What is the primary objective of **LGPD**?

**The primary objective of LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is to protect the fundamental rights of freedom, intimacy, and personal data of natural persons through comprehensive regulation of processing activities.** Enacted August 14, 2018, with full sanctions from August 1, 2021, it unifies prior fragmented laws under 10 core principles (Art. 6), including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability, while granting data subjects rights like access, correction, deletion, portability, and objection to automated decisions (Art. 18).

Who is legally or professionally required to comply with **LGPD**?

**All controllers and operators processing personal data in Brazil, targeting Brazilian residents, or collected therein must comply with LGPD, regardless of organization size or location (Art. 3).** This extraterritorial scope applies to public/private entities in sectors like e-commerce, fintech, healthcare, and cloud services; no employee/revenue thresholds exist, capturing multinationals via B2B/employee data. Controllers decide purposes/means (Art. 5, VI); operators execute instructions (Art. 5, VII).

Does **LGPD** require an external audit or third-party certification?

**LGPD does not mandate external audits or third-party certification, but ANPD may conduct audits and require Records of Processing Activities (RoPAs) or DPIAs on demand (Arts. 37, 38).** Controllers must maintain internal governance, including DPO appointment (Art. 41, potentially universal with public disclosure), security measures, and incident logs (5 years). Voluntary certifications like ISO 27701 enhance maturity but are not compulsory.

How often should an assessment for **LGPD** be performed?

**LGPD requires ongoing assessments via continuous monitoring, with annual internal audits, quarterly RoPA reviews, and DPIAs for high-risk processing like legitimate interests or sensitive data (Art. 38).** ANPD guidance (e.g., CD/ANPD No. 15/2024) mandates regular vendor audits, risk scoring, and updates to data mappings/incident plans; ad-hoc triggers include new processing or ANPD inquiries.

What are the consequences of non-compliance with **LGPD**?

**Non-compliance with LGPD incurs graduated ANPD sanctions, including warnings, fines up to 2% of Brazilian revenue (capped at R$50 million per infraction), data blocking/deletion, processing suspension (up to 6 months, extendable), and publicity of infractions (Art. 52).** Factors like gravity, cooperation, and safeguards influence severity; civil claims for damages (Art. 42) add reputational/operational risks.

Can **LGPD** be mapped to other international frameworks?

**Yes, LGPD maps closely to international frameworks due to shared principles, rights, and risk-based approaches, enabling hybrid compliance programs.** Its 10 principles and data subject rights align with GDPR (e.g., purpose limitation, minimization), while legal bases (Art. 7) and security mandates support NIST/ISO 27001 adaptations; ANPD resolutions facilitate cross-mapping for multinationals.

What is the first step to begin implementing **LGPD**?

**The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting enterprise-wide data mapping to create a Record of Processing Activities (RoPA) (Arts. 37, 41).** Secure executive sponsorship, inventory data flows/purposes/legal bases, identify sensitive data/cross-border transfers, and prioritize high-risk areas for gap analysis.

What is the primary objective of **TISAX**?

**TISAX's primary objective is to standardize information security assessments and enable secure exchange of results across the automotive supply chain via the ENX portal.** Developed by the ENX Association using the VDA ISA catalog (version 5.0.4 or later), it verifies protection of sensitive data like IP, prototypes, and personal information against cyber threats, emphasizing the CIA triad at Basic, Significant, and Very High maturity levels.

Who is legally or professionally required to comply with **TISAX**?

**TISAX compliance is a contractual requirement for automotive OEMs, Tier 1/Tier 2 suppliers, service providers, and logistics firms handling sensitive automotive data.** Mandated by OEMs like Volkswagen and BMW in RFPs and agreements, it applies to any entity processing OEM IP (e.g., ADAS software, prototypes), regardless of size—scalable from SMEs via self-assessments to multinationals requiring full audits.

Does **TISAX** require an external audit or third-party certification?

**Yes, TISAX requires assessments by ENX-accredited providers (e.g., DQS, TÜV) for Significant and Very High levels, issuing labels valid for three years.** AL1 allows self-assessment without labels; AL2 involves remote plausibility checks; AL3 mandates on-site audits with interviews, facility inspections, and evidence review per VDA ISA's 70+ controls across seven groups.

How often should an assessment for **TISAX** be performed?

**TISAX assessments must be performed every three years to renew labels on the ENX portal.** No annual surveillance audits are required, but continuous monitoring via internal audits, PDCA cycles, and quarterly reviews ensures maturity; reassessments apply after major changes like new scopes or VDA ISA updates.

What are the consequences of non-compliance with **TISAX**?

**Non-compliance with TISAX results in contractual termination, lost OEM portal access, and revenue forfeiture (e.g., €10-50M for mid-tier suppliers).** ENX-partnered OEMs impose penalties up to 5% of contract value, plus €20K-€100K re-audit costs; reputational damage and production halts cascade through just-in-time chains.

Can **TISAX** be mapped to other international frameworks?

**Yes, TISAX maps directly to ISO 27001 and ISO 27002 via the VDA ISA catalog, enabling control reuse and integrated audits.** It extends ISO with automotive-specific modules (e.g., prototype protection), achieving 70-90% audit efficiency gains and 20-30% cost savings for dual implementations.

What is the first step to begin implementing **TISAX**?

**The first step is registering on the ENX portal (enx.com) and defining the Assessment Scope and Leadership Profile (ASLP).** Collaborate with OEMs to classify protection needs (Normal/High/Very High), then download VDA ISA 5.0.4 for gap analysis across policy, access, and operations controls.

LGPD vs TISAX | GRADUM

Standards Comparison

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

TISAX

Mandatory

2017

Automotive framework for standardized information security assessments

Quick Verdict

LGPD mandates personal data protection for Brazilian residents across industries with ANPD fines, while TISAX provides voluntary security assessments for automotive suppliers via ENX labels. Companies adopt LGPD for legal compliance, TISAX for OEM contracts and supply chain trust.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law No. 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope targeting Brazilian residents worldwide
10 core principles including prevention and non-discrimination
Fines up to 2% Brazilian revenue capped at R$50M
Mandatory DPO appointment for controllers with disclosure
3-business-day breach notifications to ANPD and subjects

Cybersecurity

TISAX

Trusted Information Security Assessment Exchange (TISAX)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Standardized assessments exchanged via ENX portal
Automotive-specific prototype protection controls
Three risk-based assessment levels AL1-AL3
70+ VDA ISA controls based on ISO 27001
Three-year labels reduce duplicate OEM audits

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

Lei Geral de Proteção de Dados Pessoais (LGPD), Law No. 13.709/2018, is Brazil's comprehensive federal regulation for personal data processing. It protects data subjects' rights with extraterritorial scope, applying to any processing targeting Brazilian residents. Adopting a risk-based approach, it mandates 10 principles like purpose limitation, necessity, and accountability.

Key Components

10 core principles (e.g., transparency, security, non-discrimination)
10 legal bases for processing (consent, legitimate interests, etc.)
Data subject rights (access, deletion, portability)
ANPD enforcement with graduated sanctions
DPIAs for high-risk activities; no formal certification but records and DPO required

Why Organizations Use It

LGPD compliance avoids fines up to 2% Brazilian revenue (R$50M cap), operational halts, and reputational harm. It builds trust, enables market access in Brazil's digital economy, reduces breach risks, and supports AI innovation via anonymization exemptions.

Implementation Overview

Phased risk-based methodology: governance/DPO appointment, data mapping/RoPAs, policies, technical controls, DSR/incident processes, vendor SCCs. Applies to all sizes/industries processing Brazilian data; ANPD audits enforce, no certification but ongoing monitoring essential.

TISAX Details

What It Is

TISAX (Trusted Information Security Assessment Exchange) is an industry-specific assessment framework and exchange platform for information security in the automotive supply chain. Developed by the ENX Association based on the VDA ISA catalog (version 5.0.4+), it verifies protection of sensitive data like IP, prototypes, and personal information against cyber threats. It uses a risk-based approach with three maturity levels: Basic, Significant, Very High.

Key Components

70+ controls across 7 groups: Policy, Organization, Personnel, Physical Security, Access, Cryptography, Operations.
Built on ISO 27001 with automotive extensions like prototype protection.
Assessment levels (AL1 self-assess, AL2 remote, AL3 on-site) and modular objectives (e.g., prototype parts/vehicles).
3-year labels shared via ENX portal.

Why Organizations Use It

Contractual mandates from OEMs (e.g., BMW, VW) prevent revenue loss.
Reduces duplicate audits (70-90% efficiency), enhances market access, mitigates €4.5M breach costs.
Builds trust, enables IP protection in €2.5T supply chain.

Implementation Overview

Phased (6-18 months): gap analysis, control remediation, tabletop exercises, accredited audits (e.g., DQS, TÜV). Targets automotive suppliers/OEMs globally; scalable for SMEs to enterprises.

Key Differences

Aspect	LGPD	TISAX
Scope	Personal data protection, rights, processing principles	Information security, prototype protection, supply chain
Industry	All sectors, Brazil-focused, extraterritorial for residents	Automotive supply chain, primarily European OEMs/suppliers
Nature	Mandatory national law, ANPD enforcement, fines	Voluntary industry assessment, ENX/VDA governed, contractual
Testing	DPIAs for high-risk, ANPD audits, no certification	AL1-AL3 assessments, on-site audits, 3-year labels
Penalties	2% Brazilian revenue fines (R$50M cap), suspensions	Contract loss, no direct fines, audit failure

Scope

LGPD

Personal data protection, rights, processing principles

TISAX

Information security, prototype protection, supply chain

Industry

LGPD

All sectors, Brazil-focused, extraterritorial for residents

TISAX

Automotive supply chain, primarily European OEMs/suppliers

Nature

LGPD

Mandatory national law, ANPD enforcement, fines

TISAX

Voluntary industry assessment, ENX/VDA governed, contractual

Testing

LGPD

DPIAs for high-risk, ANPD audits, no certification

TISAX

AL1-AL3 assessments, on-site audits, 3-year labels

Penalties

LGPD

2% Brazilian revenue fines (R$50M cap), suspensions

TISAX

Contract loss, no direct fines, audit failure

Frequently Asked Questions

Common questions about LGPD and TISAX

LGPD FAQ

TISAX FAQ

You Might also be Interested in These Articles...

SOC 2 for Bootstrapped SaaS: Lazy Founder's Automation Roadmap with Vanta/Drata Templates

Bootstrapped SaaS founders: Achieve SOC 2 Type 2 in 3 months with Vanta automation (cuts 70% manual work). Free templates, workflows, screenshots, metrics & Sig

Thailand PDPA Enforcement Trends 2025: Analyzing 1,048 Complaints, Breach Volumes, and Hidden Lessons for Proactive Compliance

Decode PDPC Thailand's 1,048 complaints & 610 breaches. Uncover consent/security violations, project 2025 enforcement. Risk heatmap, self-assessment & playbook

TISAX Tabletop Exercises for ADAS Suppliers: Simulating Prototype IP Leaks and Ransomware in Hybrid Supply Chains (2025 Edition with Hero Scenario Visual)

Master TISAX 'Very High' tabletop exercises for ADAS suppliers with 2024 breach simulations like CAD leaks and ransomware. Get scripts, AAR templates, hybrid ti

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

WEEE vs FDA 21 CFR Part 11

Discover WEEE vs FDA 21 CFR Part 11: Compare EU e-waste rules with US electronic records compliance. Master strategies for global producers to ensure regulatory alignment and risk reduction.

ISO 31000 vs ISO 14064

Compare ISO 31000 vs ISO 14064: Risk mgmt guidelines meet GHG standards. Principles, frameworks & implementation decoded for resilient, sustainable decisions. Dive in now!

OSHA vs APRA CPS 234

Unlock OSHA vs APRA CPS 234: Compare US workplace safety regs with Australia's financial info security standard. Gain compliance strategies, pitfalls & best practices now!

LGPD

TISAX

Quick Verdict

LGPD

Key Features

TISAX

Key Features

Detailed Analysis

LGPD Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

TISAX Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

LGPD FAQ

What is the primary objective of LGPD?

Who is legally or professionally required to comply with LGPD?

Does LGPD require an external audit or third-party certification?

How often should an assessment for LGPD be performed?

What are the consequences of non-compliance with LGPD?

Can LGPD be mapped to other international frameworks?

What is the first step to begin implementing LGPD?

TISAX FAQ

What is the primary objective of TISAX?

Who is legally or professionally required to comply with TISAX?

Does TISAX require an external audit or third-party certification?

How often should an assessment for TISAX be performed?

What are the consequences of non-compliance with TISAX?

Can TISAX be mapped to other international frameworks?

What is the first step to begin implementing TISAX?

You Might also be Interested in These Articles...

SOC 2 for Bootstrapped SaaS: Lazy Founder's Automation Roadmap with Vanta/Drata Templates

Thailand PDPA Enforcement Trends 2025: Analyzing 1,048 Complaints, Breach Volumes, and Hidden Lessons for Proactive Compliance

TISAX Tabletop Exercises for ADAS Suppliers: Simulating Prototype IP Leaks and Ransomware in Hybrid Supply Chains (2025 Edition with Hero Scenario Visual)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

WEEE vs FDA 21 CFR Part 11

ISO 31000 vs ISO 14064

OSHA vs APRA CPS 234