What to Expect with Brazil's Data Protection Law 

LGPD Compliance

Passed by the National Congress of Brazil in 2019, the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, or LGPD) is slated to take effect in August 2020. Similar to the General Data Protection Regulation (GDPR), this legislation creates a legal framework for the use of personal data relating to, or processed on, individuals in Brazil, regardless of where the data processor is located.

Prior to the passing of the LGPD, Brazil's data protection was enforced through frameworks that included the Consumer Protection Code and the Civil Rights Framework for the Internet (Internet Act). Additionally, the country has more than 35 laws that relate to privacy and data protection at the federal level. It is worth noting that these laws are designed mainly for specific industries and are not applicable on a national level.

As enterprise software in the cloud has increased from 20 percent to 27 percent since 2017, many Brazilians have much to be concerned about with data protection and cloud security.


WHO IS AFFECTED?

Similarly to the GDPR, the LGPD applies to organizations, public or private, and to any individual collecting or processing personal data in Brazil, regardless of where they are located. Additionally, it applies to organizations that intend to offer services to individuals in Brazil.

DATA SUBJECT RIGHTS

LGPD Article 18 lists nine rights that data subjects have over their personal data. These rights have been expanded and should be guaranteed in an effective and accessible manner.

Those include:

  1. Confirmation of existence of processing

  2. Access to data

  3. Correction of inaccurate, incomplete or out of date data

  4. Anonymization, blocking or deletion of unnecessary or excessive data, or of data that has been processed in non-compliance with the LGPD

  5. Portability of data to another service or provider

  6. Deletion of personal data

  7. Information about the public or private entities with which the controller has shared data

  8. Information about the possibility of denying consent and consequences of denial

  9. Revocation of consent


NOT APPLICABLE

Similar to the GDPR, there are exceptions to the law's application to personal data. The law will not regulate business-to-business (B2B) information. The additional instances where the LGPD does not apply include:

  • Data used exclusively for artistic, journalistic, academic, or literary reasons

  • Data used for national security, public safety, criminal investigation or punishment activities, and national defense

  • Data processed by an individual for personal purposes


DATA REQUIREMENTS

With IBM's global survey reporting that 96 percent of Brazilians believe that companies don't do enough to protect their personal information, these new requirements could be beneficial to everyone in Brazil. What many have deemed the most pressing of the new requirements is mandatory data breach notification.

Notifying the data protection authority becomes mandatory and must be performed within a timeframe considered reasonable. For organizations, there are 10 principles listed by the LGPD that need to be taken into account for the processing of personal data. Those include:

  • With the consent of the data subject;

  • To comply with a legal or regulatory obligation of the controller;

  • To execute public policies provided in laws or regulations, or based on contracts, agreements, or similar instruments;

  • To carry out studies by research entities that ensure, whenever possible, the anonymization of personal data;

  • To execute a contract or preliminary procedures related to a contract of which the data subject is a party, at the request of the data subject;

  • To exercise rights in judicial, administrative or arbitration procedures;

  • To protect the life or physical safety of the data subject or a third party;

  • To protect health, in a procedure carried out by health professionals or by health entities;

  • To fulfill the legitimate interests of the controller or a third party, except when the data subject's fundamental rights and liberties, which require personal data protection, prevail; or

  • To protect credit (referring to a credit score).


DIFFERENCES BETWEEN LGPD AND GDPR

Though there are many similarities between the LGPD and the GDPR, a few differences should be noted.


REPORTING OF DATA BREACHES

Both the LGPD and the GDPR require organizations to report data breaches to the local data protection authority; the difference is the explicit deadline stated in the GDPR. Under the GDPR, organizations must report a data breach within 72 hours of discovery, whereas the LGPD does not provide a firm deadline, merely stating that the security incident must be reported within a reasonable time period.


DATA PROTECTION OFFICER (DPO)

The LGPD states in Article 41 that an officer shall be appointed to be in charge of data processing, suggesting that organizations that process the data of Brazilians will need a DPO. The GDPR not only requires an organization to appoint a DPO, but also provides an outline of when this requirement applies.

FINES

Established organizations within Brazil found violating the LGPD can be fined up to 2 percent of annual turnover. Fines are applied on a per-violation basis, and organizations can be fined up to 50 million reais, which corresponds to approximately $9 million US dollars, per infraction.


WHY REAL-TIME SECURITY DETECTION MATTERS

Regardless of regulatory requirements, real-time detection and remediation can be the difference between a contained security incident and the loss of protected information with devastating financial repercussions. As a best practice for keeping data secure, the choice of software for securing an organization's infrastructure should not be taken lightly. Common compliance and security goals that are relevant to organizations across every industry include:

  • Maintaining a Safe Network

  • Maintaining Vulnerability Management

  • Preventing Unauthorized Access

  • Ensuring Security Flaws Are Immediately Reported

  • Maintaining Integrity of Data Assets 

As noted by the 2020 DBIR, personal data was involved in 58 percent of data breaches, almost double the percentage from 2019. Additionally, in alignment with the CIS Critical Security Controls, the DBIR provided a list of top controls that organizations can use as best practices.

CIS Control 3: Continuous Vulnerability Management

Can your software help find misconfigurations and remediate code-based vulnerabilities?

Implementing with CimTrak

The CimTrak Compliance Module is a SCAP-compliant vulnerability scanning tool that can be scheduled to identify potential vulnerabilities at a user-specified interval. CimTrak can also use specific benchmarks to ensure that the most recent patches have been applied to the target operating system. Additionally, CimTrak facilitates the comparison of vulnerability scans over time, allowing a user to assess whether the infrastructure is improving during a given time frame.

IMPLEMENT CIS CONTROLS AND BENCHMARKS WITH EASE

CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Can your software help ensure and verify systems are configured with only the services/access needed to achieve function?

Implementing with CimTrak

CimTrak monitors systems to ensure operating systems are in a secure state, using CIS Benchmarks and NIST Benchmarks to verify that systems are configured in a hardened state. With the ability to roll back and restore to a previous or correct state, the mean time to restore (MTTR) can be measured in seconds. Additionally, CimTrak can be configured to monitor configurations for changes, and CimTrak's restore mode can automatically remediate unauthorized configuration changes.

CIS Control 9: Limitation and Control of Network Ports, Protocols and Services 

Does your software help to provide an understanding of what services and ports should be exposed on your network and limit access to those?

Implementing with CimTrak

CimTrak can be used to monitor active ports, services and protocols and to provide notification when changes to ports, services and protocols occur. Additionally, CimTrak can be configured to run scans against a set of ports to ensure that unauthorized ports have not been opened.

CIS Control 11: Secure Configuration for Network Devices such as firewalls, routers, and switches.

Are your configurations secure?

Implementing with CimTrak

CimTrak monitors network devices for unexpected or unauthorized changes to their configuration. Deviations are identified and documented, and users are notified upon detection.

CIS Control 12: Boundary Defense

Is your software able to go beyond firewalls to include network monitoring?

Implementing with CimTrak

CimTrak can maintain an inventory of all network devices.

CIS Control 13: Data Protection 

Can you control access to sensitive information by maintaining an inventory of sensitive information and limiting access to authorized cloud providers?

Implementing with CimTrak

CimTrak can inventory, hash, and store critical information about all sensitive information, and custom actions can be used to shut down systems that experience unauthorized changes or other integrity-related anomalies.

CIS Control 16: Account Monitoring and Control

Can your software lock down user accounts across the organization to keep others from using stolen credentials?

Implementing with CimTrak

CimTrak can monitor all local, LDAP, and Active Directory accounts and users, along with their associated rights and privileges. Additionally, CimTrak's compliance module can help ensure that accounts have an expiration date that is monitored and enforced, and that all workstations are set to lock after a standard period of inactivity.


To learn more about how CimTrak can help with additional CIS controls for many regulatory requirements, download the solution brief for best practices.


Jacqueline von Ogden

Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".