Applying The GDPR Lessons Learned to LGPD Compliance

In August of 2018, Brazil enacted its General Data Protection Law (LGPD), which will finally come into effect on August 15th. This is Brazil’s first omnibus privacy regulation. Before the LGPD, Brazil had the Brazilian Internet Act to protect online users, as well as various privacy provisions in its constitution, civil codes, and various regulations. In line with the LGPD, Brazil has only recently created its first National Data Protection Authority to enforce the law.

Bringing your organization into compliance with a new privacy regulation is never easy. It can be especially challenging if the regulation contains many new requirements, as is the case for organizations operating predominantly in Brazil. Since there are many similarities between the LGPD and the European General Data Protection Regulation (GDPR), we decided to take a look at the lessons learned when preparing for that regulation, with the hope that they will be helpful to those facing the LGPD requirements. This is especially relevant since many organizations (by some accounts, the majority) were not in compliance with the GDPR by its due date of May 2018.

I have organized the “lessons learned” under four categories.

Compliance Administration

Omnibus regulations require a lot of documentation – updated contracts, policies and procedures, notices, training materials, choices for consent, and more. The main reason why so many organizations were delayed in complying with the GDPR was the focus on administrative compliance at the expense of doing the necessary heavy lifting of addressing the personal data the regulation refers to (discussed below).

The lesson – documentation can be produced quickly, but it carries liability when it is incomplete or inaccurate. Focus on changing agreements with third parties and legal entities, but don’t rush the policy and procedure changes. Stay at a high level with your LGPD policies and procedures until business processes are mapped and remediated, even if that extends past the compliance date.

Achieving Compliance is a Team Sport

To address the broad range of privacy requirements, the GDPR and LGPD involve various stakeholders across the organization, and they must work together. This effort includes many corporate functions – IT, HR, privacy, information security, records management, and marketing, to name a few – but also the operations across every business unit where personal data is processed. Getting such a diverse group to work effectively together is hard to do, and the collaboration must be maintained after the compliance date.

The lesson – one of the more challenging activities your LGPD task force will have to do is implement change management in their respective parts of the organization. New practices and tools must take root, and the people who guided their selection are in the best position to influence their adoption.

Automation of Privacy Requirements

Several requirements cannot be effectively implemented without automation. These include tracking consents; addressing individual rights, such as Data Subject Access Requests (DSARs) and the right of erasure; masking data for minimization; and encrypting personal or sensitive data. The selection of tools and their deployment takes time and often requires the direct involvement of more than one function in the organization.

The lesson – for some of the privacy requirements that can benefit from automation, organizations can delay a decision even past the compliance date. For example, organizations that do not expect many DSARs could hold off on automating that process. However, when it comes to the masking and encryption of data, waiting can be expensive. As we have seen with some of the large GDPR enforcement actions, it’s the weak protection of data that ends up leading to a reportable breach (breach notification is part of the LGPD) and then to the involvement of the regulator.

LGPD is All About the Data

To comply with any omnibus privacy regulation, an organization must understand the use that it makes of personal data from collection to disposal. This means:

  1. Find the repositories that contain the personal data of Brazilian residents or that is otherwise collected and processed in Brazil (“data in scope”).
  2. Inventory the individuals (data subjects) found in the data in scope.
  3. List the various processing purposes (e.g., customer support) for using the data in scope and confirm that those purposes are still allowed under the LGPD.
  4. Identify the business processes that support each processing purpose (e.g., online chat, call center interaction, providing refunds).
  5. Associate each business process with the applications and repositories that support it.
  6. Identify the employees and the third parties that are involved with executing each of the processes.
  7. Remediate the data for LGPD compliance by eliminating unnecessary access, deleting irrelevant or poor-quality data, minimizing data to reduce risk, and protecting the data throughout its lifecycle.

The lesson – this step proved to be the most resource- and time-consuming in the GDPR compliance process, and it is likely to continue well after the due date. The success of this step rests on the complete and accurate identification of the data (#1), which requires automated discovery.

If the experience organizations had when addressing the GDPR is any indicator, then complying with the LGPD will be an ongoing effort that continues as long as the regulation is in force. Your compliance efforts rest on a foundation of knowledge about the data and processes in scope. Incorporating automation into your privacy program, from the discovery of personal data to addressing individual rights and tracking compliance, is the best way to stay on top of the different requirements while saving time and money.

About the author:

Sagi Leizerov, Ph.D., SVP Enterprise Privacy Solutions at Dataguise

Sagi is a Certified Information Privacy Professional (CIPP/US) with over 20 years of privacy and data governance experience. You can check out his full bio here.