Brazil’s Lei Geral de Proteção de Dados (LGPD) requires companies to comply with strict requirements related to the collection and processing of consumers’ personal data. We’ve reviewed the LGPD and compiled the most important ways a Data Loss Prevention (DLP) solution can help you achieve compliance with the regulation.
Passed on August 14th, 2018 (Law No. 13,709), Brazil’s comprehensive general data protection law aims to align existing legislation with the new international standard set by the EU’s General Data Protection Regulation (GDPR). Latin America’s first major data protection law, the LGPD replaces and supplements the more than 40 legal norms that previously governed the protection of privacy and personal data at the federal level in the country.
The new law requires organizations to comply with strict requirements when processing personal data with the aim of protecting the fundamental rights of privacy and freedom. The LGPD is very clear regarding information security, requiring companies to use technical and administrative measures to protect data.
Despite the onset of the COVID pandemic and a proposed postponement that would have pushed its application back to May 2021, the LGPD came into force on September 18th, 2020, and has applied since then. The administrative sanctions under the law, however, only became enforceable on August 1st, 2021.
DLP solutions such as Endpoint Protector are some of the most valuable tools for data compliance. They are effective not only for LGPD compliance, but also for GDPR, CCPA, PCI DSS, and others. In the case of endpoint DLPs, policies are applied directly to sensitive data rather than to devices or the whole network. In this way, they ensure that sensitive customer data is identified, controlled, and logged in order to meet LGPD requirements.
Let’s have an in-depth look at how DLP can lend a hand with LGPD compliance.
1. Discover where personal data is stored
A common compliance requirement is to know where your data is – otherwise, you cannot protect it. The LGPD, similarly to the GDPR, requires organizations falling under its jurisdiction to create and maintain a data inventory or data map of the personal information they collect and process. This means that you need to understand how and where data is used, as well as where it is stored.
DLP software is usually equipped with data discovery services and allows administrators to scan the entire device fleet in search of protected data. By scanning and monitoring data at rest, these tools provide visibility into where personal data actually sits and, thus, help you to create a data inventory.
DLP policies can be based on predefined profiles or custom content, allowing companies to search for personal data covered by privacy laws. In this way, you can be aware of what data is transferred where, generate reports from the results, and provide them to the Brazilian National Data Protection Authority (ANPD) upon request.
2. Delete personal data when it is required or no longer needed
Under the LGPD, data subjects have the right to request that their personal information be deleted. This means that companies must be able to confirm that the data is no longer stored anywhere on their network or endpoints. But data often ends up on unauthorized endpoints: employees share information in the execution of their duties, disregarding internal policies concerning sensitive data.
A DLP solution can help you with deletion requests through its data at rest scanning capabilities. These allow companies to search their entire networks for specific data sets and, when found, to take remediation actions such as deletion or encryption. In this way, admins can control which personal data remains on a company’s network and devices.
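The discovery described in section 1 and the remediation in section 2 boil down to one loop: match a personal identifier, validate it to cut false positives, and act on the files that hold it. The following is an added example (not Endpoint Protector code) of a minimal custom-content policy for the Brazilian CPF number, a personal identifier that falls under the LGPD. It walks a directory tree, keeps only CPFs whose two mod-11 check digits verify, and can report, quarantine, or delete the flagged files. The file names, CPF values, and sample records are constructed for the demo; the mod-11 check digit rule is the standard CPF algorithm.

```python
"""Data-at-rest discovery for Brazilian CPF numbers, with remediation.

Added example, not code from the original page or from Endpoint Protector.
File names and sample records below are constructed for the demo.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Matches formatted (529.982.247-25) or bare (52998224725) CPFs, and refuses
# to match inside a longer digit run so card numbers or timestamps are not
# split into a false hit.
CPF_RE = re.compile(r"(?<!\d)(\d{3})\.?(\d{3})\.?(\d{3})-?(\d{2})(?!\d)")


def _check_digit(digits: str) -> int:
    """Mod-11 check digit over `digits`, weights counting down from len+1 to 2."""
    total = sum(int(d) * w for d, w in zip(digits, range(len(digits) + 1, 1, -1)))
    rest = total % 11
    return 0 if rest < 2 else 11 - rest


def is_valid_cpf(cpf: str) -> bool:
    """True only if the 11-digit string passes both CPF check digits.

    Sequences such as 111.111.111-11 pass the arithmetic but are never
    issued, so they are rejected explicitly.
    """
    if len(cpf) != 11 or not cpf.isdigit() or len(set(cpf)) == 1:
        return False
    return (_check_digit(cpf[:9]) == int(cpf[9])
            and _check_digit(cpf[:10]) == int(cpf[10]))


def find_cpfs(text: str) -> list:
    """Return every valid CPF in `text`, normalised to 11 digits, in order."""
    hits = []
    for m in CPF_RE.finditer(text):
        cpf = "".join(m.groups())
        if is_valid_cpf(cpf):
            hits.append(cpf)
    return hits


def scan_tree(root: str) -> dict:
    """Walk `root` and map each file containing a valid CPF to the CPFs found."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        cpfs = find_cpfs(path.read_text(errors="ignore"))
        if cpfs:
            findings[str(path)] = cpfs
    return findings


def remediate(findings: dict, action: str, quarantine: str = "") -> list:
    """Apply one action to every flagged file and return the paths acted on.

    action: "report" (no change), "delete", or "quarantine" (move the file
    under `quarantine`). Deletion here is a plain unlink; a real erasure
    request also has to cover backups and logs, which this example does not.
    """
    acted = []
    for path in findings:
        if action == "delete":
            os.remove(path)
        elif action == "quarantine":
            os.makedirs(quarantine, exist_ok=True)
            shutil.move(path, os.path.join(quarantine, os.path.basename(path)))
        elif action != "report":
            raise ValueError(f"unknown action {action!r}")
        acted.append(path)
    return acted


def demo() -> dict:
    """Build a constructed file share in a temp dir, scan, delete hits, rescan."""
    samples = {  # constructed sample data, not real records
        "clientes.csv": "nome,cpf\nAna,529.982.247-25\nBruno,123.456.789-09\n",
        "notas.txt": "ligar para o cliente 52998224725 amanha",
        "falso.txt": "pedido 529.982.247-26 e telefone 11999999999",  # bad check digits
        "README.md": "Nenhum dado pessoal aqui.",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body)
        before = scan_tree(root)
        removed = remediate(before, action="delete")
        after = scan_tree(root)
        return {
            "flagged": sorted(os.path.basename(p) for p in before),
            "cpfs_found": sum(len(v) for v in before.values()),
            "removed": len(removed),
            "remaining": len(after),
        }


if __name__ == "__main__":
    print(demo())
```

The check-digit step is what separates a usable policy from a noisy one: an 11-digit phone number or order ID matches the regex but fails the mod-11 test, so only `clientes.csv` and `notas.txt` are flagged in the demo. In a real deployment the `delete` action would be gated behind review, and the findings dictionary is the data inventory that section 1 asks for.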
3. Limit the use of personal data
The LGPD requires companies to state the purpose for which they collect and use personal data and to adhere to that purpose. This means that they need to ensure that personal data is not used for anything outside the intended processing. Organizations must also prevent it from being uploaded to private cloud services or copied to unauthorized devices.
By using content scanners to identify sensitive data and monitoring its movement, DLP solutions can assist you with this compliance requirement. After discovering personal data, admins can restrict or block its transfer outside or inside the organization. In this way, users can no longer upload, copy-paste, or print sensitive data through the channels the policy covers.
4. Prevent data tampering and loss
The LGPD requires companies to use technical and administrative measures to protect personal data from unauthorized access, destruction, or loss. DLP solutions are an essential part of this arsenal, preventing incidents that could lead to data breaches by scanning and monitoring data at rest and data in motion. With predefined and custom policies that can restrict or block data transfers, these solutions can help you ensure that personal data doesn’t leave the company network.
5. Maintain personal data security standards
Like the GDPR, LGPD requires companies to design their data processing systems and procedures with privacy by default in mind. This means that privacy has to be a default setting rather than an afterthought. Organizations should also be prepared to demonstrate the effectiveness of the adopted data security measures to the ANPD, as an audit could be carried out at any time.
DLP tools offer detailed insight into how your company’s data is used. Admins can set strict rules for specific sets of sensitive data and, at the same time, let employees handle data outside of these categories freely. With a DLP solution, it also becomes easier to detect policy breaches, log them, and report them to the controller or processor responsible so that action can be taken.