What is the LGPD?
Following the global privacy trend, Brazil has approved the new regulation about personal data protection which will come into effect in August 2020. Although Brazil already had a solid basis with legal norms at the federal level, the Brazilian General Data Protection Law (LGPD) will add a new legal framework for the use of personal information both online and offline, in the private and public sectors.
The new law applies to companies that have branches in Brazil, offer goods and services to the local market, and collect as well as process “data subject” information in the country. Organizations from a wide range of sectors such as banking, telecom, healthcare are all subject to the new law and can face severe sanctions in case of noncompliance. The LGPD allows for fines up to $12.2M USD and total prohibition of processing in certain cases.
Requirements
Right of Access:
Personal data of data subjects must be stored in a format supporting the exercise of the right of access and only provided on receipt of a “verifiable consumer request.”
How SecuPi Helps:
SecuPi can use any condition to avoid processing of application processes, including a parameter where a data subject requested not to be processed – thus preventing any access or manipulation of the subject’s data. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed. Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
Right of Deletion:
Data subjects have the right to demand that their personal information will be deleted after they withdraw consent (legal exceptions exist here). They can also demand deletion of data that is unnecessarily collected, excessive, or processed in violation of the provisions of the LGPD.
How SecuPi Helps:
On the application level, SecuPi redacts information of customers who requested to be deleted (referred to as “logical deletion” ). On the database level, SecuPi applies Format Preserving Randomization (FPR) Anonymization, ensuring that both the personal data is anonymized, as well as randomized on different databases, to prevent correlation of the same anonymized value between different data sets.
Privacy by Design and by Default:
Processors shall adopt security, technical and administrative measures to ensure the protection of personal data from unauthorised accesses and accidental or unlawful situations of destruction, loss, alteration, communication or any type of improper or unlawful processing.
How SecuPi Helps:
SecuPi protects all data deemed personal and private by the application owner, hence immediately manage access privileges, and flag anomalous behavioristic facts on data access or processing. Through full audit, Data Protection by design and by default are enabled: 1. Data protection by design example – any access to personal data is logged and can never be deleted. 2. Data protection by default example – SecuPi can be configured to block all access to personal data unless specifically granted to users.
Consent and Right to Opt Out
Consent must be provided by the data subject in writing or in some other ways that demonstrate the data holder’s will. The controller is responsible for making sure that the consent was obtained in accordance with the requirements of the LGPD. Consent must be specific to specific purposes. Consent can be withdrawn by the data subject at any time. Prior to giving consent, the data subject must be informed about the processing.
How SecuPi Helps:
SecuPi’s ability to redact, hide, mask or block individual customers from consent-driven data-flows and processes is the cornerstone of its platform consent support. It enables to redact customers in real-time according to their consent feeds. For example, a customer sales representative (CSR) will be able to access customer call history records and personal data in a CRM application only if they are authorized to do so.
Accountability and Recordkeeping:
Organizations must be accountable to demonstrate that they have adopted efficient measures ensuring compliance with the LGPD’s personal data protection requirements. As an element of the accountability principle, both the controller and the processor must maintain records of personal data processing operations that they carry out.
How SecuPi Helps:
SecuPi’s audit logs are clear and factual and can show which processor accessed which data, as well as providing full transcript of the processing activities done through the application. Since the SecuPi agent is deployed on the application server, it has access to all relevant information, including which user was used to process the information, timestamp, URI, etc. SecuPi enables to map data-flows and provides the ability to granularly audit and control it to maintain access on a “need to know basis” and use data in line with its purpose.
Breach Notification:
The LGPD stipulates that the communication of an incident must take place within a reasonable time, to be defined by the local national authority.
How SecuPi Helps:
In the unfortunate case of a breach, SecuPi’s audit logs and behavior analytics can pinpoint exactly which data was exposed and breached, and significantly shorten the reporting time, while providing accurate and accountable information. SecuPi enables companies to cease processing part or all of the data about a data subject, without specialist development or specialist configuration, on any system where SecuPi is installed Furthermore, SecuPi dramatically simplifies rollback of changes, or further tweaks to processing restrictions (e.g. preventing customer service processing, but permitting the DPO, subject rights management team, or legal team access to resolve a complaint, legal case, or subject request).
