties, reputational risks