14 tips for your company to comply with LGPD


As I already wrote in another article here on the blog, the General Personal Data Protection Law (LGPD – Law nº 13,709) was sanctioned on August 14, 2018 and was due to come into force in August 2020; however, the deadline was postponed to January 1, 2021 due to the pandemic. This regulation establishes a series of rules that all companies and organizations operating in Brazil must follow so that citizens have more control over their personal data, ensuring transparency in every use of an individual's data.

In this article you will find some tips to help you comply with several points of the LGPD. But I warn you in advance that there is no “Swiss Army knife” tool or software that will solve everything. Complying with this law takes not just tools but the implementation of many processes.

Study the LGPD

Before listing the tips, it is important to define a team that is responsible for analyzing internal procedures regarding data collection and the flow of this information within the company involving third parties. Therefore, it is essential that these people study the Law in depth so that they can understand all the principles and hypotheses to which it applies.

Here is some content to get you started and delve deeper into the subject:

Let's get to the tips

Now enough messing around. Below I list some tips that will help your company comply with the LGPD.

Tip 1: Consent Form for Processing Personal Data

It is recommended to define a process for obtaining the data subject's consent, to be used by the company, that is clear, distinct and not grouped with other agreements or statements, and that is active (given by the data subject, without the use of pre-ticked boxes). Consent must be documented, in writing or by another means that demonstrates the data subject's expression of will. If existing consent was not obtained in accordance with the LGPD, it is recommended that consent be renewed before the GDPR comes into force, if another legal basis cannot be used.

We have created a document template that you can download and adapt to your needs in order to obtain the consent of employees and users for the use of their data by the company. Download the Document Template for the Consent Form for the Processing of Personal Data.

Tip 2: Managing Data Subject Rights

Implement a privacy portal (front-end) with a Data Subject Rights Management solution focused on the company's customers, in a timely manner (15 days for LGPD). This portal will manage the entire request workflow and must contain the following functionalities:

  • A request submission form, which can be presented in the company's various digital products;
  • Validation of the identity of data subjects;
  • Control of the deadlines, activities and costs of each request;
  • Identification of personal data within the company in order to carry out the disclosure to the data subject, correction, deletion or portability of personal data.
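The request workflow described above, as an added example that is not part of the original post: a minimal tracker that refuses to start locating or releasing personal data until the requester's identity has been validated, and flags open requests past the 15-day LGPD deadline. The data model, function names and sample dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LGPD_RESPONSE_DAYS = 15   # response deadline quoted in the tip
REQUEST_KINDS = {"disclosure", "correction", "deletion", "portability"}

@dataclass
class SubjectRequest:          # assumed model of one request in the portal
    request_id: str
    kind: str
    received_on: date
    identity_validated: bool = False
    status: str = "received"   # received -> in_progress -> closed

    def due_on(self) -> date:
        return self.received_on + timedelta(days=LGPD_RESPONSE_DAYS)

def open_request(request_id: str, kind: str, received_on: date) -> SubjectRequest:
    if kind not in REQUEST_KINDS:
        raise ValueError(f"unsupported request kind: {kind}")
    return SubjectRequest(request_id, kind, received_on)

def confirm_identity(req: SubjectRequest, proof_matches: bool) -> bool:
    """Record the outcome of the identity check; the request cannot advance until it passes."""
    req.identity_validated = proof_matches
    return proof_matches

def start_processing(req: SubjectRequest) -> None:
    """Gate: no personal data is located or released for an unverified requester."""
    if not req.identity_validated:
        raise PermissionError(f"{req.request_id}: identity not validated")
    req.status = "in_progress"

def overdue(requests, today: date) -> list:
    """Ids of open requests past the deadline, for the deadline-control dashboard."""
    return [r.request_id for r in requests if r.status != "closed" and today > r.due_on()]

def run_example():
    """Constructed walk-through: one verified request on time, one unverified and overdue."""
    r1 = open_request("R-1", "deletion", date(2024, 3, 1))
    confirm_identity(r1, True)
    start_processing(r1)
    r2 = open_request("R-2", "portability", date(2024, 2, 1))
    try:
        start_processing(r2)
        blocked = False
    except PermissionError:
        blocked = True
    return blocked, overdue([r1, r2], date(2024, 3, 10))
```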

Tip 3: Develop a Data Retention and Disposal Policy

This policy must include the principles of appropriate retention and disposal of personal data, observing the legal requirements of the LGPD. Additionally, the policy must contain:

  • An updated temporality table for storing information taking into account the personal data collected;
  • Appropriate disposal procedures for assets (papers, computers, removable media) that contain personal data;
  • Process of deleting or anonymizing data when it is no longer necessary for the company, observing the need to store data to meet legal obligations;
  • Backup process of personal data stored in systems;
  • Pseudonymization process for sensitive data at rest.

Incorporate the principles of data minimization into the company culture, so that the company collects only strictly necessary information, for only as long as necessary.
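An added example, not code from the original post, of how the retention, deletion/anonymization and pseudonymization-at-rest items above fit together: a temporality table drives a per-record decision (keep while the purpose lasts, pseudonymize identifiers while only a legal retention obligation remains, delete once neither applies), and pseudonymization uses a keyed HMAC so the mapping cannot be reversed without a key held outside the data store. The table values, record layout and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
import hashlib, hmac

# Constructed temporality table: category -> (days needed for the purpose, days a legal
# obligation forces the company to keep the record). Assumed values, not legal advice.
RETENTION_TABLE = {"marketing_lead": (365, 0), "customer_invoice": (90, 5 * 365)}

@dataclass
class Record:
    category: str
    collected_on: date
    cpf: str    # direct identifier (Brazilian taxpayer number); sample values are constructed
    email: str

def decide(record: Record, today: date) -> str:
    """'retain' while the purpose lasts, 'pseudonymize' while only a legal hold remains, else 'delete'."""
    business_days, legal_days = RETENTION_TABLE[record.category]
    age = (today - record.collected_on).days
    if age < business_days:
        return "retain"
    if age < legal_days:
        return "pseudonymize"
    return "delete"

def pseudonymize(record: Record, key: bytes) -> Record:
    """Replace direct identifiers with keyed tokens; the key lives outside the data store."""
    def token(value: str) -> str:
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
    return Record(record.category, record.collected_on, token(record.cpf), token(record.email))

def apply_policy(records, today: date, key: bytes):
    """Return the records that survive the run plus the action taken for each input."""
    kept, actions = [], []
    for r in records:
        action = decide(r, today)
        actions.append(action)
        if action == "retain":
            kept.append(r)
        elif action == "pseudonymize":
            kept.append(pseudonymize(r, key))   # 'delete' records are not carried forward
    return kept, actions

SAMPLE_RECORDS = [  # constructed sample data
    Record("marketing_lead", date(2023, 10, 1), "123.456.789-09", "lead@example.com"),
    Record("marketing_lead", date(2022, 1, 1), "987.654.321-00", "old@example.com"),
    Record("customer_invoice", date(2023, 1, 1), "111.222.333-44", "buyer@example.com"),
]
def run_example():
    return apply_policy(SAMPLE_RECORDS, date(2024, 1, 1), b"key-kept-in-a-secrets-manager")
```

Because the token is deterministic for a given key, pseudonymized invoice rows stay joinable to each other while the original CPF and e-mail are no longer present in the store.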

Tip 4: Registration of Personal Data Processing Operations

The LGPD requires the preparation and maintenance of a Register of Personal Data Processing Operations, which must include:

  • The names and contact details of the Controller/Operator and, when applicable, of any person responsible for joint processing, representatives of the entities and the DPO (Data Protection Officer);
  • The purpose of data processing;
  • The description of the categories of data subjects and categories of personal data;
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients established in third countries or international organizations;
  • The deadlines for deleting different categories of data;
  • The legal bases stipulated for data processing.

Tip 5: Process for Data Protection Impact Analysis (DPIA)

Implement/acquire a solution to carry out DPIA in a systemic and centralized manner. This solution must have the following functionalities:

  • Company privacy projects consolidated into a central dashboard for managing data protection activities;
  • Classification of projects regarding the involvement of personal data and risk criteria (if there is profiling, sensitive data, large volume of data processed, etc.);
  • Management of the DPIA workflow, from the selection of the data flow using the established criteria to final approval by the person in charge;
  • Guidance and template for completing the DPIA made available centrally for the entire company;
  • Analysis of the risks and gaps in personal data flows;
  • Record of data protection activities carried out throughout the project for compliance purposes.

Tip 6: Implement a DPO governance model

Implement a DPO (Data Protection Officer) governance model, defining roles and responsibilities to meet regulatory expectations in accordance with the changes brought about by the LGPD.

Within the DPO routine, we understand that there will be tasks such as (i) carrying out periodic third-party due diligence; (ii) maintaining and updating the ROPA (Record of Processing Activities, see Tip 4); (iii) preparing and maintaining DPIAs when necessary; (iv) carrying out periodic internal audits to assess the level of compliance; (v) running periodic LGPD training for employees and collaborators; (vi) routinely monitoring case law, ANPD consultations, new certifications, good market practices, etc.

Tip 7: Hire an external advisor

It is recommended to hire an external advisor to assist you in analyzing the company's current compliance with the LGPD, indicating points for improvement and legal requirements, as well as defining an action plan to implement the necessary actions so that the company complies with LGPD.

Tip 8: Privacy training to educate employees

Develop a training program on privacy and data protection to educate employees about the importance of privacy and protection of personal data, enabling them to carry out data processing appropriately, mitigating the risks of a data breach occurring.

This program can have two phases, depending on your approach. The first phase is common to all employees and will address what privacy and data protection laws are, their principles, the risks of not complying with them, what personal and sensitive data are, legal bases, what counts as data processing, how to classify data before storing it, how to dispose of it correctly, what ROPA and DPIA are, the role and importance of the data protection officer (DPO), and how to report a data breach in the company. Phase one could be online, made available to employees on the intranet. In the second phase of the program, training must be targeted at each business area, according to the nature of the relationship it has with data subjects (customer relationships, finance, HR, etc.). This phase will address in more depth the application of legal bases according to the types of processing that the area carries out and will present specific cases according to the area's operations (for example, profiling for marketing). Phase two can be in person for the employees of each area.

Training must be periodically updated in accordance with the company's internal policy or when there are significant changes in privacy laws.

Implement pass/fail metrics to measure training application and level of learning, both individually by employee and by business area.

Tip 9: Identity and Access Management

Implement a set of Identity and Access Management solutions to provide governance and administration of identities and their respective access rights to personal and sensitive data stored in the company's assets.

It is recommended that the entire lifecycle of users and their access to personal and sensitive data be managed through workflows, to mitigate the risk of personal and sensitive data being accessed by unauthorized people, which would constitute a data breach under the LGPD.

Tip 10: Incident Management

Structure, define and formalize an Incident Management process, aiming to include response plans for incidents related to the topic of data privacy. This plan must contain procedures and guidelines that guide the areas involved in identifying, monitoring, remediating and reporting data breach incidents, as well as addressing the categorization of a data breach incident and its recording in the tools. The breach incident management process must be regularly tested and validated to assess its ability to meet relevant privacy requirements.

It is recommended that a formal communication process be defined with data protection authorities and data subjects. This communication must involve the company's Data Officer (DPO) and must be carried out within the deadlines established by the LGPD.

Additionally, a data breach notification process must be established that contains:

  • The identity and contact details of the data controller and other relevant parties within the company;
  • Description of the possible consequences (risks) of the data breach;
  • Description of the nature of the violation, stating which data subjects were affected and how many;
  • Technical and organizational measures applied to mitigate the consequences of this violation.

Tip 11: Review old contracts

We recommend reviewing old contracts and including protective clauses related to data protection and compliance with the LGPD, as well as adjusting existing standard contracts to include clauses in this regard, including the possibility of auditing. Depending on the case, it may be possible to indicate how data processing will be carried out and the minimum security measures to be respected.

Conduct compliance assessments with new and existing third parties/suppliers (at each contract renewal) to check whether they comply with the LGPD.

Tip 12: Internal and external privacy policy

There is no legal definition of the types of internal and external privacy policies that a company must have. In any case, we suggest that the company develop and maintain the privacy policies below based on best market practices and aiming for greater compliance with the personal data protection framework.

Regarding external policies, as a rule, companies have:

  • Privacy Policy
  • Cookies Policy

Regarding internal policies, companies typically have:

  • Privacy and Data Protection Policy
  • Data Retention and Destruction Policy
  • Data Management Policy on Mobile Devices
  • Data Security Policy

Tip 13: Define a process to monitor LGPD regulatory changes

This process will help the company to stay up to date with the laws in question, providing support for decision making.

Furthermore, it is recommended that a process be defined to update policies, regulations, training, procedures, processes and other operations, in order to reflect regulatory changes when they occur.

Tip 14: Implement a solution to increase information security

There is no point in implementing several information collection processes if they are unprotected or the employees' equipment (computers, cell phones, etc.) do not have tools such as Antivirus and Internet access manager.

Therefore, it is extremely important that the company has solutions that increase the security layer of devices and the network. Here are some suggestions:

  • Antivirus:
    • Kaspersky Anti-Virus : has been in the top 3 of the world's best antivirus lists for some time now. It offers advanced scanning and cleaning features, as well as being able to undo actions carried out by malware, which is why it is at the top of this list;
    • Bitdefender Antivirus Plus : offers complete protection for anyone who wants to get rid of malware. It has recovery tools for persistent viruses, password management and even increases the security of your browser so you can carry out financial transactions;
    • F-Secure Anti-Virus : One of the most striking features of F-Secure Anti-Virus is the speed of its quick scan mode — and this agility can be even greater when you redo the process. This ensures practicality and speed when it comes to keeping your computer safe. Furthermore, it has special features to combat the action of malware, blocking and monitoring the action of suspicious files.
  • Internet access manager:
    • Solutions that require greater investment, suitable for large companies
    • More affordable solution, suitable for small and medium-sized companies
      • Lumiun : Lumiun is a cloud-based service that protects your company from internet threats, making your network safer and your team more productive. Lumiun works differently, as its main objective is to be a solution that is easy to implement and manage. Low productivity and lack of security are currently among the biggest problems for companies, and it is in this segment that Lumiun operates, in a form simplified for small and medium-sized companies.


To choose the best option to increase information security, it is important to clearly define your company's needs and compare the costs, characteristics and benefits of each of the existing solutions.

Did you like this article? Then share it with your co-workers so that together they can make the company compliant with the LGPD.

Do you have any doubt? Write here in the comments and I will be happy to answer you.
