Thales can help organizations comply with Brazil’s LGPD and avoid fines and breach notifications through best practice data security, including:
Summary
Brazil’s General Data Protection Law (LGPD) was passed August 14, 2018, and goes into effect in 2020.
According to Article 1 of the law itself:
This Law provides for the processing of personal data, including by digital means, by a natural person or a legal entity of public or private law, with the purpose of protecting the fundamental rights of freedom and privacy and the free development of the personality of the natural person.
Wherever you operate and whatever the regulation, you can rely on Thales to help manage your risk. Thales can help your organization comply with many of the requirements of LGPD.
Best Practices
Brazil’s General Data Protection Law (LGPD) requires best practice in data security for personal data and notes that personal data that has been anonymized is no longer considered to be within the scope of the law, if it cannot easily be returned to its original state by those who might obtain it.
Best practice for data security always includes:
Thales has years of experience helping organizations implement these best practices, which will be necessary to comply with LGPD.
Encryption and Tokenization
Encryption of Data at Rest: Vormetric Transparent Encryption
Thales’s Vormetric Transparent Encryption solution protects data with file and volume level data-at-rest encryption, access controls, and data access audit logging without re-engineering applications, databases or infrastructure. Deployment of the transparent file encryption software is simple, scalable and fast, with agents installed above the file system on servers or virtual machines to enforce data security and compliance policies. Policy and encryption key management are provided by the Vormetric Data Security Manager.
Vormetric Tokenization with Dynamic Masking
Vormetric Vaultless Tokenization with Dynamic Data Masking dramatically reduces the cost and effort required to comply with security policies and regulatory mandates, such as LGPD. The solution delivers capabilities for database tokenization and dynamic display security. Enterprises can efficiently address their objectives for securing and pseudonymizing sensitive assets—whether they reside in data center, big data, container or cloud environments.
Vormetric Application Encryption
Vormetric Application Encryption delivers key management, signing, and encryption services enabling comprehensive protection of files, database fields, big data selections, or data in platform-as-a-service (PaaS) environments. The solution is FIPS 140-2 Level 1 certified, based on the PKCS#11 standard and fully documented with a range of practical, use-case-based extensions to the standard. Vormetric Application Encryption eliminates the time, complexity, and risk of developing and implementing an in-house encryption and key management solution, with development options including a comprehensive, traditional software development kit for a wide range of languages and operating systems as well as a collection of RESTful APIs for the broadest platform support.
Encryption Key Management: Vormetric Integrated Key Management
Thales’s Vormetric Integrated Key Management unifies and centralizes encryption key management on premises and provides secure key management for data storage solutions. Cloud Key Management products include the CipherTrust Cloud Key Manager for centralized multi-cloud key life cycle visibility and management with FIPS 140-2 secure key storage, and Cloud Bring Your Own Key.
User Access Control: Vormetric Data Security Manager
Thales’s Vormetric Data Security Manager enables the organization to limit user access privileges to information systems that contain sensitive information.
Database Access Logging: Security Intelligence Logs
The Vormetric Platform’s Security Intelligence Logs let your organization identify unauthorized access attempts and build baselines of authorized user access patterns. Vormetric Security Intelligence integrates with leading security information and event management (SIEM) systems that make this information actionable. The solution allows immediate, automated escalation of and response to unauthorized access attempts, and provides the data needed to build the behavioral baselines required to identify suspicious use by authorized users, as well as to identify training opportunities.