*By Ricardo Ambrizzi
Since the General Personal Data Protection Law (LGPD) was enacted on August 14, 2018, companies of different sizes and operating markets have sought to adapt their operations so that personal data processing activities are in compliance with the requirements. However, small and medium-sized companies, startups would need the same security and administrative controls as large companies?
Faced with this need, the National Data Protection Authority (ANPD) structured a regulatory agenda in 2021 that contains 10 priority topics for the adaptation process. These include data and privacy protection for small and medium-sized businesses, startups and individuals who process personal data for economic purposes.
According to "Art. 55-J. It is incumbent upon the ANPD: XVIII - to edit simplified and differentiated rules, guidelines and procedures, including regarding deadlines, so that micro and small companies, as well as business initiatives of an incremental or disruptive nature that declare themselves to be startups or innovation companies, can adapt up to this law;” the ANPD's purpose is to regulate and provide subsidies for the adequacy and regularization of this type and size of companies. To meet this regulatory requirement, the ANPD established the Guidance on Information Security for Small Handling Agents.
Launched in October/2021, this Guide recommends the adoption of 3 administrative measures, 4 technical measures, measures related to the use of mobile devices and measures related to the cloud service, always evaluating the scenario and the technological park of your organization, aiming, in this way, the security of information related to personal data. Among the measures established are:
- Administrative Measures:
- Information Security Policy;
- Awareness and Training;
- Contract Management (Suppliers, Employees and Customers);
- Technical Measures:
- Access control;
- Security of stored personal data;
- Communications security;
- Maintenance of vulnerability management program;
- Measures related to the use of mobile devices:
- Mobile Device Policy;
- Technical controls for mobile device management (MDM).
- Measures related to the cloud service:
- Service Level Agreement Agreements (SLA), covering data security in the cloud;
- Assessment of providers of cloud service providers (information security requirements);
- Access management of cloud services, with authentication controls (multi-factor).
In general, the document aims to disseminate good practices and basic information security measures and, it should be noted that the process of adapting to LGPD is not limited to the recommendations mentioned in this guide, being recommended to companies to assess the risks and technologies in a more comprehensive way. used in its processes and activities that involve the processing of personal data in order to establish a secure, resilient and reliable data protection ecosystem.
— Ricardo Martins Melo Ambrizzi, Senior Information Security Consultant at [SAFEWAY]
How can we help?
THE SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.
today through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one stop shopping with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in the process of structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.
In order to support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services, the Cybersecurity Health Check whose objective is to carry out a diagnosis of the CyberSecurity, Information Security and Data Privacy implemented in your company, contemplating the pillars of Law Suit, People and Technology.
through the Cybersecurity Health Check, risks associated with information security and privacy of internal processes and activities are identified, existing controls and new controls evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!
