What is the primary objective of **LGPD**?

**The primary objective of LGPD is to protect the fundamental rights of privacy and freedom of natural persons by establishing rules for personal data processing.** Enacted as Law No. 13.709/2018, LGPD unifies fragmented regulations, mandates **10 core principles** (Article 6)—including purpose limitation, necessity, transparency, security, prevention, non-discrimination, and accountability—and grants data subjects rights like access, correction, deletion, portability, and objection to automated decisions (Article 18).

Who is legally or professionally required to comply with **LGPD**?

**All controllers and operators processing personal data of Brazilian residents must comply with LGPD, regardless of company size or location.** Territorial scope (Article 3) covers processing in Brazil, targeting Brazilian residents for goods/services, or data collected there—extraterritorial like any global entity. **Controllers** decide purposes/means (Article 5, VI); **operators** execute instructions (Article 5, VII); no thresholds exempt micro/small firms if data is processed.

Does **LGPD** require an external audit or third-party certification?

**LGPD does not mandate external audits or third-party certification.** The **ANPD** conducts audits (Articles 55-56), but organizations must maintain internal records of processing activities (Article 37), perform DPIAs for high-risk activities (Article 38), and demonstrate accountability via technical/administrative measures—no formal certification is required, though voluntary alignments enhance compliance evidence.

How often should an assessment for **LGPD** be performed?

**LGPD assessments, including Records of Processing Activities and DPIAs, must be maintained continuously and updated as needed.** ANPD regulations imply ongoing monitoring (e.g., Resolution CD/ANPD No. 02/2022 for simplified records); high-risk processing requires DPIAs on demand or changes; practical best practice involves quarterly internal reviews and annual full audits to address evolving data flows, incidents, and ANPD guidance.

What are the consequences of non-compliance with **LGPD**?

**Non-compliance with LGPD triggers graduated administrative sanctions by ANPD, including fines up to 2% of Brazilian revenue (capped at R$50 million per infraction).** Nine sanctions (Article 52) range from warnings and publicity to daily fines, data blocking/deletion, operational suspension (up to 6 months, extendable), and prohibitions; factors include gravity, cooperation, and safeguards—plus civil liability for damages (Article 42) and reputational harm.

Can **LGPD** be mapped to other international frameworks?

**Yes, LGPD can be mapped to other international frameworks due to shared principles like purpose limitation, minimization, and data subject rights.** Its 10 principles and bases align closely with global regimes, enabling hybrid programs; however, nuances like Brazil revenue-based fines (vs. global), 10 legal bases, and ANPD-specific mechanisms (e.g., SCCs per Resolution 19/2024) require tailored gap analyses.

What is the first step to begin implementing **LGPD**?

**The first step to implement LGPD is appointing a Data Protection Officer (DPO) and conducting data mapping for a Record of Processing Activities (RoPA).** DPO is mandatory for controllers (Article 41, public disclosure); mapping inventories data flows, purposes, legal bases, and risks (Article 37), prioritizing high-risk/sensitive data to enforce principles and identify gaps.

What is the primary objective of **WELL**?

**The primary objective of WELL is to advance human health and well-being in buildings through performance-based design, operations, and policies.** Administered by the International WELL Building Institute (IWBI), WELL v2 organizes requirements across **10 concepts**—Air, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, and Community—comprising **24 Preconditions** (mandatory pass/fail) and **102 Optimizations** (point-earning). It mandates on-site performance verification for metrics like CO₂ ≤900 ppm and requires continuous monitoring for sustained outcomes.

Who is legally or professionally required to comply with **WELL**?

**WELL is voluntary with no legal mandates but is professionally required for organizations pursuing certification.** Applicable to owners, developers, and operators of new/existing buildings via pathways like WELL Certification (owner-controlled), WELL Core (≥75% leased), and WELL for Residential. Corporate real estate, facilities, HR, and ESG teams in offices, healthcare, education, and hospitality adopt it for occupant health metrics, tenant demands, and ESG reporting.

Does **WELL** require an external audit or third-party certification?

**Yes, WELL requires third-party documentation review and on-site performance verification by authorized WELL Performance Testing Agents.** This includes two rounds of review (preliminary/final) via IWBI's platform and testing for air, water, light, sound, and thermal comfort at ≥50% occupancy. Certification levels—**Bronze (40 points)**, **Silver (50, min 1/concept)**, **Gold (60, min 2/concept)**, **Platinum (80, min 3/concept)**—demand verified compliance.

How often should an assessment for **WELL** be performed?

**WELL assessments occur during initial certification, with recertification every three years and annual reporting for select features.** Ongoing continuous monitoring (e.g., CO₂, PM2.5) supports compliance; performance verification repeats at recertification, including updated testing and documentation submission.

What are the consequences of non-compliance with **WELL**?

**Non-compliance results in certification denial, additional curative review fees, and delayed timelines.** Failed Preconditions block all levels; verification gaps trigger rework. No statutory fines exist, but reputational/operational risks include lost ESG value, tenant churn, and productivity losses from unaddressed IEQ issues.

Can **WELL** be mapped to other international frameworks?

**Yes, IWBI provides official crosswalks mapping WELL features to frameworks like LEED.** These align overlapping requirements (e.g., air quality, materials), enabling streamlined dual certification and reduced documentation for portfolios pursuing integrated ESG strategies.

What is the first step to begin implementing **WELL**?

**The first step is project enrollment on IWBI's digital platform and scorecard development.** Register to access tools, define project boundaries/space types, select pathways (e.g., Certification/Core), and model Preconditions/Optimizations targeting a certification tier; conduct pre-testing for high-risk features like Air/Water.

LGPD vs WELL | GRADUM

Standards Comparison

LGPD

Mandatory

2020

Brazil's comprehensive regulation for personal data protection

WELL

Voluntary

2014

Performance-based certification for occupant health and well-being.

Quick Verdict

LGPD mandates data protection for Brazilian residents with fines up to 2% revenue, while WELL is voluntary certification enhancing building occupant health via performance testing. Companies adopt LGPD for legal compliance, WELL for wellness differentiation and ESG advantages.

Data Privacy

LGPD

Lei Geral de Proteção de Dados Pessoais (Law 13.709/2018)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Extraterritorial scope targeting Brazilian residents worldwide
10 core principles expanding beyond GDPR's seven
Fines up to 2% Brazilian revenue per violation
Mandatory DPO appointment for controllers with public disclosure
SCCs mandatory for cross-border transfers by 2025

Building Health & Wellness

WELL

WELL Building Standard v2

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

10 core concepts for comprehensive health optimization
Mandatory preconditions and point-based optimizations
On-site performance verification testing required
Tiered certifications Bronze to Platinum levels
Continuous monitoring and annual reporting pathways

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

LGPD Details

What It Is

LGPD (Lei Geral de Proteção de Dados Pessoais, Law No. 13.709/2018) is Brazil's comprehensive data protection regulation. It governs personal data processing with extraterritorial scope, applying to any entity targeting Brazilian residents. Primary purpose: safeguard privacy rights via risk-based principles like purpose limitation and accountability.

Key Components

10 core principles (e.g., necessity, transparency, prevention, non-discrimination)
10 legal bases for processing (consent, legitimate interests, etc.)
Data subject rights (access, deletion, portability)
ANPD enforcement with graduated sanctions up to 2% Brazilian revenue (R$50M cap)
Mandatory DPO, DPIAs, breach notifications

Why Organizations Use It

Mandatory compliance avoids multimillion fines, operational halts, reputational damage. Benefits include trust-building, market access in Brazil's digital economy, GDPR synergies, AI risk reduction. Enhances efficiency via data minimization.

Implementation Overview

**Phased approachgovernance/DPO appointment, data mapping/RoPA, policies, technical controls, training, audits. Applies to all sizes/industries processing Brazilian data globally. No certification; ANPD audits enforce via resolutions like CD/ANPD 15/2024.

WELL Details

What It Is

The WELL Building Standard (WELL v2) is a performance-based certification framework administered by the International WELL Building Institute (IWBI). It focuses on designing, operating, and verifying buildings to advance human health and well-being through evidence-based strategies across indoor environments and organizational policies.

Key Components

**10 core conceptsAir, Water, Nourishment, Light, Movement, Thermal Comfort, Sound, Materials, Mind, Community (plus Innovation).
24 Preconditions (mandatory pass/fail) and 102 Optimizations (point-earning).
Built on public health and building science research.
Tiered certification: Bronze (40 points), Silver (50), Gold (60), Platinum (80), with concept minimums at higher levels.

Why Organizations Use It

Enhances occupant health, productivity, and ESG reporting.
Differentiates assets with verified performance metrics.
Mitigates risks like poor IEQ; boosts rents and retention.
Builds stakeholder trust via third-party verification.

Implementation Overview

Phased: gap analysis, scorecard, documentation, on-site verification, recertification every 3 years.
Applies to new/existing buildings, all sizes/industries.
Requires third-party review and performance testing.

Key Differences

Aspect	LGPD	WELL
Scope	Personal data protection and processing	Building health, wellness, and performance
Industry	All sectors, Brazil-focused, extraterritorial	Real estate, offices, global building types
Nature	Mandatory national law with ANPD enforcement	Voluntary performance-based certification
Testing	DPIAs for high-risk, ANPD audits	On-site performance verification, annual monitoring
Penalties	Fines up to 2% Brazilian revenue, R$50M cap	Loss of certification, no legal fines

Scope

LGPD

Personal data protection and processing

WELL

Building health, wellness, and performance

Industry

LGPD

All sectors, Brazil-focused, extraterritorial

WELL

Real estate, offices, global building types

Nature

LGPD

Mandatory national law with ANPD enforcement

WELL

Voluntary performance-based certification

Testing

LGPD

DPIAs for high-risk, ANPD audits

WELL

On-site performance verification, annual monitoring

Penalties

LGPD

Fines up to 2% Brazilian revenue, R$50M cap

WELL

Loss of certification, no legal fines

Frequently Asked Questions

Common questions about LGPD and WELL

LGPD FAQ

WELL FAQ

You Might also be Interested in These Articles...

The SOC Maturity Roadmap: A 5-Step Blueprint for Scaling from Ad-Hoc to Optimized Operations

Unlock SOC excellence with our 5-step maturity roadmap. Compare SOC-CMM, NIST CSF, and CMMC frameworks to scale from ad-hoc to automated operations. Start your

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Unlock human-AI synergy with modern compliance tools. Automate monitoring, cut non-compliance risks 3x, and boost strategic decision-making. Elevate your team's

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Operationalize CIS Controls v8.1 with compliance monitoring software. Turn checklists into dashboards, tickets, and audit-proof workflows. Top 10 reasons it acc

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

BREEAM vs AS9110C

Compare BREEAM vs AS9110C: Building sustainability certification meets aerospace QMS excellence. Uncover key differences, benefits & strategies for optimal compliance. Choose wisely today!

EN 1090 vs U.S. SEC Cybersecurity Rules

Compare EN 1090 steel/aluminium execution standards vs U.S. SEC cybersecurity rules: risk classes, FPC/CE marking, governance & 4-day incident disclosure. Navigate both for compliance mastery!

NIST CSF vs DORA

Compare NIST CSF vs DORA: Flexible US cyber framework meets EU financial resilience mandate. Key diffs, benefits & implementation tips for compliance success!

LGPD

WELL

Quick Verdict

LGPD

Key Features

WELL

Key Features

Detailed Analysis

LGPD Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

WELL Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

LGPD FAQ

What is the primary objective of LGPD?

Who is legally or professionally required to comply with LGPD?

Does LGPD require an external audit or third-party certification?

How often should an assessment for LGPD be performed?

What are the consequences of non-compliance with LGPD?

Can LGPD be mapped to other international frameworks?

What is the first step to begin implementing LGPD?

WELL FAQ

What is the primary objective of WELL?

Who is legally or professionally required to comply with WELL?

Does WELL require an external audit or third-party certification?

How often should an assessment for WELL be performed?

What are the consequences of non-compliance with WELL?

Can WELL be mapped to other international frameworks?

What is the first step to begin implementing WELL?

You Might also be Interested in These Articles...

The SOC Maturity Roadmap: A 5-Step Blueprint for Scaling from Ad-Hoc to Optimized Operations

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

BREEAM vs AS9110C

EN 1090 vs U.S. SEC Cybersecurity Rules

NIST CSF vs DORA