
LGPD vs. GDPR: The Biggest Differences

The General Data Protection Regulation (GDPR) is the world’s flagship data protection regulation. Its comprehensive approach to data privacy and its wide-ranging implications make it a benchmark for new data privacy and protection laws. The Lei Geral de Proteção de Dados (LGPD) is Brazil’s answer to GDPR: it replaces and unifies some 40 separate laws that previously regulated the processing of personal data.

With populations of roughly 214 million in Brazil and 448 million in the EU, both are large-scale pieces of data privacy legislation that play a pivotal role in modern data protection. Here’s a deep dive into LGPD compliance and, specifically, how the regulation differs from GDPR.

Scope

Both LGPD and GDPR protect the personal data of natural persons; GDPR frames this as data relating to an identified or identifiable natural person. Both apply special protection measures to sensitive personal data. A minor difference is that LGPD extends certain rights to the data of deceased individuals, allowing family members and heirs to access and manage that data, whereas GDPR applies only to living natural persons (Recital 27 states that it does not apply to the personal data of deceased persons).

Lawful bases

One of the key differences between the two regulations is that LGPD provides four legal bases for processing that GDPR does not. These additional legal bases are:

  1. Conducting studies by a research body, with anonymization of the personal data guaranteed wherever possible (e.g., academic purposes),
  2. Exercising rights in judicial, administrative, or arbitral proceedings,
  3. Protecting health, in procedures carried out by health professionals, health services, or health authorities, and
  4. Protecting credit.

Data subject rights

One area where LGPD grants data subjects a right that GDPR does not is anonymization. LGPD explicitly includes the right to request the anonymization of data that is unnecessary, excessive, or processed in violation of the law (Article 18), whereas GDPR contains no such right. In GDPR, anonymization appears only as a data security and data minimization measure, and fully anonymized data falls outside the regulation altogether (Recital 26).

Another slight difference is that while Brazilian data subjects can request the review of decisions taken solely on the basis of automated processing of personal data, LGPD does not specify the scope of this right or the process for challenging a decision. GDPR (Article 22) provides more detailed provisions and explicit rights for individuals to challenge and review automated decision-making, including the right to obtain human intervention, to express their point of view, and to contest the decision.

Both laws come with important rights such as the right to deletion of subjects’ data, the right to data portability, and the right to be informed.

Data breach notifications

GDPR is more stringent and prescriptive about the timeframe organizations have to notify the relevant supervisory authority after a security incident causing a personal data breach. Article 33 requires notification without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of the breach, and Article 34 requires affected data subjects to be informed without undue delay where the breach is likely to result in a high risk to them. LGPD applies a more ambiguous timeframe, stating only that the data subject and the authority should be notified within a “reasonable time period.” The Autoridade Nacional de Proteção de Dados (ANPD), Brazil’s national data protection authority, has the power to define what counts as reasonable.

Fines

Under LGPD, penalties for non-compliance are capped at 2% of the revenue in Brazil of the legal entity, group, or conglomerate for the previous financial year, excluding taxes, up to a maximum of R$50 million per infraction. GDPR sanctions are stricter and split into two tiers: up to €10 million or 2% of worldwide annual turnover of the previous financial year for some violations, and up to €20 million or 4% of worldwide annual turnover for the more severe ones, in each case whichever is higher.

Processors and controllers

In both regulations, the data controller is the person or entity that determines the purposes and means of processing personal data, and the data processor is the person or entity that processes personal data on behalf of the controller. LGPD refers to the two collectively as processing agents. Controllers and processors may be businesses, public authorities or bodies, or not-for-profit organizations.

Where the two differ is that GDPR is tougher: Article 28 mandates a written contract between controller and processor that sets out the details of the processing, including its subject matter, duration, nature and purpose, the types of personal data and categories of data subjects, and the processor’s obligations (such as acting only on documented instructions and assisting with breach notification). LGPD contains no equivalent regulatory obligation for contracts in controller-processor relationships.

Data transfers

Both laws allow the transfer of personal data to other countries or international organizations on specific grounds, one of which is a finding that the destination provides an adequate level of data protection. A difference is that GDPR comes with additional grounds, including a narrow, last-resort derogation (Article 49) for transfers that are not repetitive, concern only a limited number of data subjects, and are necessary for the compelling legitimate interests of the controller, provided the controller has assessed the circumstances, applied suitable safeguards, and informed the supervisory authority. LGPD has no legitimate-interest ground for international transfers.

Data protection officer

GDPR and LGPD both provide for the appointment of a Data Protection Officer (DPO), which LGPD calls the encarregado. One difference is that LGPD requires only controllers to appoint one, while GDPR (Article 37) requires both controllers and processors to do so in specified circumstances, such as when their core activities involve large-scale, regular and systematic monitoring of data subjects or large-scale processing of special categories of data. Another difference is that GDPR (Article 38) states the DPO must be provided with the resources necessary to carry out their tasks, including access to personal data and processing operations, while LGPD has no such wording.

Data protection impact assessments

Data protection impact assessments (DPIAs), which LGPD calls a data protection impact report (relatório de impacto à proteção de dados pessoais), are mentioned in both regulations, but there are differences between the two. As a reminder, a DPIA is an assessment of the potential impact of processing operations on the protection of personal data. GDPR (Article 35) requires one whenever processing is likely to result in a high risk to individuals and lists cases where it is mandatory, such as systematic and extensive profiling, large-scale processing of special categories of data, and large-scale systematic monitoring of publicly accessible areas. LGPD only says that the ANPD may require the controller to produce one.

Non-discrimination

LGPD treats non-discrimination as a basic principle for the protection of personal data. GDPR does not explicitly mention non-discrimination. This principle forbids the processing of personal data for unlawful or abusive discriminatory purposes.

Conclusion

Brazil’s LGPD is not the only data privacy law to follow the example set by the European Union’s GDPR. Much of California’s CCPA, and the CPRA that later amended it, draws on GDPR as a basic framework.

Over time, with the use of personal data under more scrutiny than ever, more regulations and public policies modelled on GDPR will emerge globally. Understanding the intricacies of compliance is vital, and any cybersecurity strategy should include appropriate technical safeguards against data loss.

Frequently Asked Questions

Which regions or countries do the LGPD and GDPR apply to?
The LGPD applies to processing carried out in Brazil, to the processing of personal data of individuals located in Brazil (including where goods or services are offered to them), and to personal data collected in Brazil, regardless of where the processing agent is located. The GDPR applies to organizations established in the EU and the European Economic Area (EEA) and, under Article 3(2), also to organizations outside the EU/EEA that offer goods or services to, or monitor the behaviour of, individuals in the EU/EEA.
What rights are granted to individuals under the LGPD compared to the GDPR?
Under the LGPD and GDPR, individuals (data subjects) have similar rights concerning their personal data. Both regulations provide people with the right to access their data, correct inaccuracies, and request data deletion.
How do the fines and penalties differ between the two regulations for non-compliance?
Under the GDPR, fines can reach up to €20 million or 4% of the company’s global annual turnover for the most serious infractions, whichever is higher (the figures are €10 million or 2% for less serious violations). In contrast, the LGPD's penalties are slightly more lenient, with fines capped at 2% of a company's revenue in Brazil, up to a total of R$50 million per violation.