
São Paulo/SP – December 26, 2022. A simple registration and homologation are not enough to guarantee the trust of relationships. With the LGPD, aspects of risk, information security, data protection and privacy need to be considered and evaluated.

* By Ramon Ito

Adaptation to the LGPD covers not only the company's relationship with its customers or consumers, but also with the entire structure of its business, such as employees, processes, technologies and suppliers (third parties).

Before exploring this topic, it is important to clarify the roles of the personal data processing agents: when your company outsources data processing activities to another organization, your company is the data controller and the third party or service provider is the data operator. A data controller decides which information is processed and the legal basis that justifies the processing, while a data operator carries out that processing on behalf of the controller.

Both processing agents have responsibilities, and the LGPD makes clear the possibility of compensation for material, moral, individual or collective damages whenever such damages result from a violation of the personal data protection legislation.

The data operator will be held responsible when it does not follow the controller's guidelines or when it fails to comply with the requirements of the LGPD, for example by failing to apply security measures capable of preventing incidents involving personal data. In any case, no company, whether controller or operator, wants to be involved in a data scandal that could negatively impact its operations and reputation.

Therefore, to mitigate possible risks and avoid data leakage incidents, it is of paramount importance that companies establish a Third-Party Risk Management process, since a large share of data breaches occurs through the relationship with service providers.

Third Party Risk Management

The risks an organization exposes itself to by engaging a third party depend on a number of factors, including but not limited to:

  • The business segment;
  • The relevance and size of the organization;
  • The sensitivity of personal data;
  • The volume of data processed;
  • The reason for which personal data is processed;
  • The means of data processing.

To assess the compliance of third parties, it is recommended to carry out the following actions:

  • Identify all service providers that process personal data and sensitive personal data (if possible, relating to the processes and services offered by your company);
  • Define how the evaluation will be carried out (sending a questionnaire, face-to-face evaluation, specialized consultancy…);
  • Determine which controls will be evaluated;
  • Define a risk matrix and criteria for assessment;
  • Review active contracts to adapt them to LGPD guidelines;
  • Apply the assessment to third-party controls;
  • Share the evaluation result with the third party. If necessary, give the service provider the opportunity to prepare action plans aimed at increasing their level of maturity and continuity in providing services;
  • Monitor the execution of action plans prepared and set deadlines for compliance;
  • Research whether the third party has a history of relevant security incidents or cases of unavailability of systems and services.

It is recommended that the assessment take place periodically so that new risks are always identified (continuous improvement) and there is up-to-date control over the maturity level of each supplier.

Final considerations

Unfortunately, it has become very common to receive news of data leaks in companies from all sectors, and this news certainly has a quick impact on the image and reputation of those companies, even though in several cases the problem turned out to originate in a failure caused by a third-party partner. Preventively evaluating the data protection and privacy controls of their suppliers is therefore an essential activity for companies that wish to preserve their image and reputation, comply with laws and regulations, provide quality services and guarantee the security of their information and that of their customers.

Furthermore, it is recommended to periodically carry out an evaluation process, making it possible to determine whether suppliers are engaged and careful enough to continue providing the service. This is a process in which both parties benefit, as the controller minimizes risks such as unavailability in the provision of services or leakage of its information, while the operator has the opportunity to improve its data protection controls, stand out in the market in which it operates and even have a competitive edge to win new customers.

— Ramon Ito is a GRC and Privacy Specialist with experience in information security projects in different industries: Agricultural, Mining, Food, Financial Institutions, Retail, Commerce, Cosmetics, Pharmaceuticals, Services, Energy (generation and transmission), Machining, Steel, Aerospace and Aviation.

Check out: #LGPDMagazine! Launch of the 4th edition of the LGPD Magazine: The DPO e-magazine features a range of articles, shares experiences from privacy professionals, highlights selected news and features an exclusive interview with the CEO of DPOs. Privately Global.

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, a service management system or a business continuity management system and, consequently, the certification of operations, services or companies against the ISO 27001, ISO 20000 or ISO 22301 standards.

In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, SAFEWAY has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the Cybersecurity, Information Security and Data Privacy controls implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization in order to increase the level of maturity and compliance, in line with good information security practices. If you would like more information, contact one of our experts!