Published on November 16, 2020 by Marcelo Crespo
For some years now we have seen legislative moves around the world concerning the protection of personal data. Since Regulation 2016/679 (known as the GDPR) came into force on May 25, 2018, the discussion and innovation on the topic have intensified. So it was with Germany (Federal Data Protection Act 2017 - Bundesdatenschutzgesetz - BDSG) and France (Data Protection Act nº 2018-493, June 2018) and, of course, Brazil, whose LGPD (Law 13.709/18) was in some way inspired by the GDPR.
At this point it is essential to note that these laws do not concern only incidents involving violations of personal data. Obviously, the topic of "personal data violation incidents" is very important. There should be a consensus that every organization will, at some point, be the victim of a data incident and, although we have said this in classes, lectures, congresses and classrooms for years, we often realize that this reality still seems to be ignored by many.
Unfortunately, we have no elements with which to list the reasons why this happens, but it is clear that the topic of "information security" is closely related to the protection of personal data and should be viewed with great attention by organizations.
Regarding the LGPD specifically, we can say with certainty that it is not a law whose scope is information security, since its main concern is broader: the privacy of the subjects of personal data. It is therefore a law that deals with information security only tangentially.
Let us look briefly at the structure of the law:
Within Chapter I, the LGPD says in art. 6, VII, that personal data processing activities must observe good faith and the principle of security, defining it as the use of technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or dissemination. There is, however, no breakdown of what would be acceptable in terms of technical measures for the protection of personal data.
Further on, in Chapter II, art. 12, §3º, where the LGPD deals with anonymization, it mentions that the national authority may provide for standards and techniques and carry out checks on their security, after hearing the National Council for the Protection of Personal Data.
With regard to international transfers, in Chapter V, precisely in art. 34, the LGPD determines that the data protection level of the foreign country or international body will be assessed by the national authority, which will take into account the adoption of security measures provided for in regulations (although it is not clear which regulation is meant).
In Chapter VI, art. 38, the LGPD provides that the national data protection authority may require the controller to prepare a personal data protection impact report, and its sole paragraph states that the report may require a demonstration of the methodology used for the collection of the data and for guaranteeing the security of the information, as well as the controller's analysis of the measures, safeguards and risk mitigation mechanisms adopted. Art. 40 provides that the national authority may establish security standards, among others.
In art. 44, security is mentioned again: the processing of personal data is irregular when it fails to observe the legislation or when it does not provide the security that the data subject can expect, considering (I) the way in which it is performed, (II) the result and the risks reasonably expected from it, and (III) the data processing techniques available at the time it was performed.
It is in Chapter VII, however, that the LGPD focuses most on information security. Art. 46 establishes that processing agents must adopt security, technical and administrative measures capable of protecting personal data, and art. 47 goes on to determine that processing agents, or any other person who intervenes in one of the phases of processing, are obliged to guarantee the security of the information as provided for by law.
Art. 48 is the main provision that mentions violations of personal data. It determines that the controller must notify the national data protection authority and the data subject of the occurrence of a security incident that may cause risk or damage to the subject, but it does not impose a specific deadline, stating only that this must be done within a reasonable period. It does, however, establish the minimum content of the communication: a description of the nature of the data affected; information on the data subjects involved; an indication of the technical and security measures used to protect the data, subject to commercial and industrial secrecy; the risks related to the incident; the reasons for any delay, where the communication was not immediate; and the measures that were or will be adopted to reverse or mitigate the effects of the damage.
Paragraph 2 provides that the national authority will verify the severity of the incident and may order the controller to make extensive disclosure in the media and to take measures to reverse or mitigate the incident.
In turn, Paragraph 3 says that the judgment of the severity of the incident must take into account evidence that adequate technical measures were adopted to render the affected personal data unintelligible, within the scope and technical limits of the services, to unauthorized third parties who access them.
It should be noted, however, that the rules that deal with violation incidents are not specific in terms of processes or tools, let alone penetration tests or DLP. Art. 49 confirms this, insofar as it says that the systems used for the processing of personal data must be structured so as to meet security requirements, standards of good practice and governance, the general principles set out in the Law, and other regulatory rules.
But then, how should technical issues be handled? To achieve compliance with the law more comprehensively, it is suggested to follow the provisions of art. 50, which provides guidelines for what can be called a digital compliance or privacy compliance program. That is, follow the pillars of a privacy compliance program: secure the support of senior management; carry out risk assessments for the areas at risk; formalize rules in policies and codes of conduct; provide means of monitoring and auditing personal data flows; and ensure adequate internal communication and appropriate training. Technical risks must be assessed within this privacy compliance context so that they are incorporated alongside the other risks to the protection of personal data.
Thus, it bears repeating that the LGPD is not a law that deals thoroughly with information security; it is principle-based, with guidelines for better governance of personal data.