
Thales Blog

Key steps on the road to LGPD compliance

February 18, 2021

Ludmila Rinaudo | Product Management

Brazil, the largest country in both South America and Latin America, has enacted a general data privacy law that brings new obligations, and new business opportunities, especially for organizations operating internationally.

Brazil’s Lei Geral de Proteção de Dados (LGPD) came into effect on September 18th last year; its administrative sanctions become applicable on August 1st this year. The LGPD creates a legal framework for the use of personal data of individuals in Brazil, regardless of where the processing agent is located. It is closely modelled after the European Union's General Data Protection Regulation (GDPR) and, like GDPR, has far-reaching consequences for data processing activities in and outside of Brazil. An organization found to be non-compliant faces fines of up to two percent of its revenue in Brazil for the prior fiscal year, capped at 50 million reals (approximately $9 million USD) per infraction. Additionally, controllers must report security incidents that may cause risk or relevant damage to data subjects to the national data protection authority (ANPD) and to the affected individuals (Article 48).

Based on Article 1, LGPD “governs the processing of personal data, including by digital means, by a natural person or a legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy, and the free development of the personality of the natural person”. According to Article 3, any organization, irrespective of where it is located, that processes data in Brazil, offers goods or services to individuals in Brazil, or processes data collected in Brazil needs to comply with LGPD. This means that it is not just Brazilian citizens whose personal information is protected, but any individual whose data has been collected or processed while inside Brazil.

What is the essence of the LGPD?

The LGPD requires processing agents (controllers and processors) to adopt measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or disclosure (Article 46). As with any data privacy regulation, any organization subject to LGPD should focus on four key steps:

  • Visibility: you can't analyze what you can't see. Visibility across the organization provides the accurate data it needs to make informed decisions. Access to data and visibility provides insights into the locations and types of data held by an organization (Article 50)
  • Analysis: identifies the risk of exposure to guide an effective data protection strategy (Article 50)
  • Protection: establishes and applies technical security policies to address any vulnerabilities in how personal data is currently being managed (Article 46). Articles 12 and 13 also place anonymized data outside the definition of personal data and define pseudonymization as separating the information needed for re-identification from the data itself
  • Reporting: demonstrates compliance and facilitates the administrative procedures required by LGPD (Article 50)

The following graphic highlights key considerations for each step, and includes two important actions for organizations to be compliant:

[Graphic: key considerations for each of the four steps; not reproduced here]

Turning Compliance into Organizational Advantage

Increased Data Awareness

As per Article 38, every organization needs a clear understanding of its data and a formal process to manage it: where it is located, what type of data is held and what protection is applied to it. It is advantageous to automate this process, covering all data stores in scope (local, network, database, big data and cloud) and both structured and unstructured data types. The end result is that you know exactly where your sensitive data resides and what you need to protect in order to be compliant.

Reduced Risk of Exposure

According to Article 46, organizations shall apply appropriate security techniques (such as encryption, tokenization and access control) to protect data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or disclosure. Article 12 provides that anonymized data is not considered personal data unless the anonymization can be reversed with reasonable effort, and Article 13 defines pseudonymization as processing after which data “can no longer be associated with an individual, except by using additional information kept separately by the controller in a controlled and secure environment” (for example, keeping the storage and management of keys separate from the storage and management of the data they protect). Pseudonymized data can still be re-associated with a person by whoever holds that additional information, so it remains in scope of the law; the separation is what limits the exposure if the data store itself is breached.
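As an added illustration of the two steps above (data discovery in structured and unstructured stores, then protection by pseudonymization with separately held key material), the following Python sketch finds Brazilian CPF numbers in a set of constructed customer records, validates them with the public CPF check-digit rule so that look-alike numbers are not flagged, and replaces each one with an HMAC-SHA256 pseudonym. The key and the pseudonym-to-CPF vault are the “additional information kept separately” of Article 13 and never travel with the protected records. This is example code written for this post, not Thales or LGPD reference code; the records, the key and the helper names are made up.

```python
"""Constructed end-to-end sketch: discover Brazilian CPF numbers in structured
and unstructured records, then pseudonymize them with a key that is stored
and managed separately from the data.

Added illustration, not Thales or LGPD reference code. The CPF check-digit
rule is the public one; the records, key and function names are made up.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# A CPF is 11 digits, usually written 000.000.000-00; allow a bare run too.
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")


def _only_digits(value: str) -> str:
    return re.sub(r"\D", "", value)


def cpf_check_digits(nine: str) -> str:
    """Compute the two CPF check digits (weights 10..2, then 11..2, mod 11)."""
    def digit(body: str, first_weight: int) -> str:
        total = sum(int(d) * w for d, w in zip(body, range(first_weight, 1, -1)))
        remainder = total % 11
        return "0" if remainder < 2 else str(11 - remainder)

    v1 = digit(nine, 10)
    v2 = digit(nine + v1, 11)
    return v1 + v2


def is_valid_cpf(candidate: str) -> bool:
    """Checksum-validate a candidate so discovery does not flag every 11-digit number."""
    digits = _only_digits(candidate)
    if len(digits) != 11 or len(set(digits)) == 1:
        return False  # wrong length, or repeated digits such as 111.111.111-11
    return cpf_check_digits(digits[:9]) == digits[9:]


def discover_cpfs(text: str) -> list[str]:
    """Discovery step: every checksum-valid CPF found in free text."""
    return [m.group(0) for m in CPF_RE.finditer(text) if is_valid_cpf(m.group(0))]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256 over the normalized digits).

    The same CPF maps to the same token across data sets, so joins still work,
    but the token cannot be reversed or recomputed without `key`.
    """
    return hmac.new(key, _only_digits(value).encode(), hashlib.sha256).hexdigest()


def protect_record(record: dict, key: bytes, vault: dict) -> dict:
    """Protection step: replace each valid CPF in a record with its pseudonym.

    `vault` collects pseudonym -> original CPF. It is the 'additional information
    kept separately by the controller' from Article 13: store it with the key,
    under its own access control, never alongside the protected records.
    """
    def swap(match: re.Match) -> str:
        found = match.group(0)
        if not is_valid_cpf(found):
            return found  # e.g. a ticket number that merely looks like a CPF
        token = pseudonymize(found, key)
        vault[token] = _only_digits(found)
        return token

    return {
        field: CPF_RE.sub(swap, value) if isinstance(value, str) else value
        for field, value in record.items()
    }


# Constructed sample records: a structured CPF column plus a free-text note.
RECORDS = [
    {"id": 1, "cpf": "529.982.247-25", "note": "asked about invoice"},
    {"id": 2, "cpf": "123.456.789-09", "note": "duplicate of 12345678909, merged"},
    {"id": 3, "cpf": "111.111.111-11", "note": "ticket 000.000.000-00 is not a CPF"},
]


def run_demo(key: bytes | None = None) -> tuple[list[dict], dict]:
    """Pseudonymize RECORDS; returns (protected records, separately held vault)."""
    key = key or secrets.token_bytes(32)  # lives in the key manager, not with RECORDS
    vault: dict = {}
    protected = [protect_record(r, key, vault) for r in RECORDS]
    return protected, vault


if __name__ == "__main__":
    protected, vault = run_demo()
    for row in protected:
        print(row)
    print(f"{len(vault)} pseudonyms re-identifiable only with the key and vault")
```

Two details carry the Article 13 point. First, the pseudonym is keyed rather than a plain hash: a plain SHA-256 of an 11-digit CPF can be reversed by enumerating all valid CPFs, whereas HMAC cannot be recomputed without the key. Second, record 2 shows why a deterministic pseudonym is still useful: the CPF in the structured column and the same number buried in the free-text note receive the same token, so the data set can still be joined and deduplicated after protection, while record 3 shows the checksum preventing look-alike numbers from being rewritten.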

Based on Article 9, individuals have the right to know how their personal data is being processed and with whom it is shared. Honouring that right is a major challenge for organizations because of the volume of data they hold and the difficulty of choosing the best approach to protecting it. This is why a comprehensive data security solution is essential: it helps protect all sensitive data, wherever it is located, and so reduces the risk of a data breach.

How to Fast Track LGPD Compliance

Thales CipherTrust Data Discovery and Classification supports organizations by automating data discovery across any storage (local, network, database, big data and cloud) for structured as well as unstructured data. It provides built-in templates for LGPD and other relevant privacy regulations to facilitate compliance.

The solution provides organizations with an understanding of their data by discovering, classifying and ranking sensitive data and prioritizing the appropriate remediation actions to close compliance gaps and reduce the risk of exposure.

Thales CipherTrust Data Security Platform

CipherTrust Data Discovery and Classification is part of the CipherTrust Data Security Platform. In addition to unifying data discovery, classification and data protection, the CipherTrust Platform also provides unprecedented granular access controls, all with centralized key management. This simplifies data security operations, accelerates time to compliance and reduces risk across your business.

Below is how Thales can facilitate your LGPD compliance.

[Graphic: how Thales products map to the LGPD compliance steps; not reproduced here]

Thales’s data discovery and classification can help you get a clear understanding of data and risks and take actions to close the gaps from a single pane of glass.