Neomind
LGPD: how to implement good business practices and ensure a safe environment for your customers

by Alexandre Lima, 23/02/2026, in Innovation & IT

Technology keeps advancing to meet a market that demands ever faster processing of its inputs, and the resulting exchange of data opens an ever deeper gap when it comes to information security. Exposing personal data has increasingly become a condition for requesting services.

In view of this, information is considered the organization's main asset, and it is at constant risk. The loss or theft of information generates losses for the company. For example, losing all information related to its customers, suppliers or even its employees could put the organization out of business.

In this context, information security is a pertinent subject for every employee, regardless of the type of organization in which they work, given the similarity of the risks that companies face, even when they differ in size and segment. Thus, the initial question is:

How do I achieve information security compliance?

Some companies have an internal auditing process. Internal audit can assist the organization in its governance by anticipating problems, eliminating duplications, and identifying potential areas for performance improvement.

In information technology environments, auditing uses computing resources both as the object of the audit and as a means of automating the audit process itself. In addition, the process aims to confirm whether internal controls exist and, if so, whether they are effective.

Auditing can be used as a management tool, adding intelligence to the business and generating positive results in the organization's operations and finances, in addition to serving as a basis for possible organizational change. In short, therefore, auditing is an evaluation of compliance with the criteria of ISO standards.

Understanding the ISO

In this context, the investigation of failures in these activities has produced models and specifications whose implementation meets the needs of the stakeholders. There are standardization organizations dedicated to establishing models for standardizing processes. Chief among them is ISO.

ISO (2019), an acronym for International Organization for Standardization, is a body that has published more than 22,000 international standards or related documents. These documents provide world-class specifications for products, services, and systems in order to ensure quality, safety, and efficiency.

The elaboration and dissemination of the Brazilian version of ISO standards is the responsibility of ABNT, an acronym for Brazilian Association of Technical Standards. This organization operates in conformity assessment, has certification programs, and is one of the founding members of ISO, the Pan American Commission on Technical Standards – Copant and the Mercosur Association for Standardization – AMN.

To assist in the audit of information systems, the ISO 27000 family of standards was created.

ISO 27000

It is composed of approximately forty standards, focusing on information technology, the security techniques applied to that technology, and its management systems.

The new ISOs and recent revisions of the old standards are based on the structure of the PDCA model, which is composed of four steps: plan, execute, check, and act.

PDCA can be defined as a tool for the analysis and improvement of processes and teamwork. The concept was developed in quality management but has spread to other areas, since it can be applied to any type of management.

Likewise, ISO 27001 is a management standard and, for this reason, certification can be obtained by implementing it, as it specifies the requirements needed to, among other activities, implement, operate and improve an Information Security Management System (ISMS).

It is of paramount importance that the ISMS is part of the organization’s processes, being integrated with the other processes and also with the administrative structure. The application of an ISMS is a strategic decision of the company and its implementation must take into account the needs and objectives of the organization. Basically, ISO 27001 deals with the implementation of an ISMS on an ongoing basis.

In addition, the standard reinforces the importance of continuous improvement of the ISMS and, although it no longer mandates the PDCA methodology, the ISMS remains a continuous cycle, which is what drives the required evolution.

Based on the concepts presented, it is possible to understand the importance of preparing the organizational environment for the LGPD.

So, what is the LGPD?

The General Data Protection Law (LGPD) was created and approved in Brazil (Law No. 13,709 of August 14, 2018), based on the General Data Protection Regulation (GDPR) enacted by the European Parliament, which applies uniformly to all countries belonging to the European Union.

The GDPR, which has been implemented since May 2018 in European countries, is intended to ensure the security of personal data based on a set of principles. This regulation affects all organizations in the European Union and also those outside the bloc that want to do business with it.

The GDPR is based on the principle of consent, and for consent to be valid, a statement by the data subject, whether written, electronic or oral, must be recorded. The exchange of information between organizations without the consent of the owner of the information is prohibited. A violation of the rights of data subjects, if confirmed by the supervisory authorities, entitles them to compensation.

Another important point is that personal data should only be collected by organizations for specific, explicit and legitimate purposes, and it must be kept secure and stored only for as long as that purpose requires.

In Brazil, data protection was previously handled in a limited and scattered way, that is, without specific legislation, with only mentions in the Consumer Protection Code, the General Telecommunications Law and the Access to Information Law.

The Brazilian version determines and controls that the data companies collect from individuals is safeguarded and used in the manner stipulated by its owner, thereby offering freedom and privacy to network users. In addition, this law affects all types of organizations operating in Brazil, regardless of their size, business, or shareholder origin.

In this way, all managers of organizations must understand the drivers of the law and implement its controls, adapting them to the characteristics of their business. It is worth mentioning that the object of the LGPD is personal data, which basically means any and all information related to an identified or identifiable natural person.

Thus, the law does not apply to anonymous or anonymized data, or to data that cannot be related to a natural person. The law also presents and defines the roles related to the protection of personal data.

Concepts related to the protection of personal data

Natural person (or individual)

A person who can be identified, directly or indirectly, by personal data.

Personal data

Any information, or any combination of information, relating to an identified or identifiable natural person. Name, CPF, location and behavioral profile are examples of personal data.

Sensitive personal data

Personal data regarding ethnic origin, religious conviction, political opinion, religion, philosophy of life, health, genetics and biometrics.

Processing (treatment)

Any operation carried out with personal data.

Controller

A data processing agent that processes personal data.

Operator

A data processing agent that performs activities on behalf of the controller.

GDPR vs. LGPD

Despite being inspired by the GDPR, the LGPD has an important difference from its European counterpart: the treatment of international transfers of personal data. The GDPR allows such transfers provided that, in addition to the consent of the data subjects, the transfer is not repetitive, concerns a limited number of data subjects and has adequate security measures. The LGPD, on the other hand, does not allow this process, even between companies belonging to the same economic group.

In this context, to regulate the application of the law, the National Data Protection Authority (ANPD) was created, a public administration body responsible for ensuring, implementing and supervising compliance with the LGPD.

Role of the ANPD

The ANPD is the authority that will assess which countries or international organizations have an adequate level of protection for international transfers, and it will also define the standards to be practiced, such as global corporate rules, seals and codes of conduct.

Therefore, inspection of compliance with the law will be the responsibility of the ANPD, which must investigate possible leaks of personal data. However, this can also be done by society, with the support of consumer protection bodies such as the state PROCONs, the Public Prosecutor's Office and consumer protection associations.

Role of the DPO

The GDPR establishes the need for a professional who is responsible for the processing of internal data: the Data Protection Officer (DPO). The DPO is a figure established by the GDPR and adapted by the LGPD as the person in charge of processing personal data. This professional is responsible for monitoring demands related to the protection of personal data and is also the point of contact between the company, the data subjects and the ANPD.

The GDPR, and best practice generally, suggest that the DPO have a multidisciplinary profile and the knowledge to give an opinion on both technical and legal issues. It is also suggested that the DPO report to the company's top management and be hired for a fixed period, in order to preserve the impartiality of the function.

The DPO must be an individual, but need not be someone hired specifically to perform this function in the organization. It can be an employee of the company who takes on the activity alongside other duties, or an identified service provider hired through another company.

Likewise, the DPO must take part in decisions on issues related to personal data, both internal processing and sharing with third parties. In addition, the DPO must issue opinions based on technical knowledge, without direction from senior management or third parties. It should be noted, however, that the DPO does not have decision-making power.

In addition, a report must be produced showing how matters related to personal data are being processed: the Data Privacy Impact Assessment (DPIA), a document established by the GDPR and adapted by the LGPD as the Personal Data Protection Impact Report.

Role of the DPIA

The DPIA is documentation describing the data processing operations that may pose a risk to civil liberties and fundamental rights, together with the mechanisms and measures adopted to mitigate that risk.

The DPIA arises from one of the principles listed by the LGPD: the principle of responsibility and accountability. This principle requires data processing agents to document their activities involving personal data. In addition, since some processing may generate risks for data subjects or for society, the law determines that the controller must carry out the DPIA when the ANPD so determines.

In conclusion: how are companies adapting to the LGPD?

The LGPD will come into force in August 2020. A study carried out by the multinational consulting firm Gartner in 2019 predicts that less than 30% of Brazilian companies will meet the requirements of the law by that date.

Failure to comply with the Brazilian law can result in a fine of up to 2% of revenue, capped at R$ 50 million per infraction. It is therefore important that organizations comply with the law.


Alexandre Lima

Full-stack developer at Neomind, Bachelor of Computer Engineering from Unisociesc.

© 2022 Neomind. All rights reserved.