LGPD Data Discovery: The step towards personal data compliance

This blog will discuss the significance of data discovery solutions in light of Brazil’s data protection regulation Lei Geral de Proteção de Dados Pessoais (LGPD) and its compliance.

The Growing Necessity of a Data Discovery Tool

As cloud services offer better convenience, technology, scalability, and cost than their counterparts, more and more companies are moving their important data to the cloud. To put this in perspective, according to the Flexera 2021 State of the Cloud Report, 97% of enterprises embrace a multi-cloud strategy.

The disparate nature of data coupled with dynamic cloud environments renders organizations unable to have seamless visibility into their key data or metrics.

The same data is then scattered across different data assets in both structured and unstructured systems. Some data exists in structured tables and columns, while some exist in emails, unprotected file folders, spreadsheets, etc. A serious lack of visibility into such data not only creates gaps for potential security threats but also leads to compliance failures.

For example, data subject access request (DSAR) fulfillment is almost universal and mandatory in most data privacy regulations and laws. If an organization doesn’t know where a specific user’s data resides in their systems, they will fail to honor the DSAR, and ultimately, not be able to meet compliance.

One of the key takeaways that IAPP highlighted from its IAPP-EY Annual Governance Report 2019 was, “More than half of respondents (56%) named “locating unstructured personal data” as the most difficult issue in responding to data subject access requests (including access, deletion, and rectification requests).”

Data Discovery can assist organizations in identifying, cataloging, and mapping the data. This further enables them to evaluate its sensitivity level, identify regulated attributes, and maintain a record of data processing activities.

Data Discovery is Significant for LGPD Compliance

Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil's data protection law that has been in effect since September 18, 2020, and is referred to as Brazil's version of the EU's General Data Protection Regulation (GDPR). LGPD shares many traits with the EU GDPR but it also has additional regulations that make it a more comprehensive and severe privacy standard.

LGPD contains 65 articles provisioned under 10 chapters. To comply with LGPD, organizations must consider the following:

LGPD Requirements for Personal Data Processing

Under Chapter II Section I and Article 7, LGPD require organizations to carry out data processing operations only if it meets any of the following lawful basis:

1. The consent of a data subject was obtained.
2. The data controller must comply with a legal or regulatory requirement.
3. When data processing is required by the public administration for the execution of public policies provided in regulations or based on agreements, contracts, or similar instruments.
4. For research purposes by research entities, providing that data anonymization is maintained whenever possible.
5. When a data subject requests data processing for the execution of any preliminary procedures related to a contract or the execution of a contract itself of which the data subject is a party.
6. To exercise rights in the administrative, judicial, or arbitration procedures
7. To protect the life or physical safety of a third party or the data subject
8. To protect the health, exclusively in a procedure which is carried out by health professionals, entities, services, or sanitary authorities.
9. When necessary to fulfill legitimate interests of a third party or controller, provided that it doesn’t violate the fundamental rights of the data subject.
10. For the protection of credit as per applicable law.

Data Subject Rights Under LGPD

LGPD empowers data subjects to have better control over their data by exercising 9 data subject rights against public and private organizations. GDPR also outlines data subject rights which are, in essence, the same as LGPD - barring a few exceptions.

Under LGPD, the data subject rights include the right:

• To confirm the existence of processing of personal data
• To be informed of the processing of personal data
• To access the personal data
• To rectify incorrect or outdated personal data
• To anonymize, block or delete any excessive or unnecessary personal data which is processed not in compliance with the regulation
• To transfer the personal data to a third-party service provider via an express request (data portability).
• To request deletion of personal data collected using consent, following the termination of processing purpose for which consent was obtained.
• To request information of public and private third parties with whom the personal data has been shared with.
• To be informed about the possibility to deny the consent for collection and processing of personal data and the consequences for such denial.
• To request to revoke consent earlier provided for the processing of personal data for a particular purpose.

LGPD Transparency and Accountability

Under Article 6 of Chapter I, LGPD requires all data processing activities to be done in good faith in accordance with the principles prescribed.

As per Article 6(VI) the principle of transparency is mentioned as “[the] guarantee to the data subjects of clear, precise and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy.” This requirement is further strengthened by Article 9 which specifies the information to be provided to the data subject which is related to the reason for collection and processing of their personal data. This includes information on the purpose, type and duration of processing for which the personal data is being collected - and whether the processing is condition for the provision of a product or service or for the exercise of a right.

As per Article 6(X) this includes the principle of accountability which is defined as ‘ demonstration, by the data processing agent, of the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures.’ This requirement is strengthened by Article 37 which requires controllers and processors to keep records of their processing activities and Article 38 which obligates controllers to conduct and document data protection impact assessments for certain prescribed forms of processing.

Article 50 of the LGPD further suggests the formation of rules and practices for compliant data governance by controllers and processors, either collectively or individually. The rules and practices must be formed in accordance with the processing activities and personal data inventory of the organization and should consider the nature, scope, purpose and probability and seriousness of the risks and the benefits that will result from the processing of the collected personal data. They should also demonstrate the effectiveness of the organization’s data governance program to good practices or codes of conduct, which, independently, promote compliance with the LGPD.

LGPD Data Security and Governance

Under Section I of Chapter VII, the LGPD provides guidelines for security practices that organizations shall implement for data protection and integrity. Under the LGPD, organizations will have to employ effective security, technical and administrative measures to protect the personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing. Some of the security measures and guidelines include:

• Strict access controls and minimized excessive privileges
• Deployment of authentication systems for records access;
• Use of encryption and other equivalent measures to secure data from the breach;
• In the event of any breach, the organization must notify the LGPD regulatory authority, Autoridade Nacional de Proteção de Dados (ANPD), and the affected data subject;
• The breach notification should explain the seriousness of the breach.

To be able to comply with the aforementioned regulations under LGPD, organizations must implement and follow the best Data Discovery practices.

LGPD Data Discovery Practices

• The first step towards compliance requires insights into where the data resides in the disparate data assets. Therefore, it is first integral to have a single catalog of all the shadow and native data assets across PaaS infrastructure, on-premise systems, SaaS applications, or hyper-scale cloud.
• The data assets should then be scanned for relevant metadata and cataloged under relevant categories, such as business metadata or security metadata. These metadata may include the vendor details, version, data asset’s security status, etc.
• Once the data assets are identified and cataloged, the next step is to scan for the residing data and identify personal data and sensitive data. The Data Discovery should be effective enough to conduct a deep scan across structured and unstructured data, and further classify the identified data under relevant elements, such as health information, personal information, sensitive information, and financial information, just to name a few. Data classification further helps system administrators map the data to relevant data subjects or owners.
• The system administrator then needs to apply policy, security, and privacy-based labeling to data, classifying the data for its sensitivity level, risk posture, the purpose of processing, etc.

A comprehensive Data Discovery system takes all these parameters into account and further enables administrators to:

• Effectively map structured and unstructured data to data subjects, allowing them to fulfill DSR requests.
• Detects security hotspots and any misconfigurations so administrators can ensure strict access controls, data encryption, and other equivalent security measures.
• Document and maintain an updated record of all the data processing activities and logs.
• Comply with other security and privacy regulations required by LGDP.

How Securiti Can Help?

Securiti enables organizations to run deep data discovery scans across their petabytes-scale environments with its AI-powered PrivacyOps solution and ensure compliance with LGPD and other global data protection regulations.

• Run deep data scans across on-premise, hybrid, and multi-cloud environments.
• Deploy 200+ native connectors for efficient data assets discovery and catalog.
• Use hundreds of built-in and dozens of out-of-the-box personal and sensitive data attributes.
• Identify and label hundreds of attributes specific to regional privacy regulations, such as LGPD, GDPR, CCPA, etc.

Book a demo now for more information.