Posted by William Littman, January 12, 2021

LGPD vs. GDPR - How to Keep Pace with Global Regulation

The task of tracking and complying with every new data privacy law is becoming increasingly daunting. For those of you keeping score at home, 128 out of 194 countries have now put into place some type of data privacy legislation. 

What has resulted is a patchwork quilt of sectorial regulations that make it impossible for organizations to keep up. It is akin to building a new home while city and state officials keep changing the zoning and construction codes. 

In response to this confusing jumble of regulations, governing entities are moving to create omnibus privacy legislation to harmonize across territories. While this makes it somewhat easier for businesses to coordinate their privacy programs, there are still significant differences between the regional variants that need to be understood and addressed, and the rising wave of regulation presents enterprises with an escalating challenge.

Comparing privacy laws: The devil is in the detail

After much internal wrangling, retroactive to August 16, 2020, another comprehensive federal data privacy law — Brazil’s Lei Geral de Proteção de Dados (LGPD) — went into effect, with enforcement starting on August 1, 2021. For companies that do business in the burgeoning South American and Latin American markets, the enactment of this legislation will have a major impact.   

Like the European Union’s General Data Protection Regulation (GDPR), the LGPD applies extraterritorially — that is, to companies outside of Brazil. Specifically, if your company collects or processes data from website users in Brazil, your company is subject to the law, even though your business may have no physical presence in Brazil.

While the drafters of LGPD were heavily influenced by GDPR, there are a number of differences between the two pieces of legislation, which means that compliance with the GDPR does not equal compliance with the LGPD — and vice versa. 

We set out the key differences below — but even if this article could provide a complete understanding of these two laws, that conceptual grasp would be only the first step an international company would have to take in managing its data privacy. 

The company would also have to gather information about other data privacy laws, like California’s Consumer Privacy Act (CCPA), Maine’s Act to Protect the Privacy of Online Customer Information, and many other local and international data privacy laws and regulations. 

Even if a company had the patience to create a master spreadsheet of legal rules for every location, the next step would be figuring out how to program your website to serve up data privacy experiences that were customized to the laws of each user’s location. 

Such an undertaking would be extremely challenging and costly for in-house staff. That’s why an enterprise-grade, SaaS approach to data privacy makes the most sense.

More about that later. 

For now, though, just so that you can see firsthand the kinds of nuances and subtleties your legal and IT teams would have to parse to independently comply with multiple laws, we present a comparison of the LGPD and the GDPR:

Similarities and differences between the LGPD and GDPR

Personal data definition

Both laws define personal data in similar ways, referring to information relating to an identified or identifiable natural person. But the GDPR provides examples of personal data, while the LGPD doesn’t. As a result, the LGPD’s definition of personal data may take on a broader meaning over time.

Controllers and processors

The LGPD and the GDPR both regulate “controllers” and “processors” of personal data. The two laws also define these terms in a similar way. In essence, a controller makes decisions about what data to collect and how to collect it, while the processor executes the data-collection vision of the controller.

Legal bases for processing data

Controllers do not have unfettered discretion in how they process data. They may only process data for certain lawful reasons. 

The LGPD and the GDPR differ in the number of categories they recognize as lawful bases for the processing of data. The GDPR recognizes six lawful bases, while the LGPD recognizes 10 lawful bases. One of the additional bases the LGPD recognizes is the protection of credit.

In addition, although both laws recognize the legitimate interest of the controller as a lawful basis for collecting user data, the laws differ slightly in the exceptions to this basis. 

The GDPR has a stricter limitation: the controller’s legitimate interest can be “overridden by the interests or fundamental rights and freedoms of the data subject,” particularly when the data subject is a child.  

In contrast, the LGPD recognizes the legitimate interest of the controller “except when the data subject’s fundamental rights and liberties . . . prevail.” Some commentators view this as a standard that is more lenient for the controller.

Data subject rights

Under both laws, data subjects have the right to request access to their data. In addition, subjects can request deletion, correction, or transfer of their data. 

One difference between the two laws is that the GDPR allows organizations 30 days to respond to data access requests, while the LGPD provides 15 days. 

Another difference is that certain rights that are implicit in the GDPR are made explicit in the LGPD, such as the right to information about public and private entities with which the controller has shared data.

Privacy policy

Neither law explicitly refers to a privacy policy, but both the GDPR and the LGPD require controllers to inform data subjects about processing activities. The two laws differ, however, in the exact information that controllers must provide to data subjects. 

For example, unlike the LGPD, the GDPR requires companies to inform data subjects of the categories of personal data that are processed, the lawful basis for processing each category of personal data, and the safeguards for international transfers of personal data. 

The LGPD requires organizations to inform data subjects of the responsibilities of controllers and processors in carrying out processing, but the GDPR does not require this.

Thus, companies that have website users in both Brazil and the EU must serve up differing privacy information to these two categories of data subjects.

Data security

The two laws differ in their approach to data security. The GDPR is much more detailed, prescribing particular practices. The LGPD, in contrast, leaves it to Brazil’s National Data Protection Authority to work out the details of data security requirements. 

Similarly, although both laws require organizations to inform the relevant Data Protection Authority of data breaches, the GDPR specifies such notification be made within 72 hours, whereas the LGPD requires notification within a reasonable time period. Brazil’s National Data Protection Authority hasn’t yet defined what constitutes a reasonable time period.

Another difference is that the GDPR requires organizations to notify breach-affected data subjects under certain circumstances, whereas, under the LGPD, the National Data Protection Authority may require disclosure of the event to the media.

Data Protection Officer

The GDPR requires data controllers and processors to appoint a Data Protection Officer (DPO) under certain circumstances, such as where the controller and processor engage in regular and systematic monitoring of data subjects on a large scale. 

In contrast, under the LGPD, all data controllers must appoint a DPO even if data monitoring and processing are not a core function of the organization.

Penalties for noncompliance

Both laws impose fines for violations. The GDPR requires those in violation of the law to pay up to 4% of global annual revenue or 20 million euros, whichever is higher.

The LGPD, on the other hand, has a slightly less steep fine. The maximum fine is 2% of an organization’s fiscal-year revenue in Brazil but cannot exceed approximately $9 million.

How was that information dump for you? Need a refreshment or refresher?

That was a lot to digest, wasn’t it? That’s why we made a handy recap table below.

Article skimmers, this table is for you too:

| Topic | LGPD | GDPR |
| --- | --- | --- |
| Personal data definition | Similar definition to GDPR, but no examples provided; definition may expand over time | Similar definition to LGPD, but the GDPR provides examples of personal data |
| Controllers and processors | Similar definition | Similar definition |
| Legal bases for processing data | 10 bases | 6 bases |
| Data subject rights | Companies have 15 days to respond to data requests | Companies have 30 days to respond |
| Privacy policy | Requires organizations to inform data subjects of the responsibilities of controllers and processors in carrying out processing | Companies must inform data subjects of the categories of personal data that are processed, the lawful basis for processing each category of personal data, and the safeguards for international transfers of personal data |
| Data security | Leaves the details up to Brazil’s National Data Protection Authority | Spells out details |
| Data protection officer | All data controllers must appoint a Data Protection Officer (DPO) | DPO required only under certain circumstances, such as when your organization engages in regular and systematic monitoring of data subjects |
| Penalties for noncompliance | 2% of fiscal-year revenue in Brazil, but can’t exceed approximately $9 million | Up to 4% of global annual revenue or 20 million euros, whichever is higher |

How to navigate the data privacy landscape’s many borders

The LGPD and GDPR, of course, are just two of the latest data protection laws to go into effect in recent years. Other recently enacted laws include:

  • Turkey’s Personal Data Protection Law No. 6698, also known as Kişisel Verileri Koruma Kanunu (KVKK), in 2016;
  • Thailand’s Personal Data Protection Act (PDPA) in 2019;
  • and Nevada’s data protection law (2019), which differs substantially from California’s law. 

With these developments and other court decisions, we have now reached a tipping point in the data privacy landscape. Whether your company does business only in the United States or sells to customers across the world, it’s too challenging for any business to keep reacting to each new legal development. Instead, companies need a proactive data management strategy as well as the tools that help them future-proof their company from legal and regulatory changes.

Crownpeak’s Universal Consent Platform offers this capability, enabling organizations to simultaneously comply with multiple legal regimes. With easy-to-use templates, your organization can become compliant with the GDPR, LGPD, CCPA and other privacy regulations in fewer than seven days. 

In addition, as the privacy market evolves, so too do Crownpeak’s tools, helping you maintain compliance and keep in step with new regulations. For example, the latest update of the Universal Consent Platform added support for the LGPD along with Thailand’s PDPA, Turkey’s KVKK, and Nevada’s data protection law.

In other words, our Universal Consent Platform is like a FastPass that lets you bypass taxing in-house work and gets you right into the most dynamic markets in the world, where you satisfy each location’s laws and impress their consumers. 

If that kind of efficiency and effectiveness appeals to you, we invite you to request a demo, or try the Universal Consent Platform for free.