Published on November 25, 2021 AUTHOR - Privacy Research Team
Global privacy laws require organizations to map their data processing activities, tighten up their security measures, build customer trust, fulfill legal and moral obligations and honor data subject rights, or face financial and reputational damage for non-compliance. But how do organizations comply with these requirements? Where do they start?
Compliance with security frameworks and privacy laws isn’t possible without having an effective data discovery mechanism in place. Data discovery is the vital cog in the wheel that helps organizations locate sensitive personal data in their systems, determine its security posture, and identify regulated attributes.
This blog will discuss the significance of data discovery solutions in light of Brazil’s data protection regulation Lei Geral de Proteção de Dados Pessoais (LGPD) and its compliance.
As cloud services offer better convenience, technology, scalability, and cost than their counterparts, more and more companies are moving their important data to the cloud. To put this in perspective, according to the Flexera 2021 State of the Cloud Report, 97% of enterprises embrace a multi-cloud strategy.
The disparate nature of data coupled with dynamic cloud environments renders organizations unable to have seamless visibility into their key data or metrics.
The same data is then scattered across different data assets in both structured and unstructured systems. Some data exists in structured tables and columns, while some exist in emails, unprotected file folders, spreadsheets, etc. A serious lack of visibility into such data not only creates gaps for potential security threats but also leads to compliance failures.
For example, data subject access request (DSAR) fulfillment is almost universal and mandatory in most data privacy regulations and laws. If an organization doesn’t know where a specific user’s data resides in their systems, they will fail to honor the DSAR, and ultimately, not be able to meet compliance.
One of the key takeaways that IAPP highlighted from its IAPP-EY Annual Governance Report 2019 was, “More than half of respondents (56%) named ‘locating unstructured personal data’ as the most difficult issue in responding to data subject access requests (including access, deletion, and rectification requests).”
Data Discovery can assist organizations in identifying, cataloging, and mapping the data. This further enables them to evaluate its sensitivity level, identify regulated attributes, and maintain a record of data processing activities.
Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil's data protection law that has been in effect since September 18, 2020, and is referred to as Brazil's version of the EU's General Data Protection Regulation (GDPR). LGPD shares many traits with the EU GDPR but it also has additional regulations that make it a more comprehensive and severe privacy standard.
LGPD contains 65 articles provisioned under 10 chapters. To comply with LGPD, organizations must consider the following:
Under Chapter II, Section I, Article 7, LGPD requires organizations to carry out data processing operations only if the processing meets at least one of the following lawful bases:
LGPD empowers data subjects to have better control over their data by exercising 9 data subject rights against public and private organizations. GDPR also outlines data subject rights which are, in essence, the same as LGPD - barring a few exceptions.
Under LGPD, the data subject rights include the right:
Under Article 6 of Chapter I, LGPD requires all data processing activities to be done in good faith in accordance with the principles prescribed.
Article 6(VI) sets out the principle of transparency as the “[the] guarantee to the data subjects of clear, precise and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy.” This requirement is further strengthened by Article 9, which specifies the information to be provided to the data subject about the reason for the collection and processing of their personal data. This includes information on the purpose, type and duration of the processing for which the personal data is being collected, and whether the processing is a condition for the provision of a product or service or for the exercise of a right.
Article 6(X) sets out the principle of accountability, defined as the ‘demonstration, by the data processing agent, of the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures.’ This requirement is strengthened by Article 37, which requires controllers and processors to keep records of their processing activities, and Article 38, which obligates controllers to conduct and document data protection impact assessments for certain prescribed forms of processing.
Article 50 of the LGPD further suggests the formation of rules and practices for compliant data governance by controllers and processors, either collectively or individually. The rules and practices must be formed in accordance with the processing activities and personal data inventory of the organization and should consider the nature, scope, purpose and probability and seriousness of the risks and the benefits that will result from the processing of the collected personal data. They should also demonstrate the effectiveness of the organization’s data governance program to good practices or codes of conduct, which, independently, promote compliance with the LGPD.
Under Section I of Chapter VII, the LGPD provides guidelines for the security practices that organizations shall implement for data protection and integrity. Under the LGPD, organizations must employ effective security, technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or any other form of improper or unlawful processing. Some of the security measures and guidelines include:
To be able to comply with the aforementioned regulations under LGPD, organizations must implement and follow the best Data Discovery practices.
A comprehensive Data Discovery system takes all these parameters into account and further enables administrators to:
Securiti enables organizations to run deep data discovery scans across their petabytes-scale environments with its AI-powered PrivacyOps solution and ensure compliance with LGPD and other global data protection regulations.
Book a demo now for more information.