GDPR X LGPD: the paths we have to go

By June 22, 2022 No Comments

*Nathalia Soares

The General Data Protection Regulation – GDPR (or General Data Protection Regulation – GDPR) is a provision of European Law that deals with the protection of the personal data of citizens and residents of the European Union and European Economic Area. It was approved on April 15, 2016 and, after a two-year transition period, entered into force on May 25, 2018, replacing the 1995 Personal Data Protection Directive (95/46/EC). The GDPR aims to give citizens and residents ways to control their personal data, in addition to unifying regulations on this topic.

It is known that in 2012 the European Union was the bloc that took the forefront and started the discussion on data protection, which would become the GDPR, and that this Regulation became a reference for other personal data protection laws of other countries, including Brazil.

In Brazil, the General Data Protection Law - LGPD (Law No. 13,709/2018) was enacted on August 14, 2018. Its advent is the result of internal discussions about incidents involving data protection, such as, for example, the Carolina Dieckmann Law (Law No. 12,737/2012), which criminalizes the obtaining and misuse of personal data obtained through electronic devices.

In 2013, what became known as the “Edward Snowden scandal” over personal data exposure took place. Snowden was a technician at National Security Agency (NSA) and the CIA, American security and spy agencies, respectively, and revealed spy schemes and data theft by the Americans against the Americans themselves, countries such as Brazil and its president at the time, and representations of the European Union. This fact accelerated the discussion and implementation of the Marco Civil da Internet in Brazil (Law No. secrecy of the flow of your communications over the Internet and stored private communications, except by court order.

In 2015, it was reported that Cambridge Analytica had been collecting personally identifiable data through Facebook since 2014. This data was used to influence voters' opinions in several countries. The case gained greater notoriety in 2018 and further heated up discussions about the need for data protection and privacy.

In Brazil, in 2019, Law 13,853/2019 extended the entry into force of the LGPD for another six months, that is, on August 14, 2018. However, Law 14,010/2020 was approved, defining in its article 20 that sanctions administrative provisions provided for in the LGPD would only come into force in August 2021.


Both apply to any company or person that processes personal data within their jurisdictions, the RGPD being within the European Union and the LGPD in Brazilian territory.

The definition of personal data – contained in Article 4 of the GDPR and in Article 5 of the LGPD – is similar and refers to information related to or referring to an identified or identifiable natural person.

There are nine principles of treatment and privacy in the RGDP, namely: Lawfulness, Loyalty, Transparency, Limitation of purposes, Minimization of data, Accuracy, Limitation of conservation, Integrity and reliability, and Responsibility. In the LGPD, there are ten, namely: Purpose, Adequacy, Necessity, Free Access, Data Quality, Transparency, Security, Prevention, Non-discrimination and Accountability. In addition, the Legal Basis for Treatment in the RGPD are six and in the LGPD there are ten.

Regarding the relationship between the Data Controller and the Data Operator, the RGDP establishes the requirement of a contract between the Controller and the Data Operator that explains the treatment of the data, while the LGPD only requires the Operator to perform the processing of data as directed by the Controller, without the requirement of said contract.

In International Transfers of Personal Data, the GDPR imposes restrictions on the transfer of personal data to third countries, so specific agreements and adjustments are necessary for such sharing. In the LGPD, restrictions are also imposed, but the National Data Authority (ANPD) is still responsible for establishing transfer rules.

Regarding the Data Processing Registry, the RGDP requires the registration of the processing of personal data and also specifies the information subject to record keeping, while the LGPD only requires the registration of the processing of personal data.

Regarding the Data Protection Impact Assessment, the GDPR requires the Data Controller to carry out an Impact Assessment to measure the risks, in addition to detailing when it requires this assessment and what exactly it should cover. The LGPD requires the Data Controller to carry out an Impact Assessment to estimate the risks of certain processing activities. However, it left it up to the ANPD to determine when such an assessment is necessary.

As for the Position of DPO or Data Protection Officer, the GDPR requires the Controller and the Operator of personal data to appoint a Data Officer (DPO). The GDPR spells out when DPOs are not required. The LGPD requires the Personal Data Controller to appoint a Data Officer (DPO).

With regard to Data Security and Violations, the GDPR requires the Data Controller to implement data security measures. The RGPD regulates the measures and determines that communication with the data authority takes place within 72 hours in the event of an event, waiving this communication according to the severity of the event. Likewise, the LGPD requires the Data Controller to implement data security measures. However, the LGPD determines that the ANPD will issue guidelines and must be informed, as well as the data subject, in the event of an event.

Regarding Penalties and Sanctions, both establish fines, sanctions and civil proceedings for controllers and operators, according to the type of event and severity.


It is notable that the GDPR is a more restrictive device with more details, since it has greater specifications and requirements, and is also highlighted by the responsibilities performed by the Data Protection Officer, which has its most well-defined role in it. It should be noted that it is reasonable for this to be more advanced, since it is a more mature regulation with more time for discussion than the LGPD.

Another relevant point is the need or not to prepare a Risk Assessment - also known as a Data Protection Impact Report - which is nothing more than an analysis of personal data security risks, that is, the activity of a particular company or person and the risks of data exposures inherent in that activity. Subsequently, the existing protection system is evaluated to verify whether or not there are vulnerabilities that allow the identified risk events to materialize.

However, risk assessment has been causing concern and confusion within the LGPD, especially for micro and small companies, due to the costs involved in this type of technical work. At this point, the GDPR defines much more clearly when this assessment should be carried out.

In addition, the LGPD left many spaces for the ANPD to monitor, which ends up demonstrating that the aforementioned instrument is not self-sufficient, requiring an inspection body to verify compliance with the law.

Finally, it is evident that the debate is very recent and will certainly need further maturity and adaptation, which will only come with time and a lot of dedication to the topic.

— Nathalia Soares is a Cyber Security Consultant Trainee at [SAFEWAY]

How can we help?

THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services, the Cybersecurity Health Check whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, contemplating the pillars of Law SuitPeople and Technology.

through the Cybersecurity Health Check, risks associated with information security and privacy of internal processes and activities are identified, existing controls and new controls evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!