Published on November 16, 2020. Author: Marcelo Crespo
For some years now we have seen legislative moves around the world with regard to the protection of personal data. Since Regulation 2016/679 (known as the GDPR) came into force on May 25, 2018, the discussions and innovations on the topic have intensified. This was the case in Germany (Federal Data Protection Act 2017 - Bundesdatenschutzgesetz - BDSG) and France (Data Protection Act nº 2018-493 of June 2018) and, of course, in Brazil, whose LGPD, Law 13.709/18, was in some way inspired by the GDPR.
At this point it is essential to note that these laws do not concern only incidents involving personal data breaches. Obviously, the topic of personal data breach incidents is very important. There should be a consensus that every organization will, at some point, be the victim of a data incident; although we have said this for years in classes, lectures and congresses, we often realize that this reality still seems to be ignored by many.
Unfortunately, we have no data from which to list the reasons why this happens, but it is clear that information security is closely related to the protection of personal data and should be viewed with great attention by organizations.
Regarding the LGPD specifically, we can say with certainty that it is not a law whose scope is information security, since its main concern is broader: the privacy of data subjects. It is not, therefore, a law that deals with information security, except in a tangential way.
Let us look briefly at the structure of the law:
In Chapter I, the LGPD says in art. 6, VII, that personal data processing activities must observe good faith and the principle of security, defining it as the use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. There is, however, no breakdown of what would be acceptable in terms of technical measures for the protection of personal data.
Further on, in Chapter II, art. 12, §3º, where the LGPD deals with anonymization, there is mention that the national authority may provide for standards and techniques and carry out checks on its security, after hearing the National Council for the Protection of Personal Data.
With regard to international transfers, in Chapter V, precisely in art. 34, the LGPD determines that the data protection level of the foreign country or international body will be assessed by the national authority, which will take into account the adoption of security measures provided for in regulations (although there is no clear indication of which regulation it refers to).
In Chapter VI, art. 38, the LGPD determines that the national data protection authority may require the personal data controller to prepare a personal data protection impact report, and its sole paragraph states that the report may require a demonstration of the methodology used for the collection and for guaranteeing the security of the information, as well as the controller's analysis of the measures, safeguards and risk mitigation mechanisms adopted. Art. 40 provides that the national authority may lay down security standards, among others.
In art. 44 we also find a mention of security where it determines that the processing of personal data will be irregular when it fails to observe the legislation or when it does not provide the security that the data subject can expect, considering (I) the way in which it is performed, (II) its result and the risks reasonably expected of it, and (III) the data processing techniques available at the time it was performed.
It is in Chapter VII, however, that the LGPD focuses most on information security: art. 46 establishes that processing agents must adopt security, technical and administrative measures capable of protecting personal data, and art. 47 goes on to determine that processing agents, or any other person who intervenes in one of the phases of processing, are obliged to guarantee the security of the information as provided for by law.
Art. 48 is the main provision that mentions personal data breaches. It determines that the controller must notify the national data protection authority and the data subject of the occurrence of a security incident that may cause risk or damage to the subject, but it does not impose a specific deadline for this, stating only that it must be done within a reasonable period. It does, however, establish the minimum content of the communication: a description of the nature of the data affected, information on the data subjects involved, an indication of the technical and security measures used to protect the data (subject to commercial and industrial secrets), the risks related to the incident, the reasons for the delay where the communication was not immediate, and the measures that were or will be adopted to reverse or mitigate the effects of the damage.
Paragraph 2 provides that the national authority will verify the severity of the incident and may order the controller to make extensive disclosure in the media and to take measures to reverse or mitigate the incident.
In turn, Paragraph 3 says that the judgment of the severity of the incident must take into account evidence that adequate technical measures were taken, within the scope and technical limits of the controller's services, to make the affected personal data unintelligible to unauthorized third parties who gain access to them.
It should be noted, however, that the rules dealing with breach incidents are not specific in terms of processes or tools, let alone penetration tests or DLP. Art. 49 confirms this, insofar as it says that the systems used for the processing of personal data must be structured so as to meet security requirements, standards of good practice and governance, the general principles set out in the Law and other regulatory rules.
But then, how should technical issues be dealt with? In order to achieve compliance with the law more comprehensively, we suggest following the provisions of art. 50, which provides guidelines for what can be called a digital compliance or privacy compliance program. That is, follow the pillars of a privacy compliance program: secure the support of senior management, carry out risk assessments for the areas at risk, formalize rules in policies and codes of conduct, provide means of monitoring and auditing personal data flows, and ensure adequate internal communication and appropriate training. Technical risks must be assessed in the context of privacy compliance so that they are addressed together with the other risks to the protection of personal data.
Thus, we reiterate that the LGPD is not a law that deals thoroughly with information security; it is principle-based, with guidelines for better governance of personal data.