One of the most relevant subjects in the Information Technology and Compliance sector has undoubtedly been privacy and data protection.
With the high volume of databases and information, it falls to companies' IT departments to manage this data, carrying out all the security procedures in its collection, storage and processing.
But when it comes to systems and technology development, how do we put this into practice?
Through the Privacy by Design methodology, all personal data protection can be analyzed from the very conception of the system. It is worth remembering that privacy by design is only one part of the cycle by which companies adapt to the LGPD.
A simplified summary explains the 7 basic principles:
1) Proactive, not reactive; preventive, not corrective: Predict and anticipate events that could interfere with or compromise privacy.
2) Privacy as the default setting: By default, privacy settings must provide security and protection, and any processing must be handled as an exception and conditioned on the express authorization of the data subject.
3) Privacy embedded in the project: Incorporate privacy tools into the initial project to reduce the effort and wear and tear of future compliance with protection rules. Privacy becomes part of the solution itself and not an add-on.
4) Full functionality – positive-sum, not zero-sum: The use of personal data must be in accordance with the objectives of the handler without making unnecessary trade-offs, such as giving up security to get more data.
5) End-to-end security, complete lifecycle protection: When processing data, you need to ensure the security of all information from its capture, which is the first form of processing, to its elimination or sharing, which are also forms of processing.
6) Visibility and transparency: Visibility and transparency need to be applied from the beginning of the relationship. The terms and conditions of use and privacy must be clearly presented by the processing agent, highlighting all relevant information that involves the mitigation or relaxation of any right.
7) Respect for the user's privacy: The development of the system must be based on the interests and guarantees of the user, with measures capable of preventing, guaranteeing and clearly communicating to the data subject all the possibilities and risks of the intended processing. Privacy must always be the basis of the system, with exceptions duly negotiated and disclosed.
The seven principles ensure a positive approach, covering all the necessary points that establish the protection of personal data, in line with the vast majority of privacy rules.
The privacy by design method should gradually be incorporated into the application development and data management processes of all companies, not just technology companies.
The biggest change this brings is the inclusion of tasks related to the processing, exposure and use of data by the systems.
The method is fully adaptable to the practices of each company. However, it requires IT and compliance professionals to understand each principle and how it should be reflected in the internal policies and processes of each company or government agency.
WHAT IS THE IMPORTANCE OF VISIBILITY AND DATA MANAGEMENT?
Undoubtedly, the law will affect the way IT professionals handle, collect and process data.
In this case, the principles to be considered when viewing and managing this data are:
- Data storage: the professional must be sure that the encrypted data is authorized and processed with the correct authorization of use;
- The type of data stored or collected: it will be necessary to justify that the personal data collected is necessary for a specific use and is used only for this purpose;
- Data processing: data processing must be conducted so that data can no longer be attributed to a particular data subject without additional information;
- Data transfer: data that requires transfer must be encrypted and its encryption must be irreversible;
- Access to data: it will be necessary to decide who will or will not have access to the personal data collected.
Once the data has been adjusted according to these principles, such information may be used or processed only when the specific reasons for its use are documented and evidenced.
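One way to apply the "type of data" and "data processing" principles from the list above, shown as an added example that is not part of the original article: each purpose receives only the fields it needs, and the direct identifier is replaced by a keyed HMAC pseudonym, so the separately stored key is the "additional information" required to link a record back to a person. The names `PURPOSE_FIELDS`, `prepare_record`, `matches_subject` and the sample record are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: fields each processing purpose is allowed to receive (constructed).
PURPOSE_FIELDS = {
    "billing": {"plan", "amount_due"},
    "analytics": {"plan", "signup_month"},
}

def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalized identifier.
    Without the key, the value cannot be recomputed from a known e-mail."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()

def prepare_record(record: dict, purpose: str, key: bytes,
                   id_field: str = "email") -> dict:
    """Return a copy limited to the purpose's fields, with the direct
    identifier replaced by a pseudonymous reference."""
    if purpose not in PURPOSE_FIELDS:
        # No documented purpose means no processing at all.
        raise ValueError(f"no documented purpose: {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {name: value for name, value in record.items() if name in allowed}
    out["subject_ref"] = pseudonym(record[id_field], key)
    return out

def matches_subject(identifier: str, subject_ref: str, key: bytes) -> bool:
    """Re-link a record to a person; only possible for a holder of the key."""
    return hmac.compare_digest(pseudonym(identifier, key), subject_ref)

# Constructed sample record; the CPF value is a placeholder, not real data.
SAMPLE = {
    "email": "Ana.Silva@example.com",
    "cpf": "000.000.000-00",
    "plan": "pro",
    "amount_due": 49.9,
    "signup_month": "2023-05",
}

if __name__ == "__main__":
    # Demo key only: a real key would be kept in a separate, access-controlled
    # store, apart from the pseudonymized data set.
    demo_key = b"demo-key-not-for-production-use!"
    print(prepare_record(SAMPLE, "analytics", demo_key))
```

Using the same key for every purpose keeps a subject's reference stable across data sets, which also makes the sets joinable; a separate key per purpose prevents that.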
LIFE CYCLE OF THE DATA IN LGPD:
Several existing solutions will make the protection of personal data even faster and more efficient.
Among them are assessment tools that hold or transmit personal data, or that provide visibility into devices, users and applications, whether on-premises, in the cloud or on smartphones.
There are automated implementation tools that manage consent to make websites compliant with the requirements of the law, obtaining informed consent from users for data collection and use, or even completely deleting such information if necessary.
There are maintenance tools that integrate with automation frameworks to monitor data changes throughout the development lifecycle, helping ensure that the data remains compliant with the requirements of the law.
There are also privacy management software platforms that continuously scan web pages to identify and categorize cookies, providing a transparent mechanism to obtain the necessary consents for specific data access.
In summary, the LGPD is currently one of the most important pieces of data protection legislation.
It affects any organization present in the national territory that deals with personal and corporate data, and it also intersects with the GDPR when multinational companies are present and processing data.
Mapping the origin of data, classifying it and using technology to adapt to the LGPD are of paramount importance for IT professionals, since data security and safer processing guarantee greater credibility in the market.