Products
By Use Cases By Roles
DataControls Cloud^TM
View
Learn more

Asset and Data Discovery

Discover Data Assets

Learn more

Data Access Intelligence & Governance

Identify which users have access to sensitive data and prevent unauthorized access

Learn more

Data Privacy Automation

PrivacyCenter.Cloud | Data Mapping | DSR Automation | Assessment Automation | Vendor Assessment | Breach Management | Privacy Notice

Learn more

Sensitive Data Intelligence

Discover & Classify Structured and Unstructured Data | People Data Graph

Learn more

Data Flow Intelligence & Governance

Discover & Classify Structured and Unstructured Streaming Data

Learn more

Data Consent Automation

First Party Consent | Third Party & Cookie Consent

Learn more

Data Security Posture Management

Protect data systems by discovering and automatically remediating misconfigurations

Learn more

Data Breach Impact Analysis & Response

Analyze impact of a data breach and coordinate response per global regulatory obligations

Learn more

Data Catalog

Automatically catalog enterprise datasets

Learn more

Data Lineage

Track changes and transformations of data throughout its lifecycle
Data Controls Orchestrator
View
DataControls Cloud^TM
View
Sensitive Data Intelligence
View

Asset Discovery
Data Discovery & Classification
Sensitive Data Catalog
People Data Graph
Learn more

Privacy

Automate compliance with global privacy regulations

Data Mapping Automation

View

Data Subject Request Automation

View

People Data Graph

View

Assessment Automation

View

Cookie Consent

View

Universal Consent

View

Vendor Risk Assessment

View

Breach Management

View

Privacy Policy Management

View

Privacy Center

View

Learn more

Security

Identify data risk and enable protection & control

Data Security Posture Management

View

Data Access Intelligence & Governance

View

Data Risk Management

View

Data Breach Analysis

View

Learn more

Governance

Optimize Data Governance with granular insights into your data

Data Catalog

View

Data Lineage

View

Data Quality

View
Data Controls Orchestrator
View
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

Snowflake

View

AWS

View

Microsoft 365

View

Salesforce

View

Workday

View

GCP

View

Azure

View

Oracle

View

Learn more

Regulations

Automate compliance with global privacy regulations.

US California CCPA

View

US California CPRA

View

European Union GDPR

View

Thailand’s PDPA

View

China PIPL

View

Canada PIPEDA

View

Thailand PDPA

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Privacy

View

Security

View

Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Videos

Solution and customer videos.

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

LGPD Data Discovery: The step towards personal data compliance

By Privacy Research Team

Published on November 25, 2021

Global privacy laws require organizations to map their data processing activities, tighten up their security measures, build customer trust, fulfill legal and moral obligations and fulfill data subject rights or face financial and reputational damages for non-compliance. But how do organizations comply with these requirements? Where do they start from?

Compliance with security frameworks and privacy laws isn’t possible without having an effective data discovery mechanism in place. Data discovery is the vital cog in the wheel that helps organizations locate sensitive personal data in their systems, determine its security posture, and identify regulated attributes.

This blog will discuss the significance of data discovery solutions in light of Brazil’s data protection regulation Lei Geral de Proteção de Dados Pessoais (LGPD) and its compliance.

The Growing Necessity of a Data Discovery Tool

As cloud services offer better convenience, technology, scalability, and cost than their counterparts, more and more companies are moving their important data to the cloud. To put this in perspective, according to the Flexera 2021 State of the Cloud Report, 97% of enterprises embrace a multi-cloud strategy.

The disparate nature of data coupled with dynamic cloud environments renders organizations unable to have seamless visibility into their key data or metrics.

The same data is then scattered across different data assets in both structured and unstructured systems. Some data exists in structured tables and columns, while some exist in emails, unprotected file folders, spreadsheets, etc. A serious lack of visibility into such data not only creates gaps for potential security threats but also leads to compliance failures.

For example, data subject access request (DSAR) fulfillment is almost universal and mandatory in most data privacy regulations and laws. If an organization doesn’t know where a specific user’s data resides in their systems, they will fail to honor the DSAR, and ultimately, not be able to meet compliance.

One of the key takeaways that IAPP highlighted from its IAPP-EY Annual Governance Report 2019 was, “More than half of respondents (56%) named “locating unstructured personal data” as the most difficult issue in responding to data subject access requests (including access, deletion, and rectification requests).”

Data Discovery can assist organizations in identifying, cataloging, and mapping the data. This further enables them to evaluate its sensitivity level, identify regulated attributes, and maintain a record of data processing activities.

Data Discovery is Significant for LGPD Compliance

Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil's data protection law that has been in effect since September 18, 2020, and is referred to as Brazil's version of the EU's General Data Protection Regulation (GDPR). LGPD shares many traits with the EU GDPR but it also has additional regulations that make it a more comprehensive and severe privacy standard.

LGPD contains 65 articles provisioned under 10 chapters. To comply with LGPD, organizations must consider the following:

LGPD Requirements for Personal Data Processing

Under Chapter II Section I and Article 7, LGPD require organizations to carry out data processing operations only if it meets any of the following lawful basis:

The consent of a data subject was obtained.
The data controller must comply with a legal or regulatory requirement.
When data processing is required by the public administration for the execution of public policies provided in regulations or based on agreements, contracts, or similar instruments.
For research purposes by research entities, providing that data anonymization is maintained whenever possible.
When a data subject requests data processing for the execution of any preliminary procedures related to a contract or the execution of a contract itself of which the data subject is a party.
To exercise rights in the administrative, judicial, or arbitration procedures
To protect the life or physical safety of a third party or the data subject
To protect the health, exclusively in a procedure which is carried out by health professionals, entities, services, or sanitary authorities.
When necessary to fulfill legitimate interests of a third party or controller, provided that it doesn’t violate the fundamental rights of the data subject.
For the protection of credit as per applicable law.

Data Subject Rights Under LGPD

LGPD empowers data subjects to have better control over their data by exercising 9 data subject rights against public and private organizations. GDPR also outlines data subject rights which are, in essence, the same as LGPD - barring a few exceptions.

Under LGPD, the data subject rights include the right:

To confirm the existence of processing of personal data
To be informed of the processing of personal data
To access the personal data
To rectify incorrect or outdated personal data
To anonymize, block or delete any excessive or unnecessary personal data which is processed not in compliance with the regulation
To transfer the personal data to a third-party service provider via an express request (data portability).
To request deletion of personal data collected using consent, following the termination of processing purpose for which consent was obtained.
To request information of public and private third parties with whom the personal data has been shared with.
To be informed about the possibility to deny the consent for collection and processing of personal data and the consequences for such denial.
To request to revoke consent earlier provided for the processing of personal data for a particular purpose.

LGPD Transparency and Accountability

Under Article 6 of Chapter I, LGPD requires all data processing activities to be done in good faith in accordance with the principles prescribed.

As per Article 6(VI) the principle of transparency is mentioned as “[the] guarantee to the data subjects of clear, precise and easily accessible information about the carrying out of the processing and the respective processing agents, subject to commercial and industrial secrecy.” This requirement is further strengthened by Article 9 which specifies the information to be provided to the data subject which is related to the reason for collection and processing of their personal data. This includes information on the purpose, type and duration of processing for which the personal data is being collected - and whether the processing is condition for the provision of a product or service or for the exercise of a right.

As per Article 6(X) this includes the principle of accountability which is defined as ‘ demonstration, by the data processing agent, of the adoption of measures which are efficient and capable of proving the compliance with the rules of personal data protection, including the efficacy of such measures.’ This requirement is strengthened by Article 37 which requires controllers and processors to keep records of their processing activities and Article 38 which obligates controllers to conduct and document data protection impact assessments for certain prescribed forms of processing.

Article 50 of the LGPD further suggests the formation of rules and practices for compliant data governance by controllers and processors, either collectively or individually. The rules and practices must be formed in accordance with the processing activities and personal data inventory of the organization and should consider the nature, scope, purpose and probability and seriousness of the risks and the benefits that will result from the processing of the collected personal data. They should also demonstrate the effectiveness of the organization’s data governance program to good practices or codes of conduct, which, independently, promote compliance with the LGPD.

LGPD Data Security and Governance

Under Section I of Chapter VII, the LGPD provides guidelines for security practices that organizations shall implement for data protection and integrity. Under the LGPD, organizations will have to employ effective security, technical and administrative measures to protect the personal data from unauthorized accesses and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing. Some of the security measures and guidelines include:

Strict access controls and minimized excessive privileges
Deployment of authentication systems for records access;
Use of encryption and other equivalent measures to secure data from the breach;
In the event of any breach, the organization must notify the LGPD regulatory authority, Autoridade Nacional de Proteção de Dados (ANPD), and the affected data subject;
The breach notification should explain the seriousness of the breach.

To be able to comply with the aforementioned regulations under LGPD, organizations must implement and follow the best Data Discovery practices.

LGPD Data Discovery Practices

The first step towards compliance requires insights into where the data resides in the disparate data assets. Therefore, it is first integral to have a single catalog of all the shadow and native data assets across PaaS infrastructure, on-premise systems, SaaS applications, or hyper-scale cloud.
The data assets should then be scanned for relevant metadata and cataloged under relevant categories, such as business metadata or security metadata. These metadata may include the vendor details, version, data asset’s security status, etc.
Once the data assets are identified and cataloged, the next step is to scan for the residing data and identify personal data and sensitive data. The Data Discovery should be effective enough to conduct a deep scan across structured and unstructured data, and further classify the identified data under relevant elements, such as health information, personal information, sensitive information, and financial information, just to name a few. Data classification further helps system administrators map the data to relevant data subjects or owners.
The system administrator then needs to apply policy, security, and privacy-based labeling to data, classifying the data for its sensitivity level, risk posture, the purpose of processing, etc.

A comprehensive Data Discovery system takes all these parameters into account and further enables administrators to:

Effectively map structured and unstructured data to data subjects, allowing them to fulfill DSR requests.
Detects security hotspots and any misconfigurations so administrators can ensure strict access controls, data encryption, and other equivalent security measures.
Document and maintain an updated record of all the data processing activities and logs.
Comply with other security and privacy regulations required by LGDP.

How Securiti Can Help?

Securiti enables organizations to run deep data discovery scans across their petabytes-scale environments with its AI-powered PrivacyOps solution and ensure compliance with LGPD and other global data protection regulations.

Run deep data scans across on-premise, hybrid, and multi-cloud environments.
Deploy 200+ native connectors for efficient data assets discovery and catalog.
Use hundreds of built-in and dozens of out-of-the-box personal and sensitive data attributes.
Identify and label hundreds of attributes specific to regional privacy regulations, such as LGPD, GDPR, CCPA, etc.

Book a demo now for more information.