Recently, Brazil's Digital Government Secretariat (SGD) issued guidelines to guide the interpretation of the General Data Protection Law (Law No. 13.709/2018, the LGPD) by public entities. Although the guidelines are addressed to the public sector, they include instructions for private companies where applicable.
Each guideline is based on compliance benchmarks that comprise privacy and governance, data mapping, terms of use and privacy notices, risk analysis, adequacy of information and technology contracts, and data protection impact assessment. New matters addressed in the guidelines are covered below.
The role of a DPO in a privacy and governance compliance program
The privacy and governance guideline suggests entities follow a step-by-step privacy program to comply with the LGPD. The program includes three stages: initiation and planning, construction and execution, and monitoring.
According to the SGD, the first action to be taken in a privacy governance program is to appoint a data protection officer. The authority requires the active participation of the DPO during the program to support the elaboration of the data mapping, conduct or advise on the preparation of a DPIA, and conduct or advise on the implementation of rules of good practice and governance specified in the LGPD.
The LGPD does not address requirements for a DPO appointed by a data controller. However, the SGD suggests a DPO should have interdisciplinary knowledge in management, information security, risk management, information technology, privacy protection and data governance.
The DPO will be responsible for demonstrating the progress and results obtained during the development of the program to company leaders, as well as:
- Redefining priorities when necessary.
- Defining internal reporting mechanisms.
- Ensuring transparency in the processing of personal data.
- Establishing a maintenance regimen of the documentation related to the LGPD with information of ongoing and planned activities, services and systems that use personal data and incidents involving personal data.
What data mapping should contain
Inspired by France's data protection authority, the Commission nationale de l'informatique et des libertés, and the Belgian DPA, the Autorité de protection des données, the SGD drafted a guideline and a template for data mapping. The primary topics the SGD recommends a data mapping address include:
- Identification of the data process.
- Identification of the controllers, processors and DPO.
- The processor's role in the life cycle of personal data.
- The flow of the processing of personal data.
- Location and source of the data.
- Purpose of the processing of personal data.
- Category of the personal data.
- The categories of sensitive personal data.
- Frequency and amount of the categories of personal data processed.
- Data subject categories.
- Sharing of personal data.
- Security and privacy measures adopted.
- Transfer of personal data.
- Contracts that involve personal data.
According to the SGD, this collected information must be kept constantly updated.
Consenting terms of use and privacy notices
According to the SGD, to obtain consent from the user, the "terms of use" should contain a clause stating that, by using the service, the user expressly agrees with its terms. Therefore, user opt-in is not required for the consent to be considered valid. However, this provision is questionable, as the LGPD defines consent as a free, informed and unequivocal declaration by which the data subject agrees with the processing of their personal data for a specific purpose (Article 5, XII, LGPD).
Unfortunately, the SGD does not mention how the consent must be collected in a privacy notice to be considered valid.
DPIA and risk analysis
The DPIA, according to the LGPD, is a document formulated by the data controller that includes a description of the processes involved in the processing of personal data that may trigger risks to civil liberties and fundamental rights of the data subjects, as well as a description of the measures, safeguards and risk mitigation mechanisms (Article 5, XVII, LGPD).
There are two cases in which the LGPD expressly recommends that the controller create a DPIA: when the processing of personal data is based on a legitimate interest (Article 10, Section 3º, LGPD) or when it involves sensitive data (Article 38, caput, LGPD). In these instances, Brazil's Autoridade Nacional de Proteção de Dados (ANPD) may, at any time, request a DPIA from the data controller.
Notwithstanding, in the DPIA guideline the SGD also suggests a DPIA when the processing of personal data involves:
- Tracking the location of data subjects.
- Formation of a natural person’s behavioral profile (profiling).
- Automated decision-making that may have legal effects, including decisions designed to define a data subject’s personal, professional, consumer and credit profile or aspects of their personality.
- Children and teenagers.
- Changes in laws and regulations applicable to privacy, internal policies and standards, operation of an information system, purposes and means for processing personal data, new or changed data flows.
- Public security, national defense, state security, or investigation and prosecution of criminal offenses. In these cases, the LGPD is not applicable, but the ANPD still has the attribution of issuing technical opinions, recommendations and requesting a DPIA from the controllers (Article 4, Section 3º, LGPD).
- A violation of the LGPD by public entities.
- Administrative reforms that imply a new organization resulting from the incorporation, merger or split of bodies or entities.
Additionally, the SGD recommends the inclusion of a risk analysis in the DPIA. The risk assessment guideline takes into account not only the LGPD, but also specific information security aspects drawn from various ISO standards. The analysis should consider both the probability of a risk and its impact, and should form part of the DPIA.
What can we expect for the future from Brazil's government authorities?
An incident response guideline is expected to be issued by the SGD, the purpose of which will be to guide data controllers in the elaboration of a response plan for security and data privacy incidents in order to minimize losses. It will also include guidelines for making the necessary communication of incidents to the data subject and the ANPD, as appropriate.
Additionally, the ANPD published an agenda of items that will be regulated during the next two years. It lists ten priority subjects and expected deadlines and includes, but is not limited to, the regulation of the LGPD in the following scenarios:
- Microenterprises and small-scale businesses, and business initiatives that declare themselves as startups or innovation companies, and individuals (natural persons) who process personal data for economic purposes.
- Data subject rights.
- Defining duties and attributes of the DPO.
- International data transfers.
- Communication of security and privacy incidents, such as data breaches.
- Defining aspects of the data protection impact assessment.
- Guiding the application of the legal basis for processing personal data.
- Establishing circumstances and conditions for the application of administrative fines.
These are important starting points companies should follow due to the ANPD's delay in beginning its activities, as well as the late appointment of its directors and members.