| Scope and covered activity | LGPD: define the exact products, services, processing, claims, entities, assets, or activities that bring this side into scope; record out-of-scope facts separately. | GDPR: test its own scope boundary, exclusions, and covered activity; do not copy the LGPD conclusion without a separate source-linked finding. | Write two scope findings first: where LGPD applies, where GDPR applies, and which facts are outside one side even if evidence can be reused. |
| Who must act | LGPD: identify the controlador, operador, encarregado, joint controller, public body, international transfer recipient, or contracted service provider that owns the duty. | GDPR: assign the comparator duty to its own accountable actor and note when counterparties, subsidiaries, importers, providers, or customers differ. | Name each role separately because one entity can hold different obligations in different workflows. |
| Trigger or threshold | LGPD: state the fact that starts the obligation, such as market placement, processing, designation, incident, reporting period, transfer, data request, supplier change, or public claim. | GDPR is triggered only by the facts named in its source, such as thresholds, regulated status, risk tier, designation, incident, market placement, certification need, or supervisory notice. | Start with the trigger so teams do not apply the wrong regime to the wrong facts. |
| Core obligations | LGPD requires a lawful basis for each processing activity, appointment of a DPO, response to data subject requests within 15 days, notification of security incidents to the ANPD, and implementation of technical and administrative security measures proportionate to the risk and sensitivity of the data. | GDPR requires a documented lawful basis for each processing purpose, appointment of a DPO where required, a Record of Processing Activities, Data Protection Impact Assessments for high-risk processing, 72-hour breach notification to the supervisory authority, and data subject request responses within one month. | Translate obligations into tickets, notices, records, controls, or contract terms. |
| Evidence and records | LGPD: keep the evidence that proves this side of the decision, including cited text, registers, policies, test records, contracts, notices, reports, approvals, or audit artifacts. | GDPR: keep comparator evidence in a distinct record set and link only the artifacts that genuinely satisfy both source-linked requirements. | Keep source links, factual analysis, owner approval, and implementation evidence together. |
| Timing and cadence | LGPD: capture the application date, commencement date, transition period, reporting clock, review cadence, remediation window, or certification renewal that controls this side. | GDPR: track the comparator schedule separately so a later deadline, recurring audit, or incident timer is not hidden by the other workstream. | Use current source dates; do not reuse old project plans after amendments or guidance updates. |
| Enforcement or assurance route | LGPD: identify the competent authority, regulator, assessor, customer audit, certification body, contractual remedy, penalty, or supervisory process tied to this side. | GDPR: identify the comparator enforcement or assurance route and record where supervision, penalties, market access, certification, or contract leverage differs. | Escalate when enforcement routes differ because a regulator, market-surveillance authority, certification body, customer, or contract counterparty may require different proof. |
| Overlap and reuse | LGPD: reuse controls only where the source-linked duty, evidence standard, owner, and timing align with the comparator; otherwise keep a bridge note. | GDPR can reuse evidence from the other side only when the same fact pattern, system boundary, control, owner, and source-linked requirement are genuinely aligned. | Document overlap explicitly instead of merging both tests into one vague compliance label. |
| Practical decision rule | LGPD: treat this as the controlling workstream when its scope trigger, deadline, regulator, or required artifact is the immediate blocker. | GDPR: run a parallel or follow-on workstream when this side adds separate actors, evidence, timing, penalties, customer assurances, or implementation constraints. | Choose one practical next step: proceed under LGPD, proceed under GDPR, run both in parallel, or document why neither side controls the present fact pattern. |