LGPD vs GDPR Similarities: In-Depth Analysis

Introduction

The General Data Protection Regulation Act of 2016 (‘EU GDPR‘) and Lei Geral de Proteção de Dados of 2018 (‘LGPD‘) both aim to give strong protection for individuals regarding their personal data collected for business use, or share consumer data, whether the information is obtained online or offline.

The European Union General Data Protection Regulation (‘EU GDPR‘) is applicable as of May 25th, 2018, in all member states to adopt data privacy laws across Europe. According to this law, it is mandatory requirements for all the businesses operating within EU states to protect the personal data and privacy of the EU citizens for the transactions that occur between different EU member regions. GDPR compliance applies to the processing of personal data totally or notably by automated means of personal data which form part of a filing system or are intended to the filing a system.

Inspired by the European regulation (General Data Protection Regulation – GDPR), the Brazilian General Data Protection Act (in Portuguese, LGPD, Lei Geral de Proteção de Dados) establishes rules on collecting, handling, storing and sharing of personal data managed by organizations. The LGPD provides data subjects with nine rights, defines what constitutes personal data and creates ten legal bases for lawful processing of personal data.

LGPD vs GDPR Similarities

Business LocationLGPD applies to any business or organization that processes the personal data of people in Brazil, regardless of where that business or organization itself might be located. So, if your company has any customers or clients in Brazil, you should begin preparing for LGPD compliance. 

Consumer AccessBusinesses must comply with a customer's request to access their data.

EnsureBoth Brazil and Europe based customers can request companies to delete their personal information from the organizations' database.

Personal data LGPD echoes of the GDPR’s definition of personal data.  Also, LGPD takes a broad view of what data qualifies as personal data, even more expansive than the GDPR.

Data subject rights While the GDPR is known for granting its data subjects eight fundamental rights, they are essentially the same rights the LGPD mentions.

Similar But in Different Ways

Data protection officers

Any organization that processes the data of people in Brazil will need to hire a DPO.

GDPR outlines certain situations when a DPO is required.

Legal basis for processing data

Article 7 of the LGPD lists ten lawful bases for processing and a data controller must choose one of them as a justification for using a data subject’s information.?

The GDPR has?six lawful bases for processing and a data controller must choose one of them as a justification for using a data subject’s information.?

Reporting data breaches

The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may create risk or relevant damage to the data subject in a reasonable time period.

No clarification on “reasonable time period”.

An organization must?report a data breach within 72 hours?of its discovery (although different organizations are?already testing that deadline).?

Damages/Fines

The fines under the LGPD are much less severe. Article 52 states that the maximum fine for a violation is
“2% of a private legal entity’s, group’s, or conglomerate’s revenue in Brazil, for the prior fiscal year, excluding taxes, up to a total maximum of 50 million reals”.

GDPR fines are substantial, requiring organizations that commit grave GDPR violations to pay to up to €20 million or 4% of annual global revenue, whichever is higher.

Download free resource on California CCPA, Virginia CDPA, Colorado CPA and CPRA. - Mandatly Inc.

Related Blogs

What Is Sensitive Personal Information?20250528093426

DSAR Management
Data Subject requests per month	Unlimited
Web based intake form	Unlimited
Identity verification methods	Advanced
Workflow enabled Data discovery and deletion for systems (application, database, website, file system, products etc.)
Automated data discovery and data feeds from systems	Unlimited
Secured delivery with configurable expiration days
Standard workflow (configurable) and email integration
Standard notifications and response templates
Reporting and dashboards
Customized workflow and notification
Remove “Mandatly” Branding

Cookie Compliance
Number of Domains (additional cost for multiple domains)	1
Website Scanning (Pages and sub-domains)	2500+ pages
Periodic scanning	Automatic
Cookie categorization	Automatic
Predefined banners and layouts
Configurable banners and layouts
Configurable consent categories
Unlimited consent records
Multiple language support
Remove “Mandatly” Branding

Data Inventory
Data Asset (application, database, website, file system, products etc.)	Unlimited
Processing activites	Unlimited
Pre-built data inventory assessment templates
Auto risk detection
Data elements (Predefined and custom)
Standard workflow (configurable), e-mail Integration and notification
Standard notifications and response templates
Reporting and Dashboard
Create you own data inventory assessment templates, Set up risk rules and alerts
Custom workflow and notification
API integration with external systems
Remove “Mandatly” Branding

DSAR Management
Data Subject requests per month	Unlimited
Web based intake form	15
Identity verification methods	Advanced
Workflow enabled Data discovery and deletion for systems (application, database, website, file system, products etc.)
Automated data discovery and data feeds from systems	Upto 5 systems
Secured delivery with configurable expiration days
Standard workflow (configurable) and email integration
Standard notifications and response templates
Reporting and dashboards
Customized workflow and notification
Remove “Mandatly” Branding

Cookie Compliance
Number of Domains (additional cost for multiple domains)	1
Website Scanning (Pages and sub-domains)	Upto 2500 pages
Periodic scanning	Automatic
Cookie categorization	Automatic
Predefined banners and layouts
Configurable banners and layouts
Configurable consent categories
Unlimited consent records
Multiple language support
Remove “Mandatly” Branding

Intelligent Assessment
Assessments on Processing activities and Data Sources (Application, Database, Website, Manual, Products etc.)	Unlimited
Standard Assessment templates (PTA, PIA/DPIA, PbD)
Configure your own assessments and setup up risks and alerts
Integration with Data Inventory to link data sources and processing activities (RoPA)
Standard Workflow, Notification and Email Integration
Reporting and Dashboard
Custom workflow and notification
Risk assessment and Mitigation
Remove “Mandatly” Branding

Data Inventory
Data Asset (application, database, website, file system, products etc.)	100
Processing activites	1000
Pre-built data inventory assessment templates
Auto risk detection
Data elements (Predefined and custom)
Standard workflow (configurable), e-mail Integration and notification
Standard notifications and response templates
Reporting and Dashboard
Create you own data inventory assessment templates, Set up risk rules and alerts
Custom workflow and notification
API integration with external systems
Remove “Mandatly” Branding

Privacy Management

Data Governance

Data Solutions