Categories
Data Protection

LGPD Compliance Project: 4 steps to implement it

The essential step to implement a LGPD (General Data Protection Law) compliant project and comply with the new data management rules is to thoroughly inventory the personal data being collected in your business.

Basically, it is answering questions about data use like: “What do we have? Where is it? What could be interpreted as protected information?”

This information includes anything that can be used to identify a person, such as name, phone number, address, and even whether that person prefers to use a 12-hour or 24-hour format.

But this process is not an easy job. Personal data covered by the LGPD and other new privacy laws do not only appear in well-defined database fields. Other important steps are needed to implement a GDPR-compliant project.
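The inventory step described above is easier to reason about with a concrete scanner in hand. The following is an added example (not Eval's code and not part of the original article) that walks a set of constructed records, flags fields that are known to hold personal data, and searches free-text fields for identifiers that are not in well-defined columns. The CPF check-digit validation is the standard mod-11 algorithm; the record layout, field names and sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample records (hypothetical), including a free-text "notes"
# field where identifiers can hide outside the obvious database columns.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Ana Souza", "cpf": "123.456.789-09", "notes": "Prefers 24-hour format"},
    {"id": 2, "name": "", "cpf": "123.456.789-00",
     "notes": "Contact: ana.souza@example.com or +55 11 91234-5678"},
    {"id": 3, "name": "", "cpf": "", "notes": "Order total 1234.56 BRL, no contact on file"},
]

# Fields the organization already knows hold personal data (assumed).
KNOWN_PII_FIELDS = {"name"}

CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"(?:\+55\s?)?\(?\d{2}\)?\s?9?\d{4}-?\d{4}\b")


def cpf_is_valid(cpf: str) -> bool:
    """Mod-11 check-digit validation for a Brazilian CPF (standard algorithm)."""
    digits = [int(c) for c in cpf if c.isdigit()]
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    for length in (9, 10):
        weights = range(length + 1, 1, -1)  # 10..2 for the first digit, 11..2 for the second
        total = sum(d * w for d, w in zip(digits[:length], weights))
        remainder = total % 11
        check = 0 if remainder < 2 else 11 - remainder
        if digits[length] != check:
            return False
    return True


@dataclass(frozen=True)
class Finding:
    record_id: int
    field_name: str
    kind: str   # "name", "cpf", "cpf_invalid_checksum", "email", "phone"
    value: str


def scan_text(record_id: int, field_name: str, text: str) -> list[Finding]:
    """Find identifiers inside a single text value."""
    findings = []
    for m in CPF_RE.finditer(text):
        # A CPF-shaped string that fails its check digits is flagged separately:
        # it is often test data or a false positive and deserves review, not a
        # silent pass or a silent drop.
        kind = "cpf" if cpf_is_valid(m.group()) else "cpf_invalid_checksum"
        findings.append(Finding(record_id, field_name, kind, m.group()))
    # Blank out CPF spans so their digits cannot be re-matched as a phone number.
    remaining = CPF_RE.sub(" ", text)
    for m in EMAIL_RE.finditer(remaining):
        findings.append(Finding(record_id, field_name, "email", m.group()))
    for m in PHONE_RE.finditer(remaining):
        findings.append(Finding(record_id, field_name, "phone", m.group()))
    return findings


def inventory(records: list[dict]) -> list[Finding]:
    """Answer 'what do we have and where is it?' for a list of records."""
    findings = []
    for rec in records:
        for field_name, value in rec.items():
            if field_name == "id" or not isinstance(value, str) or not value:
                continue
            if field_name in KNOWN_PII_FIELDS:
                findings.append(Finding(rec["id"], field_name, field_name, value))
            findings.extend(scan_text(rec["id"], field_name, value))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Map each kind of personal data to the fields it was found in."""
    summary: dict[str, set[str]] = {}
    for f in findings:
        summary.setdefault(f.kind, set()).add(f.field_name)
    return {kind: sorted(fields) for kind, fields in summary.items()}


if __name__ == "__main__":
    for f in inventory(SAMPLE_RECORDS):
        print(f"record {f.record_id}: {f.field_name} contains {f.kind}")
    print(summarize(SAMPLE_RECORDS and inventory(SAMPLE_RECORDS)))
```

On the sample data the scan reports that the `notes` field, which nobody would list as a personal-data column, carries an e-mail address and a phone number, and that one value in the `cpf` column is not a real CPF. Both results are the kind of thing a purely schema-based inventory misses; in a real run the record source would be a database cursor or an export file rather than an in-memory list.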

Data management is just the first step towards GDPR compliance

Whether created in a commercial or social context, data protection is a concept everyone should be familiar with.

While some specifics of the implementation of the data protection law’s requirements are still being defined, the introduction of the LGPD has certainly coincided with, if not provoked, an upward trend of individuals becoming more zealous about their right to privacy.

Consumer concerns about privacy mean that investing in a data protection program brings far more value than simply protecting businesses from legal action or financial penalties.

Perhaps most important when implementing a GDPR-compliant project is the need to maintain brand reputation and consumer trust.

As consumers become more willing to shift their loyalty in favor of a company that securely protects their data, businesses can confidently leverage their GDPR compliance to secure competitive advantage.

Going beyond the basics: 4 steps to implement a GDPR-compliant project

As organizations look to update the way they use data and create more efficient processes to preserve data subjects’ rights, various data protection-related activities can be consolidated into a broader information control program.

Such a program should do more than simply enshrine compliance with data protection legislation as an exercise designed to avoid regulatory fines:

  • Step 1 – Governance: ensures compliance with the rules laid down by law and guides its employees.
  • Step 2 – Legal: consent, contract, legal obligation, vital interests, public task and legitimate interests.
  • Step 3 – Technology: data accuracy: all data held must be sensitive and up-to-date.
  • Step 4 – Cybersecurity: secure the infrastructure of the service provided and give users the conditions to preserve and manage the privacy, collection and processing of their personal data.

Data protection law covers all parts of an organization’s operations. To maximize the business gains from GDPR compliance, companies should extend the breadth of their data protection programs to incorporate information security into the design of business applications and technical infrastructure.

Legislation leads to a business value proposition in data protection and privacy

The LGPD legislation mandates that at the design stage of any processing operation, as well as at the time of the processing itself, companies implement appropriate technical and organizational measures designed to implement data protection effectively and integrate the necessary safeguards for data processing.

Therefore, those responsible for developing and delivering data systems need to look at how proper implementation of privacy can promote business as well as protect it from fines, and propose this as a business enabler.

The business objective of different organizations will vary, but changes will be required at the data and code level, so this will likely need to be driven by information security professionals with a good understanding of the business.

The business benefits of privacy and data protection therefore need to be identified and presented in a commercial context as a positive enabler rather than a cost to avoid fines.

This is an opportunity for information security professionals to highlight the financial benefits that come with these enhanced security measures and engaging with the business can only help.

Although the additional cost of designing security is not discretionary, working on a GDPR-compliant project can increase investment support and raise the profile and perceived value of the security function, defining and developing the company’s business maturity.

Translating requirements into a successful GDPR compliant project

A high-maturity organization will have clearly defined governance roles and responsibilities, risk management agreed with managers, and data privacy risks prioritized and mitigated effectively with all the right data controls in place so that there is minimal likelihood of a data breach.

However, the benefit of reducing risk will only be achieved if it is underpinned by a deep understanding of the business, its operations, strategic initiatives and future plans.

To prevent a GDPR-compliant project from failing and to secure buy-in for the changes that the data protection law requires, it is important to demonstrate that achieving compliance has the benefit of reducing risk.

Instead of focusing on the implications of non-compliance, companies should use business scenarios and technology tools that reduce the impact of data exposure, such as including digital signatures in their processes and technological resources.

Ultimately, business gains will be better realized if the motivation for compliance is to protect the organization, rather than external pressure for change.

About Eval

EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Secure data sharing: The Grand Challenge in Health

Despite the numerous benefits of adopting secure data sharing, data protection and privacy will be the major challenge for these organizations to overcome.

It is not all about adopting technologies, such as electronic medical record systems, there are policies and processes involved, as well as user awareness.

Indeed, data protection and confidentiality are top priorities in the IT sector, and in healthcare it will be no different. But it is not always easy to achieve these goals on a large scale.

It is no wonder that secure data sharing in healthcare is considered the big hurdle for the coming years.

Always keep patient safety in mind

For many health and IT security experts, data sharing in healthcare is a “double-edged sword”.

On the one hand, managers and doctors want innovation in healthcare and for patients to be able to decide what data they want to share and with whom they want to share it.

On the other hand, technology professionals want to ensure data protection and privacy, and therefore when patients allow the sharing of their medical information, they should fully understand what is happening with their data and where that information travels.

Data privacy can become a trap

To give you an idea, 80% of behavioral health apps in the Apple App Store share information with third parties.

Determining who has access to this data once it is shared can be difficult, especially if an end-user license agreement is involved.

Have you read the Facebook end user license agreement? It would probably take hours. So when we talk about secure data sharing, a user license agreement that takes hours to read and understand is not consent with data protection and privacy in mind.

This concern also applies to healthcare institutions. The rules adopted for the storage and use of data by these organizations will also have a significant impact on patients’ lives, putting the permission to share data directly in their hands.

Ultimately, existing legislation has reduced the risk of information sharing between healthcare organizations, but if a patient allows their medical data to be shared, the General Data Protection Law (LGPD) may not apply should problems arise.

Investment in data protection and privacy is critical, but it is only one stage towards secure sharing.

Today, operating systems and healthcare solutions are better protected and attackers have shifted their attention to the human element, aiming to break into the organization’s information systems.

As the number and frequency of cyber attacks designed to take advantage of innocent people are increasing, the importance of the human factor in information security management cannot be underestimated.

To combat cyber-attacks designed to exploit human factors in the data protection and privacy chain, it is paramount to treat information security as a discipline aimed at reducing the risks to health information that arise from user-related vulnerabilities.

Education, policies and processes as the key to safe sharing

In October 2019, the Alabama health system in the United States was the victim of an attack that left it unable to accept new patients at three hospitals. An undisclosed amount was paid to stop a cyberattack and restore the hospitals’ operations.

But investment in data protection and privacy through technology is not the only thing to be done to reduce the risks and attacks that are bound to occur in this new decade. Technological resources are just the “tip of the iceberg” to ensure secure data sharing.

Often, in order for attacks to occur or for data sharing to happen inappropriately, viruses and malware need the help of users to get into computers.

In the context of information security, social engineering is the use of techniques to manipulate individuals into divulging confidential business or personal information that can be used for fraudulent purposes.

In other words, people can be misled into disclosing strategic information that they otherwise would not.

Common vectors of attack on users include:

  • Phishing: fake emails to trick people into clicking on a link or opening an attachment that carries a malware payload;
  • Social media: Social media can be a powerful vehicle to convince a victim to open an image downloaded from a website or take other compromising actions;
  • Instant messaging: Instant messaging clients can be hacked by cybercriminals and used to distribute malware to the victim’s contact list;
  • SMSishing: SMSishing uses text messages to get recipients to navigate to a website or enter personal information on their devices;

Organizations should conduct regular training to help employees avoid common pitfalls of malware and other threats.

And to achieve this goal, there is a wide variety of methods for information security awareness, such as web-based training materials, contextual training and embedded training.

Why do healthcare institutions need IT security policies and procedures?

The goal behind IT Security Policies and Procedures is to address threats, implement strategies on how to mitigate them and how to recover from threats that have exposed a part of your organization.

IT security policies and procedures provide a roadmap for employees on what to do and when to do it. Remember, for example, the annoying password management policies that every company has.

If this policy and procedure did not exist in organizations, how common would it be for people to use simple, easy-to-guess passwords that ultimately expose the organization to a greater risk of data theft and/or data loss?

An organization’s information security policies are usually high-level concepts that can cover a large number of security controls.

Issued by the company to ensure that all employees using information technology assets within the organization comply with established rules and guidelines, the information security policy is designed so that everyone recognizes that there are rules by which they will be held accountable regarding the sensitivity of corporate information and IT assets.

Secure data sharing in healthcare is the convergence of technology and awareness

Senior management in healthcare institutions plays an important role in protecting assets and sharing information in an organization.

Executive management can support the IT security objective by setting security goals and priorities and ensuring the necessary investments for data protection and privacy.

However, even with resources such as certificates and digital signatures, tools such as antivirus and firewalls, and personnel specialized in information security, end users have a responsibility to protect information assets on a daily basis, through security policies and processes that have been defined, communicated and need to be enforced.

End-user compliance with security policies is essential to maintaining information security in an organization. In healthcare, this group is primarily responsible for securing the medical information of patients and family members at what can be considered the most fragile times in a person’s life.



General Data Protection Law and its impact on the financial sector

Recently approved by Congress, the General Data Protection Law (LGPD) aims to make companies more transparent. It also intends to expand data subjects’ privacy rights.

Basically, Brazilian legislation follows the General Data Protection Regulation (GDPR), which came into force in Europe in May 2018.

The LGPD is a very significant law when it comes to the confidentiality requirements governing financial services institutions and other types of business processes that must protect users’ personal data.

Learn more about the LGPD and its main impacts on the financial market.

The LGPD, a major change in data protection and privacy

The LGPD was conceived with the aim of defining data privacy guidelines throughout Brazil. In this way, it aims to protect and give Brazilians the right to data confidentiality.

The LGPD is the most important Internet bill since the regulatory framework. In addition, it must be followed by all companies that process the personal data of residents in Brazil. It defines the procedures for collecting information, storing it, securing it and how it is processed and used.

Following the presidential approval and sanction of PLC 53/2018, the General Data Protection Law is going through a period of awareness and adoption by companies and should come into force at the beginning of 2020.

According to the LGPD, data processing will only be allowed under the following conditions:

  • With the express consent of the data subject for the processing of personal data;
  • For the performance of a contract with the data subject or to take steps to enter into a contract;
  • To fulfill a legal obligation;
  • To protect the vital interests of a data subject or another person;
  • When the processing is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority;
  • For the legitimate interests of the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

After the LGPD comes into force, if any company fails to comply with the law, the legal consequences could include fines and the company could have its activities suspended, in whole or in part.

In addition, where appropriate, companies can be held liable for other violations provided for by law.

LGPD and its consequences for the financial market

Failure to comply with the new Brazilian legislation results in major regulatory penalties, reputational damage and loss of consumer confidence.

For this reason, the damage done to the prestige of companies in the market is of greater concern than the financial impact of non-compliance with the new legislation.

The solution for financial institutions is to address the LGPD as a priority, allocating the necessary resources and flexibility to comply with any new regulatory requirements or one-off issues.

A comprehensive approach provides the financial market with the visibility needed to establish a clear understanding of the personal data held by the company. It also guarantees the ability to respond to requests to completely delete data when it is no longer useful.

Considering the scope of data privacy, the LGPD prohibits the processing of personal data for the purpose of unlawful or abusive discrimination.

For the financial market, this type of scenario can happen when the cross-referencing of information on a specific person or group is used to support commercial decisions, such as the consumption profile for the dissemination of offers of goods or services.


The General Data Protection Law also applies to foreign companies

The LGPD applies to data processing operations carried out in Brazil or abroad. If the information is collected on national territory, it is subject to the law.

This means that if a financial company or even Google collects data from a user here but processes it in the United States, for example, it will have to follow the General Data Protection Act.

According to the new legislation, the company can still transfer the data to a foreign subsidiary or headquarters. However, the destination country must also have comprehensive data protection and privacy laws. Another option is for the other government to guarantee treatment mechanisms equivalent to those required in Brazil.

Citizens’ rights are preserved

The LGPD was unquestionably created to protect every citizen and their right to the confidentiality of their personal information. But the law also guarantees two fundamental aspects regarding the use of information in financial and online transactions:

  • Obligation on companies to notify in the event of a data breach;
  • The right to be forgotten.

The aim of the legislation is to protect citizens’ right to confidentiality and data privacy. In this way, it gives consumers the right to request that their personal information be consulted by financial institutions and, likewise, to request its deletion without requiring external authorization.

These queries allow, for example, financial institutions to retain certain data if it is necessary for compliance purposes and other legislation. However, in the absence of a valid justification, the person’s right to be forgotten prevails.

This will be a major challenge for financial institutions and other companies focusing on the digital market.

For many organizations, the difficulty will be implementing the data management practices needed to respect the right to be forgotten and the demand for greater transparency and coordination in all market segments.



Data Protection Law: Know the 7 Points of Attention

The General Data Protection Law (LGPD) is more than a set of rules; it is a milestone in the way companies and individuals interact with personal data.

The LGPD tries to strike a balance between being strong enough to give individuals clear and tangible protection and, at the same time, being flexible enough to meet the legitimate interests of companies and the public.

An important starting point with the data protection law is the concept of personal data. The LGPD only applies when personal data is processed. Personal data is information by which a person can be directly or indirectly identified.

Let’s take a deep dive into the seven crucial points you need to understand in order to comply with this legislation.

The 7 points of attention of the Data Protection Act, what you should know

In general, the concept of the LGPD seems easy, right? But in practice it isn’t. Companies have had years to prepare for the entry into force of the new legislation, but most are still lagging behind in introducing processes and tools for users to exercise these new rights.

Companies are still struggling to provide the necessary resources to help users. It’s not as if one day after the data protection law comes into force, all our privacy problems will magically disappear. That’s why the LGPD’s points of attention are so important.

So you can better understand what the General Data Protection Law will look like in practice:

# 1: Objectives of the Data Protection Law

The LGPD is not just a legal document; it is a social pact aimed at protecting individuals’ rights over their personal data.

The law seeks to guarantee total transparency during the processing of this data, requiring companies to collect only the information that is strictly necessary and to keep it for the minimum time required.

In practice, there is no need to read the official text of Law 13.709 of August 14 to understand the objectives of the General Data Protection Law.

Within our points of attention in the LGPD, we can simplify this legislation by recognizing users’ rights in relation to personal data and guaranteeing total transparency on the part of the platforms when processing this data.

From this practical point of view in our list of the LGPD’s points of attention, it becomes clear that the most sensible course of action for all organizations that provide services, digital or otherwise, should be to collect only the personal data that is necessary and to store this information only for as long as is necessary.

In fact, the articles of the LGPD focus on exactly this idea.

# 2: Who the LGPD applies to

It doesn’t matter where your company is located; if you offer goods or services in Brazil, the LGPD is applicable. Complying with the law not only avoids heavy fines, but also strengthens customer confidence in your brand.

It is important to highlight in our list of points of attention of the Data Protection Law that any company that sells goods or services located in Brazil, regardless of its region, is subject to the regulation.

By complying with the requirements of the LGPD, companies will avoid paying expensive fines and improve the protection and trust of customer data.

# 3: The creation of a new position in companies

According to the Data Protection Act, companies deemed responsible for their users’ personal data must delegate data protection to a controller, who will be responsible for protecting all personal data.

The Data Protection Act requires companies to appoint a data controller, a trained professional who will be the guardian of data privacy. This role is crucial to avoid legal sanctions and ensure that data processing standards are maintained.

It is extremely important that this person receives exclusive training on the legislation and related obligations, and that their knowledge of the subject is broadened.

This is important because the entire organization, as the data controller, could face administrative fines or other legal sanctions in cases where data processing standards cannot be maintained.

# 4: Process assessment and reduction of risk exposure

The GDPR requires a careful analysis of how data is used to make business decisions. Exposure to risks must be minimized, and every piece of information must be treated as personal data, depending on the context and purpose of the processing.

A piece of information that does not qualify as personal data for an organization can become personal information if a different company obtains possession of it on the basis of the impact this data may have on the individual.

It all depends on why the organization is processing the data. If an organization processes data for the sole purpose of identifying someone, then the data is, by definition, personal data, and hence the need to reduce exposure to risks.

# 5: Adoption of the Privacy by Design development standard

The Data Protection Act is not something to be considered after the fact; it must be integrated into every stage of the development of products and services. Ignoring this can result in non-compliant systems and significant costs to correct these problems.

So why should you care about the Data Protection Act?

Firstly, because you (or the company) care about the privacy of the people whose data you process. And also because non-compliance can give your organization a bad reputation and lead to the payment of severe fines.

This means that it is very important to take the requirements of the GDPR into account at all stages, also in the design phase and when selecting, cleaning and using your test and backup data.

Failure to do so will result in systems that are not compatible with the legislation. Extensive and sometimes even impossible rework, at a corresponding cost, will probably be necessary to correct these problems.

So take these requirements into account from the outset and avoid creating technical debts in terms of privacy and data protection.

# 6: Attention to subcontractors and partners

The LGPD makes a distinction between a data processor (basically, the entity that processes personal data) and a data controller (the entity that decides the purposes and means of that data processing).

If you are a controller, it is your responsibility to ensure that your subcontractors also comply with the GDPR.

Controllers are required to use processors, including public cloud operations, that implement appropriate technical and organizational measures taking into account “the state of the art and the costs of implementation” as well as the nature, scope, context and objectives of the processing.

# 7: Fines applied by the Data Protection Law

The substantial fines that can be imposed by the LGPD are well known. Under the new legislation, sanctions are imposed by the National Data Protection Authority (ANPD).

According to the data protection law, the fine for the incorrect use of personal information is up to R$50,000,000.00 (fifty million reais) per infraction, or 2% of the turnover of the private legal entity, group or conglomerate in Brazil for the previous financial year.

In addition, companies are subject to additional administrative sanctions applied by the national authority, which could result in the business becoming unviable due to financial loss or the company’s name or brand being compromised in the eyes of the consumer market.

The LGPD’s points of attention are just the beginning; there’s a long road ahead

For many organizations, there is still a lot of work to be done before the Data Protection Act is properly implemented.

Eval has solutions for data discovery, application encryption, data tokenization, anonymization, cloud protection, database encryption, big data encryption, protection of structured and unstructured files on file servers and in the cloud, and key management to meet different demands in the area of data security. These are solutions for business to be compliant and protected against data leakage.

Eval can help your company unify business operations with data protection and security, enabling the measurement of risk throughout the organization to assist in the implementation of a comprehensive LGPD compliance plan.
