What is the LGPD or General Personal Data Protection Law?
The LGPD (General Personal Data Protection Law) is law no. 13,709, passed in August 2018 and went into effect as of September 2020. It regulates the processing of personal data, with its objective being to protect the fundamental rights of freedom and privacy and a natural person’s ability to freely develop their personality.
In its content, the LGPD establishes the principles that must be respected in matters of personal data protection:
- Respect for privacy;
- Self-determination of information;
- Freedom of expression, information, communication, and opinion;
- The inviolability of privacy, honor, and image;
- Economic and technological development and innovation;
- Free enterprise, free competition, and consumer protection;
- Human rights, free development of personality, dignity, and the exercise of citizenship by natural persons.
Although the LGPD does not explicitly present the concept of a breach or incident, the National Data Protection Authority describes a security incident involving personal data as "any confirmed adverse event related to the breach in the security of personal data, such as unauthorized, accidental, or unlawful access resulting in destruction, loss, alteration, leakage or even, any form of improper or unlawful processing of data, which may pose a risk to the rights and freedoms of the holder of the personal data".
It is important to know the definition of “incident” to understand the events that involve personal data and that are present in the legislation, like what is stated in Article 42 of the LGPD, for example:
"The Controller or Operator who, due to the act of processing personal data, causes damage to others’ property, be it moral, individual, or collective, in violation of the legislation on protection of personal data, is obliged to repair it."
Article 46 of the LGPD serves as another example, which states that Personal Data Processing Agents must adopt security, technical, and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any form of improper or unlawful processing.
What Is the Purpose of the LGPD?
The LGPD was created with the purpose of providing greater protection to personal data and greater control over those that are interested in your personal information. To that effect, the LGPD establishes rules, principles, and guidelines applicable to the processing of data, in physical or digital media, carried out by natural persons, when it has economic purposes, and by public or private entities.
How Does the LGPD Define Personal Data?
Article 5 of the LGPD brings the definitions for two categories of data: personal data and sensitive personal data.
Personal data is any information relating to a natural person that makes it possible to identify him or her or that, in some way, may lead to the recognition of a person. For example, the following data are considered personal data: name, identification numbers (RG and CPF), e-mail, phone number, date of birth, geolocation, and device configuration (IP), among others.
Sensitive Personal Data
As for sensitive personal data, the law defines it as follows: personal data on racial or ethnic origin, religious convictions, political opinion, membership in a trade union or organization of a religious, philosophical, or political nature, data in relation to health or sex life, and genetic or biometric data that are linked to a natural person.
This category of data was treated by the legislation with greater rigor, because it is data that, by its nature, is related to information that merits greater care, mainly for protection against discrimination.
Who Does the LGPD Apply To?
The LGPD applies to any data processing operation carried out by a natural person or by a legal person under public or private law regardless of the medium, the country of its registered office, or the country where the data is located, provided that:
- The data processing operation is carried out in Brazil;
- The data processing activity is aimed at offering or providing services to individuals located in Brazil;
- The personal data was collected in Brazil.
Important Definitions in the LGPD
There are some very important definitions in the LGPD that help to understand the legal text:
The natural or legal person, under public or private law, who is responsible for decisions regarding the processing of personal data. The Controller is responsible for decisions on the processing of personal data in their possession.
The natural or legal person, under public or private law, who carries out the processing of personal data on behalf of the Controller, in accordance with the guidelines received.
There is a third role that the LGPD does not include in its text, but that the ANPD addresses in its Orientation Guide for Personal Data Processing Agents and the Controller: that of the Sub-operator. The Sub-operator is hired by the Operator to help process personal data on behalf of the Controller. The direct relationship of the Sub-operator is with the Operator and not with the Controller and, generally speaking, the Sub-operator works in subordination to the Operator.
The Data Protection Officer (DPO) is the person designated by the Controller and the Operator to act as a channel of communication between the controller, the data subjects, and the National Data Protection Authority (ANPD).
The 9 Rights of the LGPD
As it has the LGPD, the holder has the following rights regarding the processing of their personal data:
1. Confirmation of the existence of the processing
Taking into account that data processing is any activity related to personal data, such as collection, storage, use, and classification, the LGPD guarantees the data subject the right to confirm whether a company carries out the processing of their personal data. The LGPD also determines that the response to the existence of the data must indicate the origin, the criteria used, and the purpose of the processing.
2. Access to the data
Once the data has been processed by the Controller, the data subject may request access to his or her data, which will be provided through a physical or digital copy.
3. Correction of incomplete, inaccurate, or outdated data
Once the existence of data processing has been confirmed, the LGPS entitles the data subject to request the correction or deletion of any incomplete, inaccurate, or outdated data.
4. Right of anonymization, blocking or deletion
The owner may request the anonymization, blocking, or deletion of their data. The anonymization of data means that it can no longer be related to the holder, so it is no longer personal data. Blocking refers to the temporary suspension of processing for certain purposes. Finally, erasure refers to the exclusion of data that is unnecessary, excessive, or processed in breach of the intended purposes.
5. Data portability
Following the regulation of the ANPD or if there is a technical possibility, the holder may request that the Controller provide their data in a structured format for transfer to a third party, except those that have already been anonymized and excluded from the database and do not infringe intellectual and/or industrial property rights, nor are confidential by virtue of the concluded contracts.
6. Right to revoke consent
The owner of the data may cancel any consent he/she has accepted to use his/her personal data.
7. Right to information about the exchange of their data
The data subject has the right to know which types of public and private entities the Controller shares his or her data with.
8. Information on the possibility of not consenting to data processing
The data subject has the right to receive clear and complete information about the possibility and consequences of not consenting.
9. Opposition to data processing
The LGPD authorizes the processing of data even without the provision of consent by the data subject. In such cases, legitimate reasons are required for doing so, like in cases when it is necessary to ensure the security of a website and available resources. However, if the owner does not agree with any purpose of processing their data, they can report their opposition by requesting the discontinuation of the processing directly to the Controller.
LGDP Compliance Checklist
The LGPD brings a series of compliance measures so that Data Processing Agents can implement an adaptation process. The following measures are worth mentioning:
Although not expressly provided in the LGPD, its content is essential to verify the legality and sustainability of the operation, via the definition and attribution of legal bases, as well as for the preparation of the documents required by law.
The activity consists of identifying (and documenting) the path followed by all personnel within an organization.
Once the mapping of personal data has been completed, the appropriate legal bases must be adequately indicated in each processing flow, as laid out in Article 7 of the legislation.
Preparation of documentation required by the LGPD and the Legal Basis:
The LGPD requires the Controller and the Operator to carry out the Record Of Processing Activity ("ROPA"), especially with regard to processing flows based on the legal basis of "Legitimate Interest".
In addition, the law also requires the National Data Protection Authority ("NADP") to request the Controller to prepare the Data Protection Impact Assessment ("DPIA"), including confidential data related to its data processing operations.
Therefore, the preparation of the requested documents is essential in the adoption of LGPD compliance.
Adoption of contracts:
According to the LGPD, the Controller must "adopt security, technical, and administrative measures capable of protecting personal data from unauthorized access".
In this context, it will be up to the Controller to take all necessary measures to protect the personal data processed, which means even setting limits and mitigating risks in relation to the exchange of information with customers, partners, and suppliers through contracts.
Continuous mapping, verification, and adequacy of all contractual relationships are recommended in accordance with the guidelines already shared throughout the project.
Definition of deadlines and criteria for storage and disposal of personal data:
Another compliance document, called a "Personal Data Retention Policy," is completed so that the life cycle of each personal data (or set of data) is organized and, therefore, delimits the correct time limit for disposal (or, if applicable, anonymization of data).
Adoption of security, technical, and administrative measures:
Article 46 of the LGPD states that Data Processing Agents must adopt security, technical, and administrative measures capable of protecting personal data from unauthorized access, accidental or unlawful destruction, loss, alteration, disclosure, or any form of improper or unlawful processing.
Therefore, it is essential to implement security measures such as security policies and incident management; administrative measures such as awareness training; and technical measures such as access controls.
Privacy Governance and Best Practices Program:
Article 50 of the LGPD requires both the Controller and the Operator to formulate rules of good practice and data privacy governance within the scope of their duties in the processing of personal data. Such rules must be published and updated periodically and may be recognized and disclosed by the ANPD.
The Challenges of Compliance With the LGPD
Compliance with the LGPD is not an easy process. Like Brazil, many countries are developing GDPR-inspired compliance regulations, like the California Consumer Privacy Act (CCPA) and Canada's proposed Digital Charter Implementation Act, for example.
To comply with these regulations, organizations must do the hard work of protecting the rights of their stakeholders and conduct impact assessments, report security incidents, and ensure they have audit processes in place.
IT staff will not be able to use manual processes or even temporary controls to help meet the requirements because this approach is not sustainable. Instead, robust data protection technology that is automated and streamlined better meets stringent regulatory requirements to limit access to personal data and protect data at rest and in motion.
Three areas are of particular concern to IT teams:
With security incidents costing millions, in addition to the associated reputational and public relations costs, it is essential to ensure the security of data that falls under the LGPD. The best practice for IT teams is to invest in security solutions such as data classification, encryption, secure file transfer, and identity and access management.
Because the LGPD ensures that data subjects have the right to request the Controller to access, correct, delete or transfer to another controller through portability, IT teams are challenged to ensure efficient and transparent technical solutions to manage these requests. In addition, IT needs to ensure that any implemented solution is auditable to meet legal requirements.
IT must also ensure that the data Controller or Operator has adequate staff and training to implement measures that can mitigate the risks of an incident and provide the necessary support after an incident involving personal data.
Determining how to securely store and manage the consent and consent status of data subjects across the organization is another concern. Data mapping is a requirement of the LGPD, which dictates that processing activities be logged.
Initially, many companies did this manually, but because these logs need constant updating, automation helps keep information current and allows IT to focus on more critical tasks. Collaboration platforms and tools, as well as the configuration of workflows and business rules, can help keep records updated more easily.
Workflow automation can also be incorporated to ensure a quick IT response to incumbents who want their data removed or deleted from multiple internal and external systems. Applying automation can also help speed up the takeover of personal data from third parties that fall under the LGPD.
Cybersecurity Solutions for LGPD Compliance
For LGPD compliance, it is necessary to apply simple policies and pragmatic procedures that lead people to adopt a culture of information protection in your organization and accompany it with the implementation of a layered security approach to ensure compliance with established policies.
HelpSystems' approach consists of guaranteeing information security through granular controls in the information flow and throughout its life cycle, without this representing any drop in the organization's productivity. From intelligent and granular data classification capable of identifying the type of information and its location, to data loss prevention, digital data rights management, and file transfer security, we offer a comprehensive and integrated set of solutions for the execution of your security strategy:
Before personal data is ever exchanged, Clearswift applies the optimal security treatment based on your data’s content and GDPR privacy policies. It delivers real-time sanitation/redaction, encryption, and blocking or deleting of sensitive data based on the business rules you define to meet LGPD regulations.
Fortra's data classification solutions help meet LGPD standards by applying both visual labels and labelling to a file’s meta data to protect and control its use. By adding classification, users can better determine how a given piece of data should be treated, handled, stored, and eventually deleted. Classification adds streamlined functionality as well as enhanced data security and compliance.
Vulnerability Assessments and Intrusion Protection
Proving LGPD compliance is easier with the security solutions delivered by Powertech. Organizations can automatically identify and quantify their system security vulnerabilities as well as harden their system to intrusion. In addition, robust audit functionality of users and system functions helps meet the audit requirements under GDPR.
Secure Managed File Transfer (MFT)
Comprehensive MFT solutions can help meet several key LGPD principles, namely securely transmitting personal data through encryption, performing integrity checks of transfers to protect accuracy, and providing detailed audit trails and reporting of all transfers. Personal data is protected in transit and at rest with granular user access roles adding additional security around data.
Data Loss Prevention (DLP)
The LGPD states that data processors must ensure that personal data is not used for any other purpose outside of the services for which it was intended. Digital Guardian Data Loss Prevention helps LGPD Compliance by enabling organizations to effectively discover, monitor, and control personal data transmitted over the network, in use on workstations or at rest on workstations, network servers, and stored in the Cloud. Data is adequately protected against unauthorized transmission, dissemination, use, and storage, while analytics and reporting functionality can provide key documentation to demonstrate LGPD Compliance.
Fortra Helps You With GDPR Compliance
At Fortra, we have more than 30 years of experience helping organizations around the world to protect their data. Our globally recognized solutions and our team of experts can help you comply with LGPD and other regulations. Request a no-obligation presentation to learn how our solutions can help your company's security strategy.