By Juliana Dias
The General Data Protection Law (Law 13.709/2018), better known as LGPD, regulates and makes transparent any operation (collection, alteration, storage, processing, deletion, etc.) involving the personal data of a natural person.
Cloud computing, in short, is a model for transferring, storing and accessing data on infrastructure operated by a provider rather than on equipment the company owns. The gains that cloud-hosted services have offered businesses are beyond question: greater scalability, service availability, cost reduction, among others.
So the question remains...
Can the large cloud service providers (e.g. AWS, Microsoft Azure, Google Cloud) also be great allies in complying with the LGPD, given that they are normally already certified against other security standards such as ISO 27001 and ISAE 3402?
Some important points about cloud solutions should be highlighted:
- Thinking about scalability, cloud backup can be very useful, since large volumes of stored data can be accessed easily and quickly without having to worry about the physical equipment needed to support that demand;
- Disaster Recovery solutions provide a quick way to re-establish all access and services, reducing downtime;
- Most providers use advanced digital security solutions and have expertise in detecting and preventing many types of attack. One example is the Cloud Access Security Broker (CASB): software hosted in the cloud or on-premises that sits between the consumers and the providers of cloud services and enforces security, compliance and governance policies for cloud applications;
- They can offer immediate notification of incidents involving personal data, which is an advantage, since under the LGPD the national authority (ANPD) and the data subject must be informed within a reasonable period;
- There are also cloud solutions that assist with data management, making it easier to locate stored data and to identify the purpose for which it is being used.
How can data governance be improved for services that are in the cloud or applications running on servers spread across countries?
The big challenge is to translate the legal requirements for each business area and obtain commitment from all of them. After all, in the event of an incident such as a data leak, the sanctions range from a warning, through a fine of up to 2% of the company's revenue in Brazil (capped at R$50 million per infraction), to blocking of the data until the situation is corrected.
This is a concern not only for the legal department but for every area of the organization that processes personal data, e.g. Marketing, IT, GRC and Human Resources, since most of these areas use such data in the course of their activities. To begin with, it is essential to establish communication between all these areas and a leadership that orchestrates and guarantees LGPD compliance across the company's projects.
Next, one of the actions companies must take to control risks and vulnerabilities is real-time monitoring. This must be followed closely by management so that problems are identified early. Monitoring is also directly linked to one of the pillars of the LGPD: the principle of guaranteeing privacy from the moment a product or service is designed, known as "Privacy by Design" (privacy from the design stage).
Still on the initial actions the business areas must take to ensure a cloud solution complies with the LGPD, the minimum prerequisites a provider must offer should be defined and evaluated before contracting. Ask the provider, for example, whether its audits can be monitored to validate the LGPD-related process: the data lifecycle; how data is centralized, identified and stored; whether secure practices such as encryption and a backup policy are adopted for that storage; and how incident management is carried out (with a view to precise and agile responses for immediate incident notification).
The company is also responsible for its entire chain of cloud service providers. When contracting a cloud solution, the risk of data exposure must be assessed, which may call for a Personal Data Protection Impact Report (RIPD), since logical storage can suffer cyber attacks of many kinds at any time. Be careful when evaluating providers abroad, as the LGPD has specific rules for international data transfers. Consider all the regulatory requirements and the security controls the provider offers to prevent potential incidents. The company should also avoid, as far as possible, exposing personal data through public cloud resources with open access (misconfigured storage or permissive default settings), since unauthorized access happens easily there and puts the data subject at risk; prioritizing the most important services when starting the migration is also good practice.
— Juliana Dias is a GRC Consultant at SAFEWAY
SAFEWAY is an Information Security company, recognized by its clients for offering high-value solutions through Information Security projects that fully meet business needs.
Over these years of experience we have proudly accumulated several successful projects that have earned us credibility and prominence with our clients, a large part of whom are among the 100 largest companies in Brazil.
Today, through more than 23 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.
SAFEWAY can help your organization through SAFEWAY SECURITY TOWER, a complete service chain that keeps your operations monitored and protected by a highly specialized team. Our SOC operates 24×7, with a high-performance technical team and tools to help your organization identify and respond to incidents both predictively and reactively, keeping your business safe and monitored at all times.
Let's make the world a safer place to live and do business!