Brazil’s Version of GDPR is LGPD


Brazil initially passed LGPD (Lei Geral de Proteção de Dados) in 2018 to go into effect in February 2020. The implementation date was pushed to August 16, 2020, which is about a month away. Is your company ready?

Let's compare LGPD to the European Union's General Data Protection Regulation (GDPR).

Personal Data

  • Both LGPD and GDPR have a similar scope of personal data. LGPD is technically a broader definition that includes any data that, by itself or combined with other data, could identify a natural person or subject them to a specific treatment.

Data subject rights

  • These are necessarily the same. LGPD broke out 'the right to information about public and private entities with which the controller has shared data' from the more generic GDPR 'right to be informed'.

Data protection officers

  • LGPD implies that any organization processing data requires a data protection officer (DPO). GDPR has precise rules for when a DPO is required.

Legal basis for processing

  • GDPR lists six lawful bases for processing data. LGPD lists ten, and the one that differs most from GDPR's is 'to protect credit (referring to a credit score).'

Reporting data breaches

  • GDPR has a specific 72-hour notification requirement. LGPD does not have a firm deadline.


Fines

  • A GDPR violation can cost companies up to 20 million Euros or 4% of the annual global revenue, whichever is higher. LGPD is less severe. Maximum fines in Brazil are 2% of the company’s revenue in Brazil from the prior fiscal year, excluding taxes, up to a maximum of 11 million Euros. The 11 million Euro fine is not a concern for any of the world's largest data processors.

At the highest level, LGPD and GDPR are the same with small differences. It will be worth watching how Brazil enforces LGPD since GDPR is not enforced strictly in Europe.
