Published on August 15, 2021. Author: Privacy Research Team
The LGPD or the Lei Geral de Proteção de Dados Pessoais is a data privacy regulation that is devised to protect the privacy rights of individuals in Brazil.
This law imposes a streamlined set of obligations on organizations (public as well as private) who process personal data collected in Brazil, carry out personal data processing activities in Brazil, process personal data of individuals located in Brazil or process personal data for offering goods or services in Brazil.
The LGPD is inspired by the GDPR and has sixty-five articles which comprehensively cover all facets of data protection in Brazil. The law was passed on August 14, 2018, and went into effect on September 18, 2020. The LGPD is enforced by the ANPD, the statutory and exclusive regulator; sanctions under the LGPD have been enforceable since August 1, 2021.
Similar to the GDPR, the LGPD protects employees' data that is collected, stored or processed by an organization. A number of articles specifically state the requirements with regard to employees' personal data. Let's look at what each article states:
Article 6 discusses the employers’ obligations towards the processing of employees’ data and what they need to do in order to stay compliant. These obligations include:
Article 7 of the LGPD also defines 10 legal grounds on which organizations may process personal data. Employers must ensure that every processing activity involving employees' personal data is covered by at least one of these legal bases and complies with the obligations listed above.
Article 9 of the LGPD further explains what information employers need to provide to their employees in a clear, adequate and ostensible manner:
If employers process employees' personal data relying on the basis of consent, they must collect and document that consent correctly as per Article 8 of the LGPD. The requirements of these records are as follows:
When legitimate interest is used as the lawful basis for processing employee data, the ANPD may request that the employer conduct a DPIA. Employers and their processors must also keep records of processing activities. Under Articles 10, 37 and 38, the organization is required to conduct an internal assessment of each of its processing activities to ensure that proper security measures are in place.
Securiti incorporates AI to enable Assessment Automation (PIAs, DPIAs, Readiness Assessments, Transfer Impact Assessments) that triggers and conducts risk-based assessments. It further enables organizations to mitigate data exposures, remediate misconfigurations and discover risks within the organization.
Every privacy law puts great emphasis on the sensitive personal data of an individual. This can be seen in laws such as the GDPR and CCPA where sensitive data has requirements separate from personal data.
As per the LGPD, sensitive personal data is personal data concerning racial or ethnic origin, religious belief, political opinion, membership of a trade union or of a religious, philosophical or political organization, data concerning health or sex life, and genetic or biometric data, when related to a natural person.
Under Article 11 of the LGPD, employers may only collect and process sensitive personal data for certain limited purposes or with the specific consent of the employee. Because of these additional restrictions on sensitive personal data, employers must discover where they collect, store and process employees' personal data to ensure they are in compliance with the LGPD.
Securiti's Sensitive Data Intelligence Solution allows organizations to discover and catalog sensitive data within their data stores and implement adequate security measures to protect this data from breach.
Under Article 39 of the LGPD, the processor is bound to follow the instructions of the controller for any data processing activity and the controller must ensure its instructions are followed.
When assessing the risk associated with a third-party vendor, organizations need to consider three main points: data protection, privacy violations, and respect for consumers' data. Securiti helps organizations automate this process.
Generally, personal data of individuals can only be transferred to third-party countries by organizations if:
Data can be breached at any time, and a breach puts the individual at risk. Apart from having security measures in place, organizations also need a breach management process in place to mitigate the damage of a data breach.
The systems used for processing personal data shall be adapted in order to meet the security requirements, standards of good practices and governance, general principles provided in this Law and other regulatory rules. Under Article 48 of the LGPD and subsequent guidance by the ANPD, employers are required to inform the ANPD of any breach incident that poses a risk of harm to the affected data subjects within 2 days.
Under Articles 17 and 18, individuals have the following rights in relation to their personal data:
Article 18 of the LGPD requires organizations to promptly accept and fulfill employee data subject requests (DSRs) at no cost to the employee, within the prescribed time period and according to the terms provided in regulation.
Securiti offers the DSR Automation Solution to simplify the fulfillment of individuals' data subject requests. The solution uses automated workflows to help enterprises respond to data subject requests swiftly and to coordinate reviews and approvals between stakeholders.
Data privacy laws such as the LGPD give employees the same rights to their personal data as consumers, which means that employers are going to get scrutinized over the employee data they store.
Achieving compliance through manual methods is a struggle given the ever-growing volume of data collected by organizations. This is where Securiti comes in, with automation that offers a simple and efficient road to compliance.
See how Securiti can help your organization comply: request a demo today!