By Leandro Zilli

Information is one of the most precious assets in the contemporary world, so much so that massive data collection has become a business in itself. Organizations understood that this data could be analyzed to build profiles and predict market trends. This practice became a topic of public debate, and a question arose: "What should the limits be, and what about people's right to privacy?"

Given this scenario, data privacy laws emerged, with the General Data Protection Regulation – GDPR (General Regulation on Data Protection – RGPD) as the forerunner. The European law came into force on May 25, 2018 and led other nations to rethink privacy and adjust their own guidelines to this new vision, which also became a central theme in trade agreements.

In order to strengthen these relationships and guarantee individuals the right to security and privacy of their personal data, the LGPD – General Law for the Protection of Personal Data – was signed into law on August 14, 2018, but came into effect, almost in its entirety, only on September 18, 2020. Its purpose is to regulate the processing of personal data and safeguard the basic rights of data subjects. During this period, the ANPD – National Authority for the Protection of Personal Data – was created, with the objective of ensuring the protection of personal data and sensitive personal data and of implementing and monitoring compliance with the LGPD.

As of August 2021, 3 years after the law was sanctioned, the penalties provided for in the LGPD came into effect. They range from a warning, through fines of up to 2% of revenue capped at R$50 million per infraction, to the blocking of operations, public disclosure of the infraction, or deletion of the irregularly processed data.

When we talk about laws and controls, the concern with sanctions always comes to the fore, but this is not the only reason organizations are concerned: the significant impact on their business and the loss of reputation driven by a lack of customer confidence also stand out. The "17th Cost of a Data Breach Report" (2021), published by IBM, analyzed more than 500 real data breaches across 17 countries and regions and 17 different industries, through more than 3,000 interviews, covering the costs of responding to data breaches, including incident discovery and response activities.

The average global cost of a data breach exceeded US$ 4 million, with lost business accounting for 38% of that total (around US$ 1.59 million); the main drivers were customer turnover and revenue lost to system downtime.

The report also shows that organizations with a more mature security posture had significantly lower costs than those that did not invest in security-focused technologies such as AI, Zero Trust, cloud security and compliance automation. Another interesting point is that the average cost of a data breach increased by US$1 million in cases where remote work, driven by the COVID-19 pandemic, was a factor in the breach. Organizations with more than 50% of their workforce operating remotely took 58 days longer to identify and contain data breaches than organizations with less than 50% of their workforce working remotely.

But after all, what is the solution?

It is a long road, but it should start with understanding the law and adapting the environment: knowing the risks and weaknesses of the business and putting a privacy program in place, with the objective of spreading a new culture and knowledge to everyone in the organization.

This adaptation should be carried out through process mapping, in order to identify whether data is collected deliberately and, above all, whether it actually serves the purpose defined for it.

Beyond data collection and processing, preventing improper access and possible data leakage requires a structure that allows greater control over this strategic data, applying the pillars of information security: Confidentiality (data accessed only by authorized parties), Integrity (complete and accurate data) and Availability (data accessible when needed), together with appropriate processes and technologies that raise the level of security. It is also important that this strategic information be segregated and handled differently from information that can be classified as common use, because of its degree of importance to the organization. All controls must undergo periodic reviews so that the data remains protected against newly identified risks and the necessary improvements are applied.

All this investment of time and money will not be effective without an ongoing training and awareness program that keeps employees informed about the risks. The presence of a DPO in the organization is of great value, as an expert in the protection and life cycle of data in the organization (collection, processing and disposal). The DPO acts strategically, monitoring and guiding the organization so that it develops in accordance with the rules and good practices that have been implemented.


Conclusion

Adapting to the LGPD is not just about the law itself; it is a series of aligned actions that range from understanding the law and adapting information security controls to changing the organization's culture and maturing its business processes.

It is not always an easy task for companies to implement the LGPD in their environment. It often requires great effort, and the shortage of specialized professionals to work on this issue is an additional weakness. A practical solution, which has produced good results, is to hire specialized consultants, who have the expertise, understanding and preparation needed to support organizations on this path.

Implementing a privacy and data protection program, adapting the collection of information so that it is used deliberately and for its real purpose, and taking a mature approach to protecting these assets will result in cost reduction, greater security and a clearer view of the company's risks, strengths and weaknesses. Consequently, it will have a positive impact on the organization's credibility in the market and on its relationship with customers, as it demonstrates a commitment to protecting the data of these data subjects.

— Leandro Zilli is a GRC Consultant at [SAFEWAY] – ITIL v3

About Safeway:

SAFEWAY is an information security company, recognized by its customers for offering high value-added solutions through information security projects that fully meet the needs of the business. Over these years of experience, we have proudly accumulated many successful projects that have earned us credibility and prominence among our clients, who largely include the 100 largest companies in Brazil.

Today, through more than 23 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.

Let's make the world a safer place to live and do business!