用特權訪問管理解決LGPD的合規問題

Due to the increasing technological development in the market, we can clearly see how much the trend of product and service purchases by consumers has changed. Through more practical technologies, such as cellphones, laptops, and tablets, they are just a click away to connect with companies over the internet.

Realizing this new consumer behavior, brands uncovered the need to ensure a digital presence in order to conquer new audiences. As a result of this migration, there was a need to have digital marketing strategies to capture customers, and the collection of user information is among the most used strategies to generate conversions.

However, the LGPD was sanctioned in 2018 to make sure that this data collected by companies (whether an email, CPF, or telephone number) was stored and used securely and transparently.

Since its announcement, it has been widely discussed among companies how to adapt to the rules established by law, as the impact on data processing is enormous for companies to create their communication strategies and protect personal data effectively.

Companies that have not yet adapted to the LGPD are subject to fines of R$ 50 million, which would bring huge losses to any company.

Keep reading the text and answer all your questions about the LGPD and how it can impact your company.

The Emergence of LGPD

 Law No. 13.709/2018, popularly known as LGPD (General Data Protection Law) ended up entering into force in 2018. It was created so that the personal data made available to companies became even more secure, that is, collected and stored efficiently.

In a practical way, it is known that this law offers users power over their data. That is, it can define how companies can dispose of their sensitive data, and how they should be treated. Furthermore, these users can simply deny sharing their information as they are not obligated to do so.

Following the LGPD’s practical line, users should be aware of the use and handling of their personal information by the companies that collected it. Also, users can choose to remove their data from the database of such companies.

The rules established by the LGPD apply to the following types of data:

• Personal data: those that identify an individual, for example, individual taxpayer ID, telephone, full name, address, e-mail address, photograph, IP address, among others.
• Sensitive data: they refer to information about a specific person that may lead him or her to suffer discrimination or prejudice. For example, sexual orientation, ethnicity, political ideologies, religious beliefs, among others.

The data can be obtained both physically and digitally, and in both cases, they will be covered by the protection offered by the law. Therefore, when collecting such information, it is also important to have consent to use it.

Concerning sensitive data, it is worth mentioning that they can only be collected if there is an explicit authorization from the holder and should only be used for a defined purpose, which can also be called legitimate interest.

All legal institutions and establishments, whether public or private, that use data from third parties, customers, or even employees must comply with the LGPD.

However, before you put measures in place to regulate your company, it is important to know the 10 privacy principles that LGPD requires from companies, which are:

1. Principle of Purpose: inform the purpose of collecting data from the user.
2. Principle of Adequacy: the data will have to be processed in a way that makes sense with the purpose that was informed to the holder.
3. Principle of Need: request only the information necessary for the fulfillment of its purpose.
4. Principle of Free Access: give assurance to the personal data holder that they can know the form and duration for which their data will be used.
5. Principle of Data Quality: the company will be responsible for the quality of provided data.
6. Principle of Transparency: the user must receive a notice with a detailed list of how their personal data can be used. 
7. Principle of Security:  a company must have the means to ensure that only authorized people have access to such data.
8. Principle of Prevention: data cannot be shared with other companies or people not authorized to process it.
9. Principle of Non-discrimination: data cannot be used for illegal purposes.

• Principle of Accountability: it is necessary to have the term that ensures the 10 principles are being followed.

To ensure the integrity of personal data, your information security team must contribute a lot, since fully protecting personal data is required for the company to have efficient privileged access control.

One that allows only authorized people to access the information and ensures the security from any internal or external threat, in addition to recording all types of actions taken on personal data.

The European GDPR as inspiration for the Brazilian LGPD

There is a European law, popularly known as GDPR (General Data Protection Regulation). It was from there that the LGPD based its main premises regarding the security of data and shared user information.

The GDPR is the updated version of another European Union privacy law, called the “Data Protection Directive”, which has been in force since 1995. The GDPR has legal protection and the Data Protection Directive is just a guide for good practices.

The European Union considers the protection of personal data as a right of any person living or being within the European territory. Therefore, if the person is a Brazilian and is in Europe, their data will be secured by the GDPR just because they are on European soil.

The LGPD complements the Civil Rights Framework for the Internet (Law 12.965 / 14) and comes to light at a moment marked by large leaks of information that involve the misuse of personal information.

In general terms, the two pieces of legislation are very similar, since both deal with the Privacy issue, defining the protection of personal data present in corporate databases.

The main proposal is that the individual’s right to know what information they provide to the services they use is fulfilled. In addition, the entity must explain why it requests certain data from the customer, and for what purpose they will be used.

Despite the similarity, the Brazilian legislation has some more specific items. Here are seven important details about the rights guaranteed to Brazilians:

1. Be informed of the collection and sharing of your data whenever it occurs;
2. Full access to your data, including the possibility of correcting them;
3. Request that your data stay anonymous;
4. Guarantee of data blocking or deletion;
5. Have the option of disallowing cookies when accessing a website and receiving information stating that this compromises the browsing performance and customization;
6. Request the interruption of communications and rest assured it is respected;
7. Review automatic algorithmic decisions about your data, with the right to request human review.

LGPD was created to help maintain the protection of personal data by ensuring the integrity of user information and its security. Each citizen must be aware of the real importance of their data and how making it available can impact both their life and the life of others. 

Each user and citizen must know their rights, if they are victims of crimes virtually committed by Brazilians or foreigners. In addition, when verifying the violation of its data by companies, whether foreign or not, the user has the right to seek its defense supported by the LGPD.

The Impact of LGPD on Brazilian Companies

Looking at the business side, these new processes guided by the Law will insist that businesses be extremely careful and meticulous about the terms of use of the respective data. Therefore, brands need to explain very well all forms of use in relation to the information provided by users. Not to mention that these businesses must also promote actions so that the user can manage their information.

In order for these activities to be carried out efficiently, and above all, in accordance with the guidelines imposed by the LGPD, each company must pay attention to the main rules it guides regarding the collected data.

What has happened a lot in the business world is that brands have hired professionals to deal specifically with these processes, making the internal sectors that need the personal data of customers and leads to be able to work even more securely, and within the law.

The new law provides guidelines on how the processing of collected data should work and it is extremely important to guarantee its security. See what your company needs to do by August to adapt itself:

1. Hiring a Data Protection Officer

For data to be handled correctly, some organizations will need to appoint someone to take charge of processing personal data.

The main duties of this role will be:

• Working as an intermediary between the company and the data holder, facilitating communication between both parties and responding to the holder’s complaints and requests.
• Establishing the connection between the corporation and the government, receiving instructions from the ANPD (National Data Protection Authority), and taking care that they are complied with.
• Ensuring that employees follow the rules set forth by the LGPD, and for this, they will provide training and guidance to handle data appropriately.
• Following the attributions established by the controller and executing complementary norms that the organization decides to use to guarantee the security of information.

2. Analysis of Data Protection and Privacy

It is essential to review the current privacy and protection policy and make any necessary adjustments. The holder needs to be aware of how their data will be used and what safeguards are guaranteed to decide whether to provide it or not.

Make a strategic plan and check all the controls and processes of your company looking for solutions to risk situations. Possible security gaps should be looked for in order to minimize the risk of loss, theft, or hijacking of information.

With the adoption of the LGPD, it is crucial to adopt administrative and technical measures that are effective in protecting information. For example, to protect your company from data theft, it is possible to use software such as senhasegura.

3. Training of Employees

In order for the LGPD rules to be followed by all employees, it is important to invest time and resources in training. To achieve this goal, one can offer courses, lectures, among others.

Employees need to understand how they can prevent leaks and know their responsibilities and consequences.

In addition, some data is restricted to certain sectors, and their members must understand this and be committed to the information in their hands for not sharing it with third parties.

In times of pandemic, when many workers have joined the remote work approach, it is interesting to guide how to maintain security during activities.

The adoption of data protection measures must become part of the collective and individual thinking of all employees, becoming part of the corporate culture too.

4. Beware of partners and outsourcing

Those who are partners of your business or provide outsourced services also need to adapt to the LGPD.

The contracts with suppliers and third parties that have access to your company’s information need to be reviewed to ensure that they comply with internal and external data privacy rules.

It is necessary that partner ventures also have a culture of privacy and security so that problems do not arise in the future and for your company to remain within the risk limit previously established.

The Key Challenges Faced for Compliance

Promoting a digital transformation through information security and LGPD is still a challenge. Citizens must be prepared to exercise their citizenship in this context and have information at their disposal to support them. 

In addition, experts assume that the State should treat the matter with caution, since the maximum tightening of this regulation, disregarding its effects in other countries, can lead to international isolation from the rest of the world. 

All these perspectives would imply less foreign investment and a weakening of negotiations and international relations between countries and companies, generating a strong impact in several areas, mainly in the economy. 

Therefore, it is expected that Brazil will advance in the race for leadership and autonomy of global information, treating the subject wisely within its own premises and transforming it into a State policy.

Fines for Those Who Do Not Comply With It

The data law fines began to be enforced on August 1, 2021. Check some of the sanctions for those who break the LGPD rules:

• Fine of up to 2% of the company’s revenue, which may reach the amount of R$ 50 million for an infraction committed.
• Partial suspension of the database operation for a period of up to 6 months with the possibility of an extension for an equal period.
• Suspension of the activity of processing personal data for up to 6 months with the possibility of an extension for an equal period.
• Partial or total prohibition of activities that deal with data processing.

So that you do not suffer losses, make sure that the LGPD rules begin to be complied with by your business.

Think about what changes your company needs to make. For example, if someone tried to break into your company’s database in search of personal data from your customers or employees, would it really be secure?

The Importance of Protecting Personal Data

For the states, it is a matter of extreme relevance to ensure the protection of citizens and enhance the economy and technology of the country through the flow and processing of information. 

For companies, keeping customer data restricted to the corporation itself and inside local servers is a very high expense, so many of them resort to cloud data storage, such as cloud computing, to ensure the storage of a large amount of data. It is in this transfer to the cloud that companies can leave their own data and customers vulnerable. 

Therefore, they need to invest in security layers, choose data management solutions, such as Privileged Access Management (PAM), and count on the support of legislation to ensure the security of the company and customers. 

From the point of view of users and citizens, without a protection policy, in addition to running the risk of having their data widely used for commercial and governmental purposes without proper consent, they are more vulnerable to cybercrimes that can go unpunished, except in cases they take place in the national territory.

Privileged Access Management as a Path to LGPD Compliance

Now that you had an overview of what LGPD is and what requirements are expected from companies and institutions, it is time to understand more about privileged access management.

It is important to mention that these new precautions are provided for in articles 46 and 49 of the new law, mentioning the importance of administrative controls to protect personal data collected via the internet.

The first step to ensuring your company is compliant with this law is to have a mechanism that is able to map and configure each employee’s access. After all, there is information that should not be accessed by all people and needs to remain available only for the sectors and teams that need it.

Thus, everyone must be encouraged to only access the information that is relevant to the performance of their daily activities, without access abuse or improper sharing of information. This is what we call the Principle of Least Privilege.

Always reviewing the accesses and users who should have access to certain data is also a way to ensure that your company is following the step-by-step as expected.

This way, it is easier to see if there are employees who are breaking any of the rules and why the amount of access is still higher than expected.

To assist in this routine, many institutions started to work with user logging, capable of mapping which people accessed certain information and how often this data was viewed.

Another important point that should not be left out is the inclusion or deletion of an employee when they start or leave the company. This is a common mistake that many institutions end up making without thinking about the legal consequences.

senhasegura, Your PAM Solution

These regulations related to data privacy are very positive because they seek to bring a balance between the protection of personal data, the dignity of a human being, the privacy, honor, and the image of people, as well as free initiative and economic use of data in a legitimate, responsible, proportional and reasonable way.

In order to comply with the two regulations, technological solutions such as senhasegura, a management solution for privileged access, which automates all access management of privileged users, including the recording of sessions for later auditing, among other features, are fundamental for the success of a data management strategy.

Pam solutions help corporations alleviate and avoid business losses and financial penalties. In many organizations, system administrators receive full superuser rights with little supervision. 

The absence of proper access governance for privileged accounts leads to an accumulation of privilege abuses, orphan accounts, ownership conflicts, and other governance issues.

Organizations need to go beyond password compartmentalization methods and static policies to restrict and monitor privileged access. A good way to solve this effectively is by hiring a PAM solution. A  good PAM solution manages all the points you need to pay attention to, ensures internal and external security, and even records all actions performed within the databases.

Gartner, one of the most respected IT research and consulting companies in the world, highlights senhasegura as one of the best PAM solutions in the world market in its report called Critical Capabilities for PAM, which evaluates PAM technology and its ability to execute and provide the functionalities needed for the cybersecurity universe.

If you are interested in learning how a PAM solution works, contact us and request a demo!