As I've written in another article here on the blog, the General Personal Data Protection Law (LGPD – Law No. 13,709) was enacted on August 14, 2018, and was scheduled to come into effect in August 2020. However, the deadline was postponed to January 1, 2021, due to the pandemic. This regulation establishes a series of rules that all companies and organizations operating in Brazil must follow to allow citizens greater control over their personal data, ensuring transparency in the use of personal data in any medium.
In this article, you'll find some tips to help you comply with certain aspects of the LGPD. But I'm warning you upfront that there's no "Swiss Army knife" tool or software that will solve everything. Compliance with this law requires implementing many processes, in addition to tools.
Study the LGPD
Before listing the tips, it's important to establish a team responsible for analyzing internal procedures regarding data collection and the flow of this information within the company involving third parties. Therefore, it's essential that these individuals thoroughly study the law to understand all the principles and assumptions to which it applies.
Here is some content to get you started and delve deeper into the subject:
- Link to the General Personal Data Protection Law (LGPD) in force, on the website of the Presidency of the Republic (Planalto)
- Our blog article: LGPD: what is it and how to apply it in your company?
- Online courses on the LGPD on Udemy
Let's get to the tips
Now, enough stalling. Below, I've listed some tips to help your company comply with the LGPD.
Tip 1: Consent Form for the Processing of Personal Data
It is recommended that the company define a process for obtaining consent from the data subject that is clear, distinct, and not bundled with other agreements or statements. It must be active (provided by the data subject, without the use of pre-checked boxes). Consent must be documented, in writing or by another means that demonstrates the data subject's expression of will. If existing consent was not obtained in accordance with the LGPD, it is recommended that consent be renewed before the LGPD comes into effect, if another legal basis cannot be used.
We've created a template document that you can download and adapt to your needs in order to obtain consent from employees and users for the company's use of their data. Download the Personal Data Processing Consent Form.
Tip 2: Data Subject Rights Management
Implement a privacy portal (front-end) with a Data Subject Rights Management solution focused on the company's customers, in a timely manner (15 days for LGPD). This portal will manage the entire request workflow and should include the following features:
- Request form, which can be presented in the company's various digital products;
- Validation of the identity of the data subject making the request;
- Control of the request's deadlines, activities and costs;
- Identification of the personal data held within the company, so that disclosure to the data subject, correction, deletion or portability of that data can proceed.
Tip 3: Develop a Data Retention and Disposal Policy
This policy should include principles for appropriate retention and disposal of personal data, complying with the legal requirements of the LGPD. Additionally, the policy should contain:
- An up-to-date retention (temporality) table for stored information, taking into account the personal data collected;
- Appropriate disposal procedures for assets (papers, computers, removable media) containing personal data;
- Process of deleting or anonymizing data when it is no longer necessary for the company, observing the need to store data to meet legal obligations;
- Process of backing up personal data stored in systems;
- Pseudonymization process for sensitive data at rest. Incorporate data minimization principles into the company's culture, whereby the company collects only the strictly necessary information and keeps it only for the required period.
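The retention, disposal and pseudonymization points above can be enforced mechanically. The following is an added illustration, not code from the original article: a constructed temporality table drives a keep/anonymize/delete decision per record, records under a legal retention obligation are anonymized rather than deleted, and sensitive records are written with an HMAC pseudonym in place of the subject identifier. All categories, field names and the key are hypothetical.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
import hashlib
import hmac

# Constructed temporality table: category -> (retention period in days,
# whether a legal obligation requires keeping the record past that period).
RETENTION_TABLE = {
    "marketing_lead": (365, False),   # hypothetical: no legal hold, delete when expired
    "payroll": (5 * 365, True),       # hypothetical: legal obligation, never delete outright
    "health": (730, True),            # hypothetical: sensitive data, anonymize when expired
}
DIRECT_IDENTIFIERS = {"name", "cpf", "email"}   # constructed: fields stripped on anonymization
PSEUDONYM_KEY = b"constructed-demo-key"         # in a real system: held in a KMS/HSM, rotated

@dataclass
class Record:
    subject_id: str
    category: str
    collected_on: date
    payload: dict

def pseudonymize(subject_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable for joins, not reversible without the key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

def store_at_rest(record: Record) -> Record:
    """Replace the direct identifier with its pseudonym before writing sensitive data."""
    return replace(record, subject_id=pseudonymize(record.subject_id))

def disposition(record: Record, today: date) -> str:
    """Decide keep / anonymize / delete from the temporality table."""
    days, legal_hold = RETENTION_TABLE[record.category]
    if today - record.collected_on <= timedelta(days=days):
        return "keep"
    return "anonymize" if legal_hold else "delete"

def anonymize(record: Record) -> Record:
    """Irreversible: drop direct identifiers and unlink the record from its subject."""
    payload = {k: v for k, v in record.payload.items() if k not in DIRECT_IDENTIFIERS}
    return replace(record, subject_id="anonymized", payload=payload)

def apply_retention(records: list, today: date) -> list:
    """Run the disposal process over a batch; returns what remains in storage."""
    kept = []
    for rec in records:
        action = disposition(rec, today)
        if action == "delete":
            continue   # in production: log the disposal so the ROPA/audit trail stays complete
        kept.append(anonymize(rec) if action == "anonymize" else rec)
    return kept
```

The pseudonym is recomputable by whoever holds the key, which is what distinguishes pseudonymized data (still personal data under the LGPD) from the anonymized output of `anonymize`.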
Tip 4: Recording Personal Data Processing Operations
The LGPD requires the preparation and maintenance of a Record of Personal Data Processing Operations, which must include:
- The names and contact details of the Controller/Operator and, where applicable, any joint data controller, representatives of the entities and the DPO (Data Protection Officer);
- The purpose of data processing;
- The description of the categories of data subjects and the categories of personal data;
- The categories of recipients to whom the personal data have been or will be disclosed, including recipients established in third countries or international organizations;
- The deadlines provided for the deletion of different categories of data;
- The legal bases stipulated for data processing.
Tip 5: Process for Data Protection Impact Assessment (DPIA)
Implement/acquire a solution for conducting DPIA in a systemic and centralized manner. This solution should have the following functionalities:
- Company privacy projects consolidated into a central dashboard for managing data protection activities;
- Classification of projects according to the involvement of personal data and risk criteria (whether there is profiling, sensitive data, large volume of processed data, etc.);
- Management of the DPIA workflow, from the selection of the data flow using the established criteria to the final approval of the Manager;
- Guidance and template for completing the DPIA made available centrally throughout the company;
- Risk and gap analysis of personal data flows;
- Recording of data protection activities carried out throughout the project for compliance purposes.
Tip 6: Implement a DPO governance model
Implement a DPO (Data Protection Officer) governance model, defining roles and responsibilities to meet regulatory expectations in accordance with the changes brought about by the LGPD.
Within the DPO's routine, we understand that there will be tasks such as (i) conducting periodic third-party Due Diligence; (ii) maintaining and updating the ROPA; (iii) preparing and maintaining the DPIA, when necessary; (iv) conducting periodic internal audits to analyze the level of compliance; (v) periodic training routine on the LGPD for employees and collaborators; (vi) routine monitoring of case law, consultations with the ANPD, new certifications, good market practices, etc.
Tip 7: Hiring an external advisor
It is recommended that you hire an external advisor to assist you in analyzing your company's current compliance with the LGPD, identifying areas for improvement and legal requirements, and defining an action plan to implement the necessary actions to ensure your company is in compliance with the LGPD.
Tip 8: Privacy training to educate employees
Develop a privacy and data protection training program to educate employees on the importance of privacy and personal data protection, empowering them to process data appropriately and mitigate the risks of a data breach.
This program can have two phases, depending on your approach. The first phase is common to all employees and will cover privacy and data protection laws, their principles, the risks of non-compliance, personal and sensitive data, legal bases, what is considered data processing, how to classify data before storing it, how to dispose of it properly, the ROPA and DPIA, the role and importance of the data protection officer (DPO), and how to report a data breach within the company. Phase one can be online, made available to employees on the intranet. In the second phase of the program, training should be targeted to each business area, according to the nature of its relationship with data subjects (customer relations, finance, HR, etc.). This phase will cover in greater depth the application of legal bases according to the types of processing performed by the area and will include presentations of specific cases based on the area's operations (for example, profiling for marketing). Phase two can be in-person for the area's employees.
Training should be refreshed periodically in accordance with the company's internal policy or when there are significant changes in privacy laws.
Implement pass/fail metrics to measure training application and learning level, both individually by employee and by business area.
Tip 9: Identity and Access Management
Implement a set of Identity and Access Management solutions to provide governance and administration of identities and their respective access rights to personal and sensitive data stored in company assets.
It is recommended that the entire user lifecycle and their access to personal and sensitive data be managed through workflows to mitigate the risks of personal and sensitive data being accessed by unauthorized individuals, which could lead to a data breach under the LGPD.
Tip 10: Incident Management
Structure, define, and formalize an Incident Management process that includes incident response plans related to data privacy. This plan should contain procedures and guidelines for the departments involved in identifying, monitoring, remediating, and reporting data breach incidents, as well as the categorization of a data breach incident and its recording in the relevant tools. The breach incident management process should be regularly tested and validated to assess its ability to meet the relevant privacy requirements.
It is recommended that a formal communication process be established with data protection authorities and data subjects. This communication should involve the company's Data Protection Officer (DPO) and be carried out within the deadlines established by the LGPD.
Additionally, a data breach notification process must be established that contains:
- The identity and contact details of the data controller and other relevant parties within the company;
- Description of the possible consequences (risks) of the data breach;
- Description of the nature of the breach, stating which data subjects were affected and how many;
- Technical and organizational measures applied to mitigate the consequences of the breach.
Tip 11: Review old contracts
We recommend reviewing existing contracts and including protective clauses related to data protection and LGPD compliance, as well as adjusting existing standard contracts to include clauses in this regard, including auditability. Depending on the case, you can specify how data will be processed and the minimum security measures to be followed.
Conduct compliance assessments with new and existing third parties/suppliers (at each contract renewal) to verify their compliance with the LGPD.
Tip 12: Internal and external privacy policy
There is no legal definition of the types of internal and external privacy policies a company must have. In any case, we suggest that companies develop and maintain the following privacy policies based on market best practices and aiming for greater compliance with the personal data protection framework.
Regarding external policies, as a rule, companies have:
- Privacy Policy
- Cookie Policy
Regarding internal policies, companies typically have:
- Privacy and Data Protection Policy
- Data Retention and Destruction Policy
- Mobile Data Management Policy
- Data Security Policy
Tip 13: Define a process to monitor LGPD regulatory changes
This process will help the company stay up to date on the laws in question, providing support for decision-making.
Additionally, it is recommended that a process be defined to update policies, regulations, training, procedures, processes and other operations to reflect regulatory changes as they occur.
Tip 14: Implement a solution to increase information security
There is no point in implementing several information collection processes if the information is unprotected or if employees' equipment (computers, cell phones, etc.) does not have tools such as Antivirus and Internet Access Manager.
Therefore, it's crucial that companies have solutions that increase the security layer of their devices and network. Here are some suggestions:
- Antivirus:
  - Kaspersky Anti-Virus: It has long been a top-three antivirus provider. It offers advanced scanning and cleaning capabilities, as well as the ability to undo malware actions, which is why it tops this list.
  - Bitdefender Antivirus Plus: Offers comprehensive protection for those looking to stay malware-free. It includes recovery tools for persistent viruses, password management, and even enhances browser security for financial transactions.
  - F-Secure Anti-Virus: One of the most striking features of F-Secure Anti-Virus is its quick scan speed, and this speed is even greater when you repeat the process. This ensures convenience and speed when keeping your computer secure. Furthermore, it has special features to combat malware by blocking and monitoring the activity of suspicious files.
- Internet Access Manager:
  - Solutions that require greater investment, suitable for large companies
  - More affordable solution, suitable for small and medium-sized companies
    - Lumiun: Lumiun is a cloud-based service that protects your company from internet threats, making your network more secure and your team more productive. Lumiun's unique approach is to provide an easy-to-implement and easy-to-manage solution. It's well known that low productivity and lack of security are among the biggest challenges facing companies today, and this is where Lumiun operates, streamlining its services for small and medium-sized businesses.
To choose the best option for increasing information security, it's important to clearly define your company's needs and compare the costs, features, and benefits of each available solution.
Did you like this article? Share it with your colleagues so you can work together to ensure your company is LGPD-compliant.
Do you have any questions? Leave them in the comments and I'll be happy to answer them.