14 tips for your company to comply with LGPD

As I have already written in another article here on the blog, the General Law on Personal Data Protection (LGPD - Law No. 13,709) was sanctioned on August 14, 2018 and was to take effect in August 2020; however, the deadline was postponed to January 1, 2021 because of the pandemic. This regulation establishes a series of rules that all companies and organizations operating in Brazil will have to follow so that citizens have more control over their personal data, ensuring transparency in the use of individual data by any means.

In this article you will find some tips that will help you comply with several LGPD requirements. Be warned beforehand, though, that there is no tool or "Swiss army knife" software that solves everything. Complying with this law requires implementing many processes in addition to any tool.

Study LGPD

Before listing the tips, it is important to define a team responsible for analyzing the internal procedures for data collection and the flow of this information through the company, including third parties. It is essential that these people study the law in depth so that they understand all of its principles and the situations to which it applies.

Here is some content to get you started and to deepen your knowledge of the subject:

Let's go to the tips

Now, enough stalling. Below are some tips that will help your business comply with the LGPD.

Tip 1: Consent term for personal data processing

It is recommended to define a process for obtaining the data subject's consent, to be used by the company, that is clear, distinct and not bundled with other agreements or statements, and that is active (given by the data subject, without the use of pre-ticked boxes). The consent must be documented, in writing or by other means that demonstrates the data subject's expression of will. If existing consent was not obtained in accordance with the LGPD, it is recommended that the consent be renewed before the LGPD enters into force, unless another legal basis can be used.

We created a document template that you can download, adapt to your needs and use to obtain the consent of employees and users for the company's use of their data. Download the template for the consent form for personal data processing now.

Tip 2: Data Holder Rights Management

Implement a Privacy Portal (front end) with a data subject request management solution focused on the company's clients, handling requests within the statutory deadline (15 days under the LGPD). This portal will manage the entire workflow of the request and should contain the following features:

  • A request form, which can be presented in the company's various digital products;
  • Validation of the identity of the data subject;
  • Control of deadlines, activities and costs of the request;
  • Identification of personal data within the company in order to proceed with disclosure to the data subject, or with the correction, deletion or portability of the personal data.

Tip 3: Elaborate a data retention and disposal policy

This policy should include appropriate principles for the retention and disposal of personal data, observing the legal requirements of the LGPD. In addition, the policy must contain:

  • An up-to-date temporality table for information storage, taking into account the personal data collected;
  • Appropriate disposal procedures for assets (paper, computers, removable media) containing personal data;
  • A process for deleting or anonymizing data when it is no longer necessary for the company, observing the need to store data to meet legal obligations;
  • A backup process for personal data stored in systems;
  • A pseudonymization process for sensitive data at rest. Incorporate into the company culture the principle of data minimization, whereby the company collects only the information strictly necessary, for only as long as necessary.
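As an added example (not from the original article), the following Python sketch shows the two technical pieces of this policy together: keyed pseudonymization of sensitive fields at rest, and a retention check driven by a temporality table. The table, field names and dates are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed temporality table (assumption): data category -> retention period in days.
RETENTION_DAYS = {"payroll": 5 * 365, "marketing_lead": 365}

# Fields treated as sensitive / identifying personal data in this example.
SENSITIVE_FIELDS = ("cpf", "email")


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a value with a keyed HMAC-SHA256 token.

    The token is stable (the same value always maps to the same token, so
    records can still be linked) but cannot be reversed without the key,
    which must live outside the data store that holds the tokens.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with its sensitive fields replaced by tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field) is not None:
            out[field] = pseudonymize(str(out[field]), key)
    return out


def retention_action(record: dict, today: str) -> str:
    """Decide what the retention policy requires for a record on a given ISO date."""
    collected = date.fromisoformat(record["collected_on"])
    expiry = collected + timedelta(days=RETENTION_DAYS[record["category"]])
    if date.fromisoformat(today) < expiry:
        return "keep"
    # Data past its retention period is still kept while a legal obligation requires it.
    if record.get("legal_hold"):
        return "keep_legal_obligation"
    return "delete_or_anonymize"


if __name__ == "__main__":
    key = b"example-key-kept-in-a-separate-secret-store"  # constructed
    rec = {"cpf": "123.456.789-00", "email": "ana@example.com",
           "category": "marketing_lead", "collected_on": "2019-01-10"}
    print(pseudonymize_record(rec, key))
    print(retention_action(rec, "2020-06-01"))
```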

Tip 4: Record of personal data processing operations

The LGPD requires the elaboration and maintenance of a record of personal data processing operations, which should include:

  • The names and contact details of the controller/operator and, when applicable, of anyone responsible for the processing, the representatives of the entities and the Data Protection Officer;
  • The purpose of data processing;
  • The description of the categories of data subjects and the categories of personal data;
  • The categories of recipients to whom the personal data were or will be disclosed, including recipients established in third countries or international organizations;
  • The deadlines set for the deletion of the different data categories;
  • The legal bases stipulated for the data processing.

Tip 5: Process for Data Protection Impact Assessment (DPIA)

Implement or acquire a solution to perform DPIAs in a systematic and centralized manner. This solution must have the following features:

  • The company's privacy projects consolidated in a central dashboard for managing data protection activities;
  • Project classification regarding the involvement of personal data and risk criteria (whether there is profiling, sensitive data, a large volume of processed data, etc.);
  • DPIA workflow management, from the selection of data flows using the established criteria to final approval by the person in charge;
  • Guidance and a template for completing the DPIA, available centrally to the entire company;
  • Risk and gap analysis of personal data flows;
  • A record of the data protection activities performed throughout the project, for compliance purposes.

Tip 6: Implement a DPO governance model

Implement a Data Protection Officer (DPO) governance model, defining the roles and responsibilities to meet regulatory expectations according to the changes brought by the LGPD.

Within the DPO's routine, we understand that there will be tasks such as: (i) periodic due diligence of third parties; (ii) maintenance and updating of the RoPA (record of processing activities); (iii) elaboration and maintenance of DPIAs, when necessary; (iv) periodic internal audits to assess the level of compliance; (v) a periodic LGPD training routine for employees and collaborators; (vi) a routine for monitoring case law, ANPD consultations, new certifications, good market practices, etc.

Tip 7: Hiring an external advisor

It is recommended to hire an external advisor to analyze the company's current compliance with the LGPD, point out improvement opportunities and legal requirements, and define an action plan to implement the actions necessary for the company to comply with the LGPD.

Tip 8: Privacy training to educate employees

Develop a privacy and data protection training program to educate employees about the importance of privacy and personal data protection, enabling them to perform data processing properly and mitigating the risk of a data breach.

This program may have two phases, depending on your approach. The first phase is common to all employees and will cover what the privacy and data protection laws are, their principles, the risks of not complying with them, what personal and sensitive data are, the legal bases, what counts as data processing, how to classify data before storing it, how to dispose of it correctly, what the RoPA and the DPIA are, the role and importance of the Data Protection Officer (DPO), and how to report a data breach within the company. Phase one can be online, available to employees on the intranet. In the second phase of the program, training should be directed at each business area, according to the nature of its relationship with data subjects (customers, financial relationships, HR, etc.). This phase will address in more depth the application of the legal bases to the types of processing the area performs and will present specific cases according to the area's activities (for example, marketing profiling cases). Phase two may be in person for the employees of each area.

Training should be repeated periodically according to the company's internal policy, or whenever there are significant changes in privacy laws.

Implement pass/fail metrics to measure training and learning levels, both per employee and per business area.

Tip 9: Identity and Access Management

Implement a set of identity and access management solutions to provide governance and administration of identities and their respective rights to access personal and sensitive data stored in the company's assets.
It is recommended that the entire life cycle of users and their access to personal and sensitive data be managed through workflows, to mitigate the risk of personal and sensitive data being accessed by unauthorized persons, which may constitute a data breach under the LGPD.

Tip 10: Incident management

Structure, define and formalize an incident management process that includes response plans for incidents related to data privacy. This plan must contain procedures and guidelines to steer the areas involved in identifying, monitoring, remediating and reporting data breach incidents, and must also address the categorization of data breach incidents and their registration in tools. The breach incident management process should be tested and validated regularly to assess its capacity to meet the relevant privacy requirements.

It is recommended that a formal communication process be defined with the data protection authority and with data subjects. This communication must involve the company's Data Protection Officer (DPO) and must be carried out within the deadlines set by the LGPD.

In addition, define a data breach notification process that contains:

  • The identity and contact details of the Data Protection Officer and of other relevant parties in the company;
  • A description of the possible consequences (risks) of the data breach;
  • A description of the nature of the breach, stating the number of data subjects affected;
  • The technical and organizational measures applied to mitigate the consequences of the breach.

Tip 11: Review of existing contracts

We recommend reviewing old contracts and adding protective clauses related to data protection and LGPD compliance, as well as adjusting existing standard contracts to include such clauses, including the possibility of an audit. Depending on the case, the contract can specify how the data is to be processed and the minimum security measures to be observed.

Conduct compliance assessments of new and existing third parties/suppliers (at each contract renewal) to verify that they comply with the LGPD.

Tip 12: Internal and external privacy policy

There is no legal definition of the types of internal and external privacy policy that a company must have. Nevertheless, we suggest that the company draw up and maintain the privacy policies below, in line with best practices and with the personal data protection framework.

Regarding external policies, as a rule, companies have:

  • Privacy Policy
  • Cookies policy

With regard to internal policies, companies usually have:

  • Privacy Policy and Data Protection
  • Data retention and destruction policy
  • Data Management Policy on mobile devices
  • Data Security Policy

Tip 13: Define a process to monitor LGPD regulatory changes

This process will help the company stay up to date on the laws in question, providing a basis for decision making.

In addition, it is recommended that a process be defined to update policies, standards, training, procedures, processes and other operations so that they reflect regulatory changes as they happen.

Tip 14: Implement a solution to increase information security

There is no point in implementing various information collection processes if the information is unprotected, or if employees' equipment (computers, cell phones, etc.) lacks tools such as antivirus software and an internet access manager.

Therefore, it is extremely important that the company has solutions that strengthen the security layer of its devices and network. Here are some suggestions:

  • Antivirus:
    • Kaspersky Anti-Virus: it frequently appears in the top 3 of the world's antivirus rankings. It offers advanced scanning and cleaning features, as well as the ability to undo malware actions, which is why it is at the top of this list;
    • Bitdefender Antivirus Plus: offers complete protection for those who want to get rid of malware. It has persistent virus recovery tools, password management and even hardens your browser for financial transactions;
    • F-Secure Anti-Virus: one of the most striking features of F-Secure Anti-Virus is the speed of its quick scan, and it gets even faster when you repeat the process. This ensures practicality and speed in keeping your computer safe. In addition, it has special resources to combat malware, blocking and monitoring the actions of suspicious files.
  • Internet access manager:
    • Solutions that require greater investment, suitable for large companies
    • More affordable solutions, suitable for small and medium enterprises
      • Lumiun: Lumiun is a cloud-based service that protects your business from internet threats, making the network safer and the team more productive. Lumiun works differently, as its main goal is to be a solution that is easy to implement and manage. It is known that two of the biggest problems companies face today are low productivity and lack of security, and it is in this segment that Lumiun operates, in a simplified way for small and medium companies.


To choose the best option to increase information security, it is important to define your business needs well and compare the costs, features and benefits of each of the existing solutions.


Did you like this article? Then share it with your co-workers so that together you can make the company compliant with the LGPD.

Do you have any questions? Write here in the comments and I will be delighted to answer you.
