In a hyperscale, data-driven digital realm where data is processed at an unprecedented rate and sprawls across the digital landscape, navigating the complexities of data protection regulations can be a daunting task for businesses.
Brazil’s General Data Protection Law, or ‘Lei Geral de Proteção de Dados Pessoais’ (LGPD), is designed to safeguard personal data, which makes it necessary for organizations to map their data processing activities to ensure swift compliance with the law.
The LGPD is similar to the European Union’s General Data Protection Regulation (GDPR). It was approved on August 14, 2018, and later amended in July 2019 by Law No. 13.853. The LGPD came into effect on September 18, 2020; however, penalties for non-compliance started on August 01, 2021. The Brazilian Data Protection Authority, or the Autoridade Nacional de Proteção de Dados (ANPD), is a federal independent regulatory authority that interprets and enforces the LGPD and acts as the national supervisory authority.
According to Article 3 of the LGPD, the law applies to any processing operation carried out by a natural person or a legal entity of either public or private law, irrespective of the means, the country in which its headquarters is located, or the country where the data are located, provided that:
- The processing operation is carried out in the territory of Brazil;
- The processing activity is aimed at the offering or provision of goods or services, or the processing of data of individuals located on the national territory; or
- The personal data being processed was collected within the territory of Brazil.
This guide explores the critical components of LGPD data mapping, why data mapping is essential for LGPD compliance, and how organizations can optimize data mapping with Securiti’s data mapping automation.
What is LGPD?
In previous years, Brazil drafted over 40 federal data privacy regulations, with both general and sector-specific guidelines, resulting in overlapping and conflicting laws across industries. These sectoral laws only offered limited protections and posed significant compliance challenges for multi-sector organizations.
To address these issues, Brazil enacted the LGPD to establish a comprehensive and unified regulatory framework for data privacy, regulating the collection, storage, and processing of personal data. The LGPD grants individuals data subject rights, imposes strict obligations for lawful data processing, mandates breach notifications to authorities and impacted individuals, establishes the ANPD, regulates cross-border data transfers, defines consent collection guidelines, and imposes noncompliance penalties.
Additionally, the LGPD outlines ten core principles (purpose, adequacy, necessity, free access, data quality, transparency, security, prevention, non-discrimination, and accountability) that covered organizations must include in their data collection and processing activities.
Why is Data Mapping Essential for LGPD Compliance?
Although the LGPD does not explicitly define data mapping in its text, the principles and requirements specified in the law indicate that data mapping is a best practice for ensuring compliance with the LGPD and other evolving regulations.
LGPD data mapping is the process of identifying, cataloging, and documenting the flow of personal data within an organization. This involves creating a detailed record of where personal data is collected and how it is stored, processed, and shared both internally and externally. Key aspects of the LGPD that relate to data mapping include:
Transparency and Accountability
Data mapping provides transparency into data processing activities by establishing an in-depth understanding of an organization's data flows and processing activities.
LGPD’s Article 6 emphasizes transparency regarding how personal data is obtained, processed, and shared internally or with third parties. Data mapping facilitates this transparency by providing a comprehensive picture of how data flows around the organization, giving clear visibility of where data is being obtained, how it is being processed, and whom it is being shared with.
Article 6(10) of the LGPD introduces the principle of accountability, requiring data controllers to adopt effective measures and demonstrate compliance with personal data protection rules. Data mapping functions as a robust tool to document and demonstrate compliance efforts.
Consent
The LGPD defines consent as a free, informed, and unambiguous declaration that the data subject agrees to the processing of personal data for a given purpose.
LGPD’s Article 7 states that personal data should only be processed with the data subject’s consent. By identifying all sources and locations where personal data is obtained, data mapping helps ensure that consent is obtained at the correct stages and that the consent provided by data subjects for particular processing activities is tracked and recorded.
Sensitive Personal Data
LGPD defines sensitive personal data as any personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical or political nature, data relating to health or sexual life, genetic or biometric data when linked to a natural person. Organizations need data mapping to identify sensitive personal data to comply with LGPD’s requirements and apply relevant security measures to safeguard sensitive personal data.
Risk Management
Articles 46-49 state that organizations engaged in processing activities must implement security, technical, and administrative measures to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or any type of improper or unlawful processing.
Data mapping assists risk management by identifying vulnerabilities in data processing activities and highlighting areas where personal data might be at risk. This enables organizations to implement targeted security measures to mitigate identified and evolving risks. Additionally, a robust data mapping tool is capable of automating risk assessments, providing real-time insights into risks related to data and processing activities.
Data Minimization and Storage Limitation
LGPD requires organizations to limit their collection of personal data and not retain data for longer than necessary. By utilizing data mapping, organizations can ensure compliance with these principles and gain a better understanding of their data.
Purpose Limitation
When collecting personal data, organizations must notify individuals of the intended use and obtain their explicit consent before using it for any other reason. By utilizing data mapping, organizations can align data processing activities with disclosed purposes.
Data Subject Rights
Articles 17-22 outline several data subject rights, such as:
- the right to be informed;
- the right to access;
- the right to correct inaccurate, incomplete, or out-of-date data;
- the right to block, anonymize, or delete excessive or unnecessary data or data that is not being processed in compliance with LGPD;
- the right to the portability of data to another service by an express request;
- the right to deletion of personal data which is processed with the consent of the data subject;
- the right to information about private and public entities with which the data is shared;
- the right to be informed about the possibility of denying consent and the consequences of such denial; and
- the right to revoke consent.
Data mapping helps efficiently identify and retrieve the required data to honor data subject requests (DSRs).
Records of Processing Activities
Article 37 of the LGPD requires data controllers and processors to keep records of personal data processing activities, especially when based on legitimate interest. This documentation helps demonstrate compliance with the law and can be efficiently achieved through data mapping.
Automated Decision-Making and Profiling
Article 20 of the LGPD establishes that data subjects are entitled to request a review of decisions made solely on the basis of automated processing of personal data. Data mapping streamlines identifying where automated decision-making systems are used and what information they process.
Regulatory Reporting and Audits
When a regulatory agency initiates an audit or inquiry, a comprehensive data mapping activity simplifies providing precise data about a business's data processing activities. Onboarding a robust data mapping tool speeds up the audit process and shows a commitment to compliance.
Breach Response
Data mapping assists in swiftly identifying impacted individuals and impacted data (personal and sensitive personal data) in the event that an organization is the target of malicious actors and experiences a data breach. This enables organizations to promptly respond to the data breach in accordance with LGPD’s requirements.
Steps to Effective Data Mapping for LGPD Compliance
Identify and Classify Data
The first step in the process requires organizations to identify the personal data they have and where it is stored (on-premise, in the cloud, or hybrid systems). Once the data and its location are identified, the classification and categorization process can begin. This covers a variety of personal data, including:
- contact details like names, addresses, phone numbers, and email addresses;
- identifiers like passport, social security, and driver's license numbers;
- commercial data like records of purchases and personal property;
- biometric data like voiceprints, fingerprints, and facial recognition;
- internet activity like search history, browsing history, and interactions with websites or apps;
- geolocation data tracking actual locations or movements; and
- professional data like job titles, employers, and work history.
Map Data Sources and Collection Methods
Organizations must identify data sources and internal systems that collect data, such as websites, mobile apps, and customer service interactions. This also applies to cookies, transaction data, online forms, and consumer surveys.
Document Data Use and Processing Activities
Organizations must maintain comprehensive records of data collection, storage, processing, and sharing activities. This enhances transparency, reinforces data governance, and ensures compliance with LGPD and other data protection regulations. Documentation usually covers data sources, data types, processing objectives, data flow charts, and access controls. It also helps identify data dependencies and risks.
Identify Data-Sharing Practices
Organizations must be aware of their data-sharing policies, which include sharing information with affiliates, marketing partners, and service providers, among others. Data mapping facilitates the identification of externally shared data and the level of detail at which it is accessible to third parties.
Assess Data Security Measures
Data mapping provides transparency into an organization's data security practices and posture by enabling organizations to establish access controls that govern who can access data and under what conditions. To safeguard sensitive personal data from unauthorized access, organizations must ensure data is encrypted both in transit and at rest. Additionally, maintaining comprehensive audit trails is crucial for documenting all access and changes to personal data, leading to easier monitoring and accountability.
Optimize Your Data Mapping with Securiti
Securiti’s Data Command Center leverages contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform. Securiti data mapping automation helps organizations automate the process, which is crucial for compliance with data protection regulations such as GDPR, CPRA, LGPD, and others.
Securiti Data Mapping Automation provides organizations with comprehensive data discovery, efficient data risk monitoring, data asset cataloging, global data map visualization, automated risk assessments, privacy impact assessments, regulatory compliance assurance, real-time collaboration with stakeholders, and more.
The process starts by collecting data on assets and processes, either through importing from current databases or using a user-friendly portal. Users can begin privacy impact assessments and create processing activity records through a central data catalog to comply with privacy regulations. Visual data maps show cross-border transfers, significant flows, and risks, updating dynamically as data mapping automation detects changes in data types, volumes, subject residency, and access rights.
This automation maintains up-to-date risk assessments and links personal data across multiple data stores to create detailed people data graphs. Securiti’s AI-driven PrivacyOps tool automates DSR fulfillment and privacy compliance tasks, easing the shift from manual procedures, minimizing cost, and reducing risks.
Request a demo to witness Securiti in action.