LGPD Data Discovery: The step towards personal data compliance

The Growing Necessity of a Data Discovery Tool

As cloud services offer better convenience, technology, scalability, and cost than their counterparts, more and more companies are moving their important data to the cloud. To put this in perspective, according to the Flexera 2021 State of the Cloud Report, 97% of enterprises embrace a multi-cloud strategy.

Data Discovery is Significant for LGPD Compliance

Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil’s data protection law that has been in effect since September 18, 2020, and is referred to as Brazil’s version of the EU’s General Data Protection Regulation (GDPR). LGPD shares many traits with the EU GDPR but it also has additional regulations that make it a more comprehensive and severe privacy standard.

LGPD Requirements for Personal Data Processing

Under Chapter II, Section I, Article 7, LGPD requires organizations to carry out data processing operations only when the processing meets one of the following lawful bases:

  1. The data controller must comply with a legal or regulatory requirement.
  2. When data processing is required by the public administration for the execution of public policies provided in regulations or based on agreements, contracts, or similar instruments.
  3. For research purposes by research entities, provided that data anonymization is maintained whenever possible.
  4. When a data subject requests data processing for the execution of preliminary procedures related to a contract, or the execution of a contract itself, to which the data subject is a party.
  5. To exercise rights in administrative, judicial, or arbitration procedures.
  6. To protect the life or physical safety of a third party or the data subject.
  7. To protect health, exclusively in a procedure carried out by health professionals, health entities, health services, or sanitary authorities.
  8. When necessary to fulfill legitimate interests of a third party or controller, provided that it doesn’t violate the fundamental rights of the data subject.
  9. For the protection of credit as per applicable law.

Data Subject Rights Under LGPD

LGPD empowers data subjects to have better control over their data by exercising 9 data subject rights against public and private organizations. GDPR also outlines data subject rights which are, in essence, the same as LGPD — barring a few exceptions.

  • To be informed of the processing of personal data
  • To access the personal data
  • To rectify incorrect or outdated personal data
  • To anonymize, block or delete any excessive or unnecessary personal data, or personal data processed in non-compliance with the regulation
  • To transfer the personal data to a third-party service provider via an express request (data portability)
  • To request deletion of personal data collected on the basis of consent, once the purpose for which consent was obtained has ended
  • To request information about the public and private third parties with whom the personal data has been shared
  • To be informed about the possibility of denying consent for the collection and processing of personal data, and the consequences of such denial
  • To request revocation of consent previously given for the processing of personal data for a particular purpose

LGPD Transparency and Accountability

Under Article 6 of Chapter I, LGPD requires all data processing activities to be done in good faith in accordance with the principles prescribed.

LGPD Data Security and Governance

Under Section I of Chapter VII, the LGPD provides guidelines for the security practices that organizations shall implement for data protection and integrity. Under the LGPD, organizations must employ effective security, technical and administrative measures to protect personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication, or any other form of improper or unlawful processing. Some of the security measures and guidelines include:

  • Deployment of authentication systems for access to records;
  • Use of encryption and other equivalent measures to secure data against breaches;
  • In the event of a breach, the organization must notify the LGPD regulatory authority, the Autoridade Nacional de Proteção de Dados (ANPD), and the affected data subjects;
  • The breach notification must explain the seriousness of the breach.

LGPD Data Discovery Practices

  • The first step towards compliance is knowing where the data resides across disparate data assets. It is therefore essential to build a single catalog of all shadow and native data assets, whether they live in PaaS infrastructure, on-premise systems, SaaS applications, or hyper-scale cloud.
  • The data assets should then be scanned for relevant metadata and cataloged under relevant categories, such as business metadata or security metadata. This metadata may include vendor details, version, the data asset's security status, and so on.
  • Once the data assets are identified and cataloged, the next step is to scan the data they hold and identify personal data and sensitive data. The data discovery tool should be capable of a deep scan across structured and unstructured data, and should classify the identified data under relevant elements, such as health information, personal information, sensitive information, and financial information, to name a few. Data classification further helps system administrators map the data to the relevant data subjects or owners.
  • The system administrator then needs to apply policy-, security-, and privacy-based labeling to the data, classifying it by sensitivity level, risk posture, purpose of processing, and so on.
  • Detect security hotspots and misconfigurations so administrators can enforce strict access controls, data encryption, and other equivalent security measures.
  • Document and maintain an updated record of all data processing activities and logs.
  • Comply with the other security and privacy requirements of the LGPD.
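As an added illustration of the scan, classify and label steps above (example code written for this page, not code from the page or from Securiti), here is a minimal Python scanner that runs over constructed structured rows and unstructured text, identifies personal-data attributes, classifies them under the page's categories and derives a sensitivity label per asset. The detectors, the column-to-category mapping and the use of the Brazilian CPF as a regional attribute (verified with its check digits so that arbitrary 11-digit numbers are not flagged) are assumptions, not anything the page specifies.

```python
import re
from collections import namedtuple

# Detectors for two personal-data attributes; CPF (Brazilian taxpayer id) is an assumed example.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")
# Column-name keywords -> the page's classification elements (assumed mapping); the
# sensitivity label is what later drives access-control and encryption policy for the asset.
COLUMN_CATEGORIES = {"name": "personal", "email": "personal", "cpf": "personal",
                     "diagnosis": "health", "blood": "health", "card": "financial"}
SENSITIVITY = {"health": "high", "financial": "high", "personal": "medium"}
Finding = namedtuple("Finding", "location category attribute sensitivity")

def cpf_is_valid(raw: str) -> bool:
    """Verify both CPF check digits (mod-11) so arbitrary 11-digit numbers are not flagged."""
    digits = [int(c) for c in raw if c.isdigit()]
    if len(digits) != 11 or len(set(digits)) == 1:  # all-equal digits are rejected
        return False
    for pos in (9, 10):
        total = sum(d * w for d, w in zip(digits[:pos], range(pos + 1, 1, -1)))
        if digits[pos] != (total * 10) % 11 % 10:
            return False
    return True

def scan_records(asset: str, rows: list[dict]) -> list[Finding]:
    """Deep-scan structured rows: the column name suggests a category, the value confirms it."""
    findings = []
    for i, row in enumerate(rows):
        for col, value in row.items():
            category = next((c for k, c in COLUMN_CATEGORIES.items() if k in col.lower()), None)
            attribute = col  # default: classified by column name alone, value not verified
            if EMAIL_RE.search(str(value)):
                attribute, category = "email", category or "personal"
            elif any(cpf_is_valid(m) for m in CPF_RE.findall(str(value))):
                attribute, category = "cpf", category or "personal"
            if category:
                findings.append(Finding(f"{asset}:{col}[{i}]", category, attribute, SENSITIVITY[category]))
    return findings

def scan_text(asset: str, text: str) -> list[Finding]:
    """Scan unstructured text (a ticket, a document) for the same attributes by content alone."""
    hits = [(m.start(), "email") for m in EMAIL_RE.finditer(text)]
    hits += [(m.start(), "cpf") for m in CPF_RE.finditer(text) if cpf_is_valid(m.group())]
    return [Finding(f"{asset}@{off}", "personal", attr, "medium") for off, attr in hits]

def label_asset(findings: list[Finding]) -> str:
    """Asset-level label: the highest sensitivity found, used to prioritise controls."""
    return max((f.sensitivity for f in findings), key={"high": 2, "medium": 1}.get, default="none")

# Constructed sample data (fictional people); one CPF with bad check digits is included on purpose.
SAMPLE_ROWS = [{"name": "Ana Souza", "cpf": "123.456.789-09", "diagnosis": "asthma"},
               {"name": "Bruno Lima", "cpf": "111.111.111-11", "plan": "basic"}]
SAMPLE_TICKET = "Contact bruno@example.com, CPF 12345678909; order 12345678900 is not a CPF"
```

Note that a column named `cpf` holding a value with bad check digits is still reported (by column name) so that mislabelled or corrupted data is not silently dropped, while a bare number in free text is reported only when its check digits verify.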

How Securiti Can Help

Securiti enables organizations to run deep data discovery scans across petabyte-scale environments with its AI-powered PrivacyOps solution and to ensure compliance with LGPD and other global data protection regulations.

  • Deploy 200+ native connectors for efficient data asset discovery and cataloging.
  • Use hundreds of built-in and dozens of out-of-the-box personal and sensitive data attributes.
  • Identify and label hundreds of attributes specific to regional privacy regulations, such as LGPD, GDPR, CCPA, etc.
