This is the second part of a series focusing on the top-five operational impacts of the Brazilian General Data Protection Law, the Lei Geral de Proteção de Dados Pessoais. The first part, written by IAPP Westin Research Fellow Sarah Rippy, examined the practical definitions and categorizations of data processing, data subject rights, and data subject access requests under the law. Compliance with these provisions will be a significant undertaking for companies around the world that collect and process personal data within Brazil or use personal data to offer goods or services to Brazilians.
This piece turns to the broader issue of data governance, looking first at what protections for personal data the law establishes and the data security standards the LGPD puts in place. It then explores the processes and procedures laid out by the law for controllers to establish data governance programs.
Security and secrecy of data
The LGPD includes several articles that regulate the data security practices of data-processing agents. The first of these is Article 46, which requires data controllers to adopt “security, technical and administrative measures” to protect personal data from “any type of improper or unlawful processing,” including unauthorized access, destruction, loss, alteration or communication. Furthermore, these measures are to be complied with “from the conception phase of the product or service until its execution,” language that mirrors the EU General Data Protection Regulation principle of “data protection by design and default.” The importance of protecting personal data throughout the information lifecycle is also evinced by Article 47, which requires processing agents — a term encompassing controllers, processors and data protection officers, as well as “any other person that intervenes in one of the processing phases” — to commit to ensuring the security of the personal data even after its processing has ended.
Article 46 further empowers Brazil’s new data protection authority, the Autoridade Nacional de Proteção de Dados, to designate the “minimum technical standards” that would fulfill this requirement. These standards are prescribed to take account of the “good faith” principles laid out in Article 6 of the LGPD, which include:
- Purpose (i.e., processing must be limited to “legitimate, specific and explicit purposes of which the data subject is informed”).
- Adequacy, in the sense that the processing is compatible with the purposes communicated to the data subject.
- Necessity (i.e., data minimization).
- Free access to information about the form and duration of processing and integrity of the personal data.
- Quality of the data (e.g., accurate, clear, relevant, and up to date).
- Transparency.
- Security.
- Prevention (i.e., measures adopted to prevent harms stemming from the processing of personal data).
- Nondiscrimination.
- Accountability (i.e., the ability for data processing agents to demonstrate efficiency and efficacy of measures adopted to comply with the rules).
Data breach notification under LGPD
Article 48 of the LGPD requires controllers to notify both the ANPD and data subjects of any “security incident that may create risk or relevant damage to the data subjects.” The communication must occur within a “reasonable” time period, with the definition of what counts as reasonable to be set forth by the ANPD.
Specifically, this notification must provide several pieces of information, including:
- The nature of the data affected.
- The data subjects involved.
- Any “technical and security measures” that were in place for the protection of data.
- Any risks related to the security incident.
- Any measures that the controller has implemented since the event or will implement to “reverse or mitigate the effects of the damage.”
Moreover, if the communication to the data subjects and the ANPD was not “immediate,” the controller must also convey the reason for the delay.
Depending on its assessment of the severity and seriousness of the incident, the ANPD may order the controller to disclose the security event to the media and/or take certain measures to “reverse or mitigate” its effects on data subjects. Lastly, the ANPD’s assessments of such events will include whether “adequate technical measures were adopted to render the affected personal data unintelligible to third parties who were not authorized to access them.”
Good practice and governance
Creating a privacy governance program is an increasingly critical corporate practice as data spreads out across organizations and becomes “excessively expensive” to manage. Article 50 of the LGPD lays out requirements for the establishment of such “rules for good practices and governance” that controllers, processors or associations can implement with regard to the processing of personal data. These rules may cover areas such as complaint and petition procedures for data subjects, security norms, technical standards, educational activities, accountability mechanisms and risk mitigation.
Furthermore, Article 50 implements a risk-based approach to data and privacy governance, which is a touchstone used by the GDPR, as well. In essence, privacy governance programs under the LGPD should base the establishment of rules and practices on “the nature, scope, purpose and probability and seriousness of the risks and the benefits that will result from the processing of the data subject’s data.”
The second part of Article 50 lays out more specific guidelines for the establishment of a privacy governance program that a controller may establish to apply the “good faith” principles of security and prevention laid out in Article 6. For such a governance program to fulfill the controller’s obligations under Article 6, it should, at a minimum, demonstrate a commitment on the part of the controller to internally adopt “policies and procedures that ensure broad compliance with rules and good practices regarding the protection of personal data.” Furthermore, the program should “establish adequate policies and safeguards based on a process of systematic evaluation of the impacts and risks to privacy.”
Additionally, the program should be adapted to the “structure, scale and volume” of the controller’s operations, as well as to the sensitivity of data that is processed. The privacy governance program must also be applied to the entire set of personal data, regardless of how it was collected, under the purview of the controller. The privacy governance program itself must also be integrated into the controller’s general governance structure and entail both internal and external supervision mechanisms. Another requisite feature of the governance program is a plan for the controller to respond to incidents and propose solutions. The program must be updated constantly based on “continuous monitoring and periodic evaluation.”
The purpose of the privacy governance program should be to establish a relationship of trust with data subjects through transparent operations that allow for data subjects’ participation. Further support in the law for data subjects’ participation is found in Article 51, which provides for the ANPD to “encourage” the adoption of technical standards that enhance data subjects’ control over their personal information.
Conclusion
Given the importance of the issues of data security and privacy governance, Article 46 of the LGPD on security measures, Article 48 on data breach notifications, and Article 50 on privacy governance have the potential to be among the most impactful provisions of the law. While the text still leaves many gaps to be filled in by the ANPD, such as what “minimum technical standards” would meet the requirements of Article 46, it provides specific obligations regarding data breach notifications, as well as the contents of a privacy governance program that would fulfill controllers’ obligations regarding the principles of security and prevention. As companies around the globe work toward compliance with these rules — while looking for synergies between their existing data security and privacy governance programs — they will likely need to create new organizing structures and processes to turn these provisions into meaningful privacy and data protection for Brazilians.
The next installment in the series, from IAPP Research Director Caitlin Fennessy, CIPP/US, will focus on the rules and regulations regarding international data transfers, a key issue that has emerged as one of the biggest challenges in privacy this year following the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union in July.