Data Protection in Brazil: LGPD, What it means and how to manage compliance (Part 3)

Ilesh Dattani
5 min read · Mar 30, 2021

Parts 1 and 2 explained in some depth what the regulation is about; in this part we aim to provide some insight into how to go about taking the measures needed to become compliant.

Data processors are required to put in place measures that protect sensitive personal data from:

· loss,

· unauthorized access,

· accidental or unlawful destruction and exposure.

The focus should be on the following four key steps:

  • Visibility: you can’t analyze what you can’t see. Visibility across the organization provides the accurate data it needs to make informed decisions. Access to data and visibility provide insight into the locations and types of data held by the organization (Article 50).
  • Analysis: identifies the risk of exposure, which guides an effective data protection strategy (Article 50).
  • Protection: establishes and applies technical security policies to address any vulnerabilities in how sensitive data is currently being managed (Article 46). The law also provides that anonymized or pseudonymized data, given proper treatment and separation of roles, is not considered personal data (Articles 12 and 13).
  • Reporting: demonstrates compliance and facilitates the administrative procedures required by the LGPD (Article 50).

The following graphic highlights key considerations for each step, and includes two important actions for organizations to be compliant:

LGPD Compliance Self Assessment

The assessment is designed for monitoring and auditing data protection and data security compliance. It is based on the user’s answers to 46 statements.

They are grouped under the following categories:

Maintain Data Governance — this covers the processes and procedures defining who within an organization has authority and control over data assets and how those data assets may be used. It encompasses the people, processes, and technologies required to manage and protect data assets.

Acquire, Identify and Classify Personal Data — this covers the processes and procedures around the acquisition and management of personal data.

Manage Personal Data Risk — this covers the procedures and processes that are or aren’t in place to manage the risk of a personal data breach. A risk assessment, in personal data breach terms, is where you consider how seriously people might be harmed and the probability of this happening.

Manage Personal Data Security — security is central to protecting the confidentiality, integrity and availability of personal data. This covers all aspects of the policies and procedures, to assess whether there is a thorough and continuously monitored framework of controls, both technical and organisational, appropriate to the nature of the data processing and the associated risks.

Manage the Personal Data Supply Chain — this covers an assessment of the controls in place to support the compliant flow of personal data between the parties involved in a supply chain.

Manage Incidents and Breaches — this covers an assessment of the controls in place for the management of data breaches and of incidents that might have led, or could lead, to a personal data breach.

Create and Maintain Awareness — this covers an assessment of the activities undertaken to train and educate employees, contractors and suppliers on data protection compliance and on the policies, procedures and controls in place within the organization to maintain and manage compliance.

Organize DPO Function — this is designed to assess whether the Data Protection Officer role is in place in the organization with all the appropriate responsibilities assigned.

Maintain Internal Controls — the objective here is to establish whether management systems are in place to monitor, maintain and enforce the internal controls for compliance.

The answers are multiple choice, with four alternatives to assess progress towards compliance in each case. They range from having done nothing at all in the particular area in question to having fully accomplished all requirements for compliance.

The results draw on Capability Maturity Model Integration (CMMI) appraisal scoring methods to deliver actionable insights to organizations regarding compliance. As implementation moves forward, users can retake the assessment to gauge progress.

CMMI V2.0 helps organizations quickly understand their current level of capability and performance in the context of their own business objectives and in comparison with similar organizations. CMMI aligns business goals directly with operations and capabilities to drive measurably improved performance. The output from the tool gives the organization data on its current compliance status along with guidance on how to improve. As a result, the tool can be used to establish effective procedures and controls, or serve as a benchmark for existing processes in the organization.

The tool also helps identify when there might be a need to carry out a Data Protection Impact Assessment (DPIA). It supports a systematic analysis of the risks in the organisation’s data protection arrangements, which can be used as input to a DPIA to help minimise risk and to determine whether or not the remaining level of risk is acceptable in the circumstances.

Operational advantage comes from increased data awareness and a reduced risk of exposure. Article 38 of the LGPD requires every organization to have a clear understanding of its data, and a formal process must be defined to manage it: where it’s located, the type of data being held and the type of protection being applied. Organizations also need to apply appropriate security techniques in line with Article 46 (such as encryption, tokenization and access control) to protect data from unauthorized access and unlawful situations. Individuals have a fundamental right under the legal framework to know how their personal data is being processed or shared. Meeting these obligations can be a major challenge for organizations, both because of the volume of data they hold and because of the difficulty of identifying the best approach to protecting it.

CipherTrust Data Discovery and Classification is part of the CipherTrust Data Security Platform[2]. In addition to unifying data discovery, classification and data protection, the CipherTrust Platform also provides unprecedented granular access controls, all with centralized key management. This simplifies data security operations, accelerates time to compliance and reduces risk across your business.

To find out more get in touch at http://www.cyberseguroglobal.com

[1] https://cpl.thalesgroup.com/blog/encryption/road-to-lgpd-compliance

[2] https://cpl.thalesgroup.com/en-gb/encryption/data-security-platform
