
Difference between encryption types for data protection

Companies can reduce the likelihood of a data breach, and thus reduce the risk of fines in the future under the General Data Protection Act (GDPR), if they choose to use encryption for data protection.

The processing of personal data is naturally associated with a certain degree of risk. Especially nowadays, where cyber attacks are almost inevitable for companies.

Therefore, encryption for data protection plays an increasing role in IT security for a large part of companies.

In general, encryption is the procedure that uses a key to convert unencrypted text, also known as clear text, into unreadable output; that output only becomes readable again with the correct key.

This minimizes the risk of an incident during data processing, as the encrypted content is effectively unreadable to third parties who do not have the correct key.

Encryption is the best way to protect data during transfer and is a way to protect stored personal data. It also reduces the risk of abuse within a company, as access is limited to only authorized people with the right key.

Encryption for data protection and the GDPR: what you should know

In the computer age, encryption usually means converting ordinary plaintext into ciphertext, text produced in such a way that only its intended recipient can decode it; the discipline behind this process is known as cryptography.

The process of converting ciphertext into plaintext is known as decryption.

The main uses of encryption are as follows:

  • Confidentiality: the information can be accessed only by the person for whom it is intended;
  • Digital signature: the information is signed so that its sender can be identified, with integrity and non-repudiation;
  • Integrity: the information cannot be modified in storage or in transit between the sender and the intended recipient without the change being detected;
  • Authentication: the identities of the sender and recipient, and thus the source and destination of the information, are confirmed.

Types of encryption for data protection:

In general, there are three types of encryption for data protection:

  • Symmetric key cryptography

It is an encryption system where the sender and receiver of the message use a single common key to encrypt and decrypt messages.

Symmetric key systems are faster and simpler, but the problem is that the sender and recipient need to somehow exchange the key in a secure way.

The most popular symmetric key cryptosystems are the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES);

  • Hash functions

No key is used in this algorithm. A fixed-length hash value is computed from the plaintext, and the content of the plaintext cannot be recovered from that value. Many operating systems use hash functions to protect stored passwords;

  • Asymmetric key cryptography

In this system, a key pair is used to encrypt and decrypt information. A public key is used to encrypt and a private key is used to decrypt.

The public key and the private key are different. Even though the public key is known to everyone, only the intended receiver can decrypt, because only they hold the private key.

To maintain confidentiality in the storage and transit of data

Encryption allows data to be stored in encrypted form, so that it remains protected even if attackers reach the storage.

Reliability of transmission

A conventional approach that provides reliability is to encrypt the transmission channel, using symmetric or asymmetric encryption, or a combination of the two.

With symmetric cryptography you need a key to encrypt the information, so the two parties must find some way to exchange that key; exchanging keys securely is itself a problem to be solved.

It is worth remembering that this method performs well.

Another way is asymmetric cryptography: the message is encrypted with the recipient’s public key, so it can be opened only by the recipient, who holds the corresponding private key.

The problem with this type of use is performance.

Identity Authentication

Authenticity, which aims to confirm that the sender of the message is who they claim to be, makes use of a PKI (Public Key Infrastructure).

This is done by encrypting (signing) the message with the sender’s private key; since anyone can obtain the corresponding public key, anyone can verify that the message was generated by that sender.
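The three types above and the PKI signature use, as an added Go example that is not code from the original article or from Eval’s products. It uses only the standard library; the key sizes, sample messages and the salted SHA-256 password hash are constructed assumptions for illustration:

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Symmetric: one shared key encrypts and decrypts. AES-256-GCM also
// authenticates the ciphertext, so any tampering makes decryption fail.
func symmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The nonce is public but must never repeat under one key; prepend it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func symmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // fails on wrong key or altered data
}

// Hash: no key, fixed-length digest, plaintext not recoverable. The random
// salt makes equal passwords differ. (Constructed illustration of the
// principle; production systems use a slow KDF such as Argon2 or PBKDF2.)
func hashPassword(password string) (salt, digest []byte, err error) {
	salt = make([]byte, 16)
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, err
	}
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return salt, h.Sum(nil), nil
}

func verifyPassword(password string, salt, digest []byte) bool {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return subtle.ConstantTimeCompare(h.Sum(nil), digest) == 1 // constant time
}

// Asymmetric confidentiality: encrypt to the recipient's public key; only the
// matching private key decrypts (RSA-OAEP).
func asymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func asymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Identity authentication (the PKI use in the text): sign with the sender's
// private key; anyone with the public key verifies origin and integrity.
func signMessage(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

func verifySignature(pub *rsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sender key pair
	msg := []byte("constructed sample: patient record 42")
	sig, _ := signMessage(priv, msg)
	fmt.Println("signature valid:", verifySignature(&priv.PublicKey, msg, sig))
	fmt.Println("after tampering:", verifySignature(&priv.PublicKey, append(msg, '!'), sig))
}
```

The symmetric path fails closed on a wrong key or altered ciphertext, which is the property that makes breached encrypted data unintelligible to an attacker, as the article argues later.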

Why is encryption for data protection crucial for GDPR compliance?

While there are no explicit data protection encryption requirements in the General Data Protection Act (GDPR), the new legislation requires you to apply security measures and safeguards.

The LGPD highlights the need to use appropriate technical and organizational measures for personal data security.

Because encryption for data protection makes information unreadable and unusable to people without a valid cryptographic key, encryption strategies for data protection can be extremely beneficial to your company in the event of a data breach and when meeting the requirements of the GDPR.

Remember the LGPD requirement to notify customers affected by a security incident?

By encrypting your data, you reduce the chance of having to fulfil this obligation after a cyber attack or another kind of incident.

No information is technically “breached” if the data is unintelligible to the attacker.

How to choose the most appropriate way to ensure data security?

The Thales CipherTrust Data Security platform preserves the entire structure and integrity of your company’s data, including the format of the fields in the database, whatever it may be: Oracle, SQL Server, MySQL, DB2, PostgreSQL, you name it.

Simple, comprehensive and effective, CipherTrust provides capabilities to secure and control access to databases, files and containers, and can protect assets located in cloud, virtual, big data and physical environments.

With CipherTrust, you can protect your company’s data and anonymize your sensitive assets, ensuring security for your company and avoiding future problems with data leakage.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Suddenly LGPD: 10 questions and answers your company needs to know to meet the requirements of the Data Protection Act

It may seem controversial to imagine that the General Law of Data Protection (LGPD) will suddenly come into force throughout the country. After all, Law No. 13,709/2018, which defines the new legislation, was sanctioned on August 14, 2018, establishing an 18-month adaptation period scheduled to begin in 2020.

However, the law went through postponements in the same year it was to take effect (2020), and then it was expected to be extended to 2021 due to the COVID-19 pandemic.

But, between comings and goings in the National Congress and presidential approvals and vetoes, we are expecting the Law to come into effect at any moment. Unfortunately, these changes generate a lot of instability regarding the new legislation and a risk that can directly impact the main objective of the law: the protection and privacy of Brazilians.

In addition to the definition (or lack of a clear definition) of the effective date of the LGPD, the Federal Government has recently established the structure of the National Data Protection Authority (ANPD), the body responsible for overseeing the protection of personal data, elaborating guidelines for the National Policy on Personal Data Protection and Privacy, inspecting and applying sanctions in cases of non-compliance with the legislation, among other duties defined in Law 13,709.

Expectations aside, companies and organizations need, now more than ever, to be prepared for the requirements that will soon be imposed by the data protection law. Despite this transition period, there are still questions about the LGPD that companies need to understand in order to comply with the new legislation.

To help clarify the main doubts, we have put together a list of the most important questions and answers so that you can adapt the LGPD to your business.

Questions and answers about LGPD that your company needs to know to comply with the data protection law

Although there is no universal checklist applicable to all cases, some problems arise more frequently than others. And these questions and answers about the LGPD will be relevant for years to come, as the new legislation has no expiration date.

#1. Are you a data controller or data processor – do you determine the purposes and means of the processing of personal data or do you process personal data on behalf of another party?

Answering this question is crucial to determining the scope of your obligations under data protection law. Of all the questions and answers about the LGPD, this one will probably guide you to most of the actions that need to be taken going forward.

Data controllers decide what data is collected, for what purpose, how it is processed, and for how long. This means that you are responsible for fulfilling a wide range of obligations, such as protecting the data, meeting the objectives of, for example, data minimization and processing transparency. You are also the one who has the obligation to respond to and facilitate the exercise of the data subject’s rights.

On the other hand, if you are a data processor, you process data on behalf of a controller and only within the scope that it has determined. Therefore, you cannot make decisions about what personal data is processed and how. Your primary duty is to protect the data you process from unauthorized access, modification, etc.

#2. Do you perform all processing activities yourself or do you use third-party processing services, such as server rental?

If you use a third-party processing service, you must enter into a specific written agreement (including in electronic form), which should regulate in particular the object and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller.

Remember that even if you do not process the data yourself, you are still responsible for the processing. Choose only those companies that guarantee to implement appropriate technical and organizational processing measures to meet the requirements of the LGPD and ensure data protection.

This set of questions and answers about the LGPD also applies to third-party companies.

#3. Who can access your company’s personal data? Are there different levels of access for different positions?

The fact that you, as the controller or processor, have the right to process the data does not mean that all your employees can access it – it should only be the people whose position within your company requires that they have these rights.

Remember to specify the scope of the authorization – what kind of data they can access (e.g. customer data, employment-related data) and what they can do with the data. Some people will need to have full access, including the right to enter, modify or delete the data, while for others just the right to view the data will be sufficient.

#4. Is all the data you collect really necessary for the purpose of your processing?

One of the main rules of personal data protection is data minimization. It obliges the controller to limit – by default – to the minimum necessary the amount of personal data collected, as well as the extent of its processing, the period of its storage, and its accessibility.

Remember to take this into account when auditing your databases and when designing new data flows (creating forms, making decisions about activity tracking, etc.).

#5. How is the collected data used – what is the purpose of processing personal data?

Data may only be processed for specified, explicit, and legitimate purposes and may not be processed in a way incompatible with those purposes.

#6. Do you collect sensitive data – such as health records, data on racial or ethnic origin, religious or philosophical beliefs, etc.?

Processing sensitive data is prohibited by default and can happen only in specific circumstances described in the LGPD, so a general recommendation would be to avoid processing such data altogether. If this is not possible, seek legal advice to identify remedies that provide a legal basis for processing such data.

#7. Have you checked whether there are processes in your company that require a data protection impact assessment to be performed?

Such an assessment must be carried out in the case of processing that – taking into account its nature, scope, context and purposes – is likely to result in a high risk to the rights and freedoms of individuals, in particular due to the use of new technologies.

It may be necessary in specific cases, including:

  • The systematic and comprehensive assessment of personal aspects relating to natural persons that is based on automated processing, including profiling, and upon which decisions that produce legal effects on the natural person or significantly affect him/her are based.
  • The processing of sensitive data on a large scale.
  • The systematic monitoring of a publicly accessible area on a large scale.

#8. How will the right to data portability be handled? In what format will the data be provided to the data subject or to another controller at the data subject’s request?

The right to data portability can be exercised when the data subject has provided the data to a controller, the processing is performed by automated means, and it is based on one of the following legal bases: the data subject’s consent or a contract to which the data subject is a party.

It allows the data subject to request a copy of their data in a structured, common, and readable format. The LGPD does not provide further specifications of this format, so it is up to the controller to choose it, keeping in mind that the data subject may request that the data be transmitted directly to another controller.

#9. How can a user request access to his/her data, including receiving a copy of his/her personal data being processed? Will this process be conducted manually or automatically? In what format will the copy be provided?

The data subject may ask the controller for a copy of his or her personal data being processed. When this right is exercised for the first time, the controller must provide this copy free of charge, but in case of further requests, the controller may charge a reasonable fee based on administrative costs.

Unless otherwise requested by the data subject, if the request is made by electronic means, the information must also be provided in electronic format.

In preparing for the data subject to exercise their data rights, the controller must ask itself a handful of important questions, the most important being:

  • How the request can be made – using a dedicated website with a request form and instructions, or perhaps, for example, by e-mail;
  • Whether this process will be conducted manually or automatically;
  • In the first case, whether there are enough trained personnel to handle the incoming workload;
  • Whether the existing procedures and organizational means allow such requests to be met without undue delay.

#10. Will data be shared with third parties, including within your group? When, how, on what legal basis?

When you are the data controller, sharing data with other entities can take two forms:

  • The processing will be carried out on your behalf, you specify its purpose, duration, the obligations of the processor, and so on – in this case you need to conclude a contract regulating all these issues with the processor, and you do not have to ask the data subject for his or her consent to do so;
  • Your company loses control over the data it shares and its processing, and the recipient becomes an independent controller of that data – in which case you will need a legal basis for sharing personal data (e.g. consent from the data subject specifying with whom you share the data and for what purpose).

Questions and answers about the LGPD that went beyond the basic concept

Basic questions like “What is the LGPD?”, “What is personal and confidential data?” and “When does the LGPD go into effect?” have been left out to show that the data protection law is directly linked to your company’s business processes, and therefore the goal of its implementation should be something more in-depth.

This means that questions and answers about the LGPD should focus on tools, features such as the adoption of electronic signatures, encryption, training, among other points that were not portrayed in our list. It is necessary to go further.

With a little over a year to go, companies need to keep an eye on the next steps of the General Data Protection Law, that is, the execution of the necessary compliance actions before the LGPD goes into effect.

Companies like EVAL help you implement your strategy to meet expected requirements before LGPD takes effect with solutions to assess risks, enforce policies, protect data, respond to incidents and requests, and prove compliance.

EVAL can help your company unify business operations with data protection and security, enabling risk measurement across the organization to assist in implementing a comprehensive LGPD compliance plan.



ANPD and LGPD: The Importance of Law 13.853

On July 8, 2019, Law No. 13,853 was published in the Federal Official Gazette (DOU) with the purpose of formalizing the creation of the National Data Protection Authority (ANPD).

Basically, the ANPD as a national authority and public administration body is responsible for ensuring, implementing and enforcing compliance with the General Data Protection Law (LGPD) throughout the national territory.

According to the LGPD, the National Data Protection Authority is composed of:

  1. Board of Directors
  2. National Council for the Protection of Personal Data and Privacy
  3. Internal Affairs
  4. Ombudsman
  5. Own legal advisory body
  6. Administrative units and specialized units necessary for the implementation of the LGPD

In addition, the Board of Directors of the ANPD shall be composed of five (5) directors, including the Chief Executive Officer.

But Law 13.853 did not consist only of the creation of the ANPD; it went further and established important changes for companies that need to adapt to the requirements of the General Data Protection Law.

The approved modifications were fundamental for the applicability of the LGPD, since without the creation of the ANPD the law risked becoming practically unworkable, contradicting a system that has demonstrated worldwide effectiveness.

LGPD requirements: law 13.853 went beyond the creation of the National Data Protection Authority – ANPD

The General Data Protection Law provides, among several competences, that the ANPD must ensure the protection of personal data and develop guidelines for the National Policy for the Protection of Personal Data and Privacy.

Therefore, the National Data Protection Authority has a great responsibility for supervising the requirements defined by the LGPD, which must be met by companies adapting to the new legislation that comes into force in 2021.

In addition to consolidating the creation of the ANPD, Law 13.853 was responsible for solidifying important changes provided for by data protection and privacy legislation:

  • The law provides that data protection is of national interest, avoiding the proliferation of state and municipal laws that attempt to regulate the matter;
  • The data controller may be a legal person, and its appointment will also involve the data operator. In the original version, this assignment was exclusive to the data controller;
  • With the changes, the law excludes the obligation to inform the data subject in cases of processing of personal data to comply with a legal or regulatory obligation or when carried out by the public administration, for the execution of public policies provided for in rules or contracts;
  • It expands the hypotheses of communication and shared use of sensitive health data, extending the scope to pharmaceutical care and auxiliary diagnosis and therapy services, as well as to cases of portability requested by the data subject, or to financial and administrative transactions resulting from the use and provision of said services;
  • Health insurance companies are prohibited from using health data for risk selection, or for the purpose of hiring or excluding beneficiaries;
  • It inserts the possibility of waiving the communication by the controller to the data controller in the case of sharing data that has undergone correction, deletion, anonymization or blocking, where such communication proves impossible or represents a disproportionate effort;
  • It establishes conditions for cases of sharing personal data contained in government agency databases with private entities;
  • It brings the hypothesis of direct conciliation between the data controller and the data subject – in cases of individual leaks or unauthorized access – prior to the application of legal sanctions;
  • It establishes the need for the members of the ANPD Board of Directors, chosen by the President of the Republic, to be approved by the Federal Senate;
  • It defines rules for the composition of the ANPD, its attributions and the origin of its revenues.

The ANPD has various roles and responsibilities, including investigating organizations that have suffered data breaches, imposing penalties where appropriate and generally auditing companies for their data collection and storage practices.

How does ANPD support the General Data Protection Law and businesses?

As the national authority responsible for overseeing and applying sanctions in case of non-compliance with data protection and privacy legislation, the National Data Protection Authority also aims to promote good practices in the processing of personal data and guidance on data protection.

In practice, the publication of law 13.853, creating the ANPD, consolidates the legal bases for processing, data auditing and privacy policies, aiming to ensure that the personal data of customers and employees are processed legally.

The importance of the ANPD for business

The publication of Law 13.853 was fundamental for companies that already face several challenges in their routine search for information security in their business processes.

There are often time constraints, budget and more pressing operational concerns that may take higher priority over cybersecurity.

But there are other issues as well, such as the lack of knowledge of data protection and privacy, which directly affect the difficult journey of meeting the requirements set out by the LGPD.

Therefore, the National Data Protection Authority should help companies understand their data protection responsibilities by providing resources, support and guidance, tailored to the needs of organizations according to their segment, size and applicability of data protection law.

In addition, the ANPD should promote awareness among the population of public rules and policies on personal data protection and security measures, prepare studies on national and international practices on personal data protection and privacy, and encourage the adoption of standards for services and products that make it easier for data subjects to control their personal data, taking into account the specificities of the activities and the size of those responsible.

Indeed, technology is driving changes in the social, political, legal and commercial environment that the National Data Protection Authority needs to regulate.

The most significant data protection risks for individuals are now driven by the use of new technologies and so the role of the ANPD will be key throughout this process.

With just over a year to go, companies need to be aware of the next steps of the LGPD, that is, the implementation of the compliance actions required by the law.



Data Protection for Healthcare Institutions and the LGPD

In the age of information and hyperconnectivity, data protection for healthcare institutions has emerged as not only a legal but also an ethical and strategic imperative.

The increasingly blurred boundary between the digital and physical worlds has elevated data management and security to a matter of vital importance.

For the health sector, this need becomes even more critical.

Healthcare institutions deal with large volumes of sensitive and confidential data every day, which requires the highest level of protection.

However, with the General Data Protection Law (LGPD), which represents a paradigmatic shift in data management practices, this sector now faces a new challenge.

In this scenario of digital transformation and greater awareness of privacy rights, health institutions need to adapt to the requirements of the LGPD.

Therefore, understanding the magnitude of the LGPD and how data protection for healthcare institutions can bring positive impacts to the relationship with patients, efficiency of processes and reputation of organizations is essential.

The Convergence of the LGPD and Data Security in Healthcare

The General Data Protection Law (LGPD), in force since 2020, has arrived as a regulatory milestone in Brazil.

It established a new level of rights and responsibilities related to privacy and personal data protection, directly impacting health institutions.

The LGPD classifies health data as “sensitive information”, a subset of personal data that deserves greater protection due to its intimate nature and potential to cause harm if improperly exposed.

This means that patients’ health information, which can cover everything from their medical and genetic history to data about their physical and mental well-being, is considered specially protected by the law.

The Importance of Data Protection for Healthcare Institutions

Healthcare institutions, which handle such data on a large scale, are therefore required to adjust to the stricter guidelines set out by the LGPD.

This involves implementing robust security measures to prevent the leakage or misuse of this information, as well as ensuring the explicit consent of data subjects for its collection and use.

Thus, the LGPD raises the data protection standard for healthcare institutions, requiring them to make an even greater commitment to the privacy and security of patient data.

In turn, it imposes the need to constantly review and improve data security protocols, privacy policies and data management practices.

In practice, the GDPR and health data security are now intrinsically linked, and GDPR compliance has become an inseparable part of health care.

Strategies to Implement Data Protection for Healthcare Institutions

Building an environment of trust and security around patient data is not a simple task, but it is an imperative need for healthcare institutions in the era of GDPR.

Below, we will explore some crucial strategies for the effective implementation of data protection for healthcare institutions.

Master the Law

The foundation for any data protection strategy starts with a comprehensive understanding of the GDPR.

This involves familiarization with all its provisions and guidelines, as well as their specific implications for the health sector.

Invest in expert legal advice to help your institution navigate the complexity of the law and ensure full compliance.

Conduct a Data Risk Assessment

To effectively implement data protection for healthcare institutions, it is crucial to conduct a data risk assessment.

This process involves identifying and analyzing potential risks that could threaten the security of patient data.

This includes assessing existing IT systems, identifying potential weaknesses and implementing appropriate security measures to minimize risks.

Implement Data Protection Policies and Practices

Develop and implement rigorous data protection policies and practices, tailored to the unique needs and challenges of the healthcare sector.

Implement clear guidelines on how patient data is collected, stored, processed and shared within your organization, ensuring ongoing compliance with the GDPR.

Data Protection Education and Training

One of the keys to data protection for healthcare institutions is creating an organizational culture that values data privacy and security.

This challenge can be overcome through a continuous education and training program.

Such a program equips all staff with the knowledge and skills needed to properly handle patient data and maintain compliance with the GDPR.

These strategies will not only ensure compliance with the GDPR, but will also improve the security of patient data, increasing patient trust and satisfaction and enhancing your healthcare organization’s reputation.

The GDPR as an Opportunity

Often, the GDPR is seen only as a legal requirement to be fulfilled, an obstacle that needs to be overcome.

However, it is critical to recognize that the LGPD, and the subsequent need for robust data protection for healthcare institutions, also represents a significant opportunity for institutional improvement and market differentiation.

  • Strengthening the Relationship with Patients

LGPD compliance demonstrates the organization’s commitment to patient data privacy and security.

It strengthens the relationship between healthcare institutions and their patients, who will perceive consideration and respect for the integrity of their personal information.

At the end of the day, trust is the foundation of any relationship, especially in healthcare where sensitive information is constantly being exchanged.

  • Market Differentiation

A healthcare institution that strictly adheres to the LGPD and invests in patient data protection differentiates itself in an increasingly competitive market.

Concern for data privacy and security not only helps to avoid regulatory sanctions, but can also be used as a powerful marketing tool to attract new patients and retain current ones.

  • Enhancing Digital Infrastructure

GDPR compliance requirements can drive healthcare institutions to enhance their digital infrastructure.

This leads to the implementation of new technologies and practices, resulting in more secure and efficient data systems that benefit not only data protection for healthcare institutions, but also the overall quality of patient care.

Therefore, the adoption of the LGPD and data protection for healthcare institutions should not only be seen as a legal obligation, but rather as a path for improvement.

In doing so, healthcare institutions have the opportunity to improve their relationship with patients and stand out in a competitive market. In addition, this can drive innovation in your digital infrastructure.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


LGPD Compliance Project: 4 steps to implement it

The essential step in implementing an LGPD (General Data Protection Law) compliant project and complying with the new data management rules is to thoroughly inventory the personal data being collected in your business.

Basically, it is answering questions about data use like: “What do we have? Where is it? What could be interpreted as protected information?”

This information includes anything that can be used to identify a person, such as name, phone number, address, and even whether that person prefers to use a 12-hour or 24-hour format.

But this process is not an easy job. Personal data covered by the LGPD and other new privacy laws do not only appear in well-defined database fields. Other important steps are needed to implement a GDPR-compliant project.

Data management is just the first step towards GDPR compliance

Whether created in a commercial or social context, data protection is a concept everyone should be familiar with.

While some specifics of the implementation of the data protection law’s requirements are still being defined, the introduction of the LGPD has certainly coincided with, if not provoked, an upward trend of individuals becoming more zealous about their right to privacy.

Consumer concerns about privacy mean that investing in a data protection program brings far more value than simply protecting businesses from legal action or financial penalties.

Perhaps most important when implementing a GDPR-compliant project is the need to maintain brand reputation and consumer trust.

As consumers become more willing to shift their loyalty in favor of a company that securely protects their data, businesses can confidently leverage their GDPR compliance to secure competitive advantage.

Going beyond the basics: 4 steps to implement a GDPR-compliant project

As organizations look to update the way they use data and create more efficient processes to preserve data subjects’ rights, various data protection-related activities can be consolidated into a broader information control program.

Such a program should do more than simply enshrine compliance with data protection legislation for an exercise designed to avoid regulatory fines:

  • Step 1 – Governance: ensures compliance with the rules laid down by law and guides its employees.
  • Step 2 – Legal: consent, contract, legal obligation, vital interests, public task and legitimate interests.
  • Step 3 – Technology: data accuracy: all data held must be sensitive and up-to-date.
  • Step 4 – Cybersecurity: ensure that the infrastructure of the service provided gives users the conditions to preserve and manage the privacy, collection and processing of their personal data.

Data protection law covers all parts of an organization’s operations. To maximize the business gains from GDPR compliance, companies should extend the breadth of their data protection programs to incorporate information security into the design of business applications and technical infrastructure.

Legislation leads to a business value proposition in data protection and privacy

The LGPD legislation mandates that at the design stage of any processing operation, as well as at the time of the processing itself, companies implement appropriate technical and organizational measures designed to implement data protection effectively and integrate the necessary safeguards for data processing.

Therefore, those responsible for developing and delivering data systems need to look at how proper implementation of privacy can promote business as well as protect it from fines, and propose this as a business enabler.

The business objective of different organizations will vary, but changes will be required at the data and code level, so this will likely need to be driven by information security professionals with a good understanding of the business.

The business benefits of privacy and data protection therefore need to be identified and presented in a commercial context as a positive enabler rather than a cost to avoid fines.

This is an opportunity for information security professionals to highlight the financial benefits that come with these enhanced security measures and engaging with the business can only help.

Although the additional cost of designing security is not discretionary, working on a GDPR-compliant project can increase investment support and raise the profile and perceived value of the security function, defining and developing the company’s business maturity.

Translating requirements into a successful GDPR compliant project

A high-maturity organization will have clearly defined governance roles and responsibilities, risk management agreed with managers, and data privacy risks prioritized and mitigated effectively with all the right data controls in place so that there is minimal likelihood of a data breach.

However, the benefit of reducing risk will only be achieved if it is underpinned by a deep understanding of the business, its operations, strategic initiatives and future plans.

To prevent a GDPR-compliant project from failing and to secure buy-in to the logic of enforcing changes required by data protection law, it is important to demonstrate that achieving compliance has the benefit of reducing risk.

Instead of focusing on the implications of non-compliance, companies should use business scenarios and technology tools that reduce the impact of data exposure, such as including digital signatures in their processes and technological resources.

Ultimately, business gains will be better realized if the motivation for compliance is to protect the organization, rather than external pressure for change.


Exposure of sensitive data: the weak point of companies

Many companies are exposing sensitive data directly: sensitive files are accessible to the majority of employees without proper access control, inactive user accounts are kept rather than removed, and passwords are not changed regularly.

This information was pointed out in the Data Gets Personal: 2019 Global Data Risk Report survey carried out by Varonis Data Lab in several different countries, including Brazil.

By focusing on keeping cybercriminals at bay, many companies have paid little or no attention to exposing sensitive data. After all, in many cases, important information and folders are freely accessible to all employees and are not monitored.

It’s a bit like having several ways to prevent your house from being broken into, but leaving a safe full and open in the middle of the living room. If someone passes, they’ll get a present.

These problems will have to be analyzed by companies, since it’s not just about security. After all, in addition to the risks in this regard, with the LGPD about to come into force, this type of case could lead to fines for non-compliance.

But we’ll go into this subject in more detail later in this article.

High exposure of sensitive data

The study analyzed 54 billion documents from 785 companies in 30 industries and 30 different countries. It was discovered that 53% of the organizations analyzed had more than 1000 sensitive files exposed to all employees.

To give you an idea, on average each employee had access to 17 million files.

It’s not just files, but document folders also get a lot of exposure. 51% of the companies analyzed had more than 100,000 folders open to all employees.

Beyond the numbers

Sensitive data with open access to many (or all) employees represents a high risk for companies. There are various ways in which cybercriminals try to get at sensitive company information.

If an employee is phished, for example, this could cause extensive damage to the company by exposing the organization’s sensitive data. We even recently reported on cases of phishing that caused extensive damage.

These problems are not difficult to solve. Simply manage access to files and folders, especially those containing data such as confidential information on employees, clients, partners and projects.

In addition, the use of cryptography, together with good governance of cryptographic keys, is very important for keeping information secure.

That way, if something does leak, whoever gets hold of the file won’t be able to access the data it contains.

Inactive users who don’t log out and passwords that don’t change

Another finding of the study is that inactive user accounts are not deleted. 58% of companies found accounts with more than 1000 inactive users.

In general, these are people who have left the company for some reason, but their access to computers and systems still exists. In addition, more than a third of employees had passwords that never expire.

Cybercriminals are grateful for this. Although they are looking for valuable data, they need a way to get to that information, and accounts that sit unused become a good option for breaking in.

Passwords that don’t change are easier to crack by brute force and when that happens, these accounts become an excellent gateway for a long time.

Sensitive information working overtime when sensitive data is exposed

Generally, sensitive data stored by a company is needed for a certain period of time in order to meet usage needs or legal issues, but then it must be deleted.

It’s like discarding a credit card after it expires. When important data is no longer needed, there is no reason to continue storing it.

Keeping it is taking an unnecessary risk.

However, 72% of the file folders analyzed contained old information that should have already been deleted. In addition, 53% of the total data was old and should no longer be in the possession of companies.

Add these findings to the fact that most companies were working with permissions to more folders than they can manage and, to use a popular expression, we have a scenario with a lot of important information lying around.

Compliance and LGPD

The report mentions that “highly exposed data represents a major risk for organizations regardless of size, area or location”.

Apart from the main laws on the use of confidential and sensitive data, such as GDPR and LGPD, this widespread exposure of sensitive information can lead to legal problems for companies through other legislation.

But here in Brazil, with the General Data Protection Law knocking on the door, it is important that companies seek compliance so as not to be negatively affected anytime soon.

The LGPD has clear sections on data anonymization, as well as liability and access registration, but here we highlight article 46.

It states that “processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful destruction, loss, alteration, communication or any form of improper or unlawful processing”.

In short, not just anyone can have access and even “accidental situations” must be taken care of.

Progress must be made on the challenge of exposing sensitive data

The study also found that only 5% of folders were protected. So there is an important road ahead.

In cases such as those mentioned in this article, it is necessary to change the culture regarding data storage and security measures.

You can’t be left behind by cybercriminals or out of compliance with the law.


Is Proper Key Management Really a Challenge?

Data protection leads companies to implement various encryption solutions. In this sense, one aspect that cannot be overlooked is the need for proper key management.

This is mainly due to the widespread use of encryption as a result of governance and compliance requirements. This shows that we have made progress in terms of data protection, but exposes the major challenge of key management.

After all, it’s common to manage keys in Excel spreadsheets, which can bring a great risk to organizations, since losing control or even losing cryptographic keys can cause the company to lose its data.

Key Challenges of Proper Key Management

Management is vital for the effective use of encryption. The loss or corruption of keys can lead to loss of access to systems and render them completely unusable.

Proper key management is a challenge that increases with the size and complexity of your environment. The larger your user base, the more difficult it will be to manage efficiently.

Some of the biggest challenges involve:

User training and acceptance

Users don’t like change. Although user acceptance is not really part of the key management process, failing to win it can be a major impediment to the success of a project.

Therefore, it is necessary to map the impact of adopting and using cryptography in your production cycle and the difficulties in recovering or resetting keys or passwords.

Listen to user feedback and develop appropriate training to address their specific concerns or difficulties. Develop system benchmarks to check performance before and after the product is implemented.

In other words, manage user expectations.

System administration, key maintenance and recovery

These problems can have a major impact on the organization and should be addressed with the supplier before a product is purchased. On an enterprise scale, manual key management simply isn’t feasible.

Ideally, management should integrate with the existing infrastructure, while providing easy administration, delivery and recovery of secure keys.

Recovery is a fundamental process, especially in situations such as an employee leaving the organization without a proper return or when a key is damaged and can no longer be used. It should also be a simple but very safe process.

In proper key management, the generation procedure should be restricted to one person. In practice, we have, for example, a product process that allows a recovery key to be split into several parts.

From there, the individual parts of the recovery key can be distributed to different security agents. Owners must be present when it is used. This process is simple, but secure, because it requires several parties to recreate the key.

What’s more, forgotten passwords can have an additional impact on the support team. The process must therefore not only be simple, but also flexible. Remote and off-network employees need to be considered as well as internal ones. In this case, remote key recovery is an indispensable feature.
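The split recovery key described above, where several custodians must each contribute their part before the key can be recreated, is the classic threshold-sharing problem. The following is an added example, not Eval's product code: it implements Shamir's secret sharing over a prime field, with the threshold, share count, field prime and sample key chosen as assumptions for the demonstration, plus a fingerprint check so that an attempt with too few or mismatched parts is detected instead of silently yielding a wrong key.

```python
"""Split a recovery key among several custodians (added example, not Eval's code)."""
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Field prime: 2^521 - 1 (a Mersenne prime). Assumed here; it comfortably holds
# a 256-bit key as a single field element.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, y): one custodian's part, a point on the polynomial


def split_key(key: bytes, threshold: int, shares: int) -> List[Share]:
    """Split `key` into `shares` parts so that any `threshold` of them rebuild it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points: List[Share] = []
    for x in range(1, shares + 1):  # x = 0 is never handed out: it is the secret
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_key(parts: List[Share], key_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the supplied parts."""
    xs = [x for x, _ in parts]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    secret = 0
    for i, (xi, yi) in enumerate(parts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(parts):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        basis = num * pow(den, -1, PRIME) % PRIME
        secret = (secret + yi * basis) % PRIME
    # Too few or mismatched parts give a random field element; most of those do
    # not even fit the key length, which is the first sign something is wrong.
    if secret >= 1 << (8 * key_len):
        raise ValueError("reconstructed value does not fit key length: wrong or too few shares")
    return secret.to_bytes(key_len, "big")


def key_fingerprint(key: bytes) -> str:
    """Hash stored alongside the shares so a recovery can be verified."""
    return hashlib.sha256(key).hexdigest()


def verify_key(candidate: bytes, fingerprint: str) -> bool:
    """Constant-time comparison of a recovered key against the stored fingerprint."""
    return hmac.compare_digest(key_fingerprint(candidate), fingerprint)


def main() -> None:
    key = secrets.token_bytes(32)          # constructed sample: a 256-bit master key
    fp = key_fingerprint(key)
    parts = split_key(key, threshold=3, shares=5)   # five custodians, three needed
    rebuilt = recover_key([parts[0], parts[2], parts[4]], len(key))
    print("3 of 5 custodians present, key verified:", verify_key(rebuilt, fp))
    try:
        recover_key(parts[:2], len(key))   # only two custodians: must not succeed
        print("2 of 5 gave a candidate; fingerprint check rejects it")
    except ValueError as exc:
        print("2 of 5 custodians rejected:", exc)


if __name__ == "__main__":
    main()
```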

Best practices for proper key management

When dealing with key management problems, who can organizations turn to for help?

The specifics of proper key management are largely dealt with by cryptographic software, where standards and best practices are well established.

In addition, bodies such as the National Institute of Standards and Technology (NIST) and the Brazilian Public Key Infrastructure (ICP-Brasil) develop standards for government agencies that can be applied in any business community. This is usually a good starting point when discussing encryption products with your suppliers.

In the meantime, here are some industry best practices to get you started:

  • The usability and scalability of proper corporate key management should be the main focus of product analysis. The ability to leverage existing assets must play an important role in decision-making. Integration with an authentication environment will reduce costs and eliminate the need for redundant systems;

  • Two-factor authentication is a necessary security measure for financial organizations. Due to the increased processing power and capabilities of today’s computers, the strength of passwords alone is no longer enough.

Control and training

Management means protecting encryption keys from loss, corruption and unauthorized access. Therefore, at the end of the procedures and techniques applied to the management process, it is necessary to guarantee:

  • That the keys are kept securely;

  • That they undergo regular change procedures;

  • That management includes who the keys are assigned to.

Once the existing keys have been controlled, the policies and processes for provisioning, monitoring, auditing and termination need to be rigorously applied. For this reason, the use of automated tools can greatly ease the burden of responsibility.

Finally, information security professionals, infrastructure professionals, database professionals, developers and other professionals who need to use encryption keys should be trained, as a lack of awareness of the risks of protection failures is one of the main factors in problems.

If there is no control over access, there will be no security.

For more tips on proper key management and other more strategic topics for information security and data protection, subscribe to our newsletter and stay up to date!


General Data Protection Law and its impact on the financial sector

Recently approved by Congress, the General Data Protection Law (LGPD) aims to make companies more transparent. It also intends to expand data subjects’ privacy rights.

Basically, Brazilian legislation follows the General Data Protection Regulation (GDPR), which came into force in Europe in May 2018.

The LGPD is a very significant law when it comes to the confidentiality requirements governing financial services institutions and other types of business processes that must protect users’ personal data.

Learn more about the LGPD and its main impacts on the financial market.

The LGPD, a major change in data protection and privacy

The LGPD was conceived with the aim of defining data privacy guidelines throughout Brazil. In this way, it aims to protect and give Brazilians the right to data confidentiality.

The LGPD is the most important Internet bill since the regulatory framework. In addition, it must be followed by all companies that process the personal data of residents in Brazil. It defines the procedures for collecting information, storing it, securing it and how it is processed and used.

Following the presidential approval and sanction of PLC 53/2018, the General Data Protection Law is going through a period of awareness and adoption by companies and should come into force at the beginning of 2020.

According to the LGPD, data processing will only be allowed under the following conditions:

  • The express consent of the data subject is required for the processing of personal data;
  • For the performance of a contract with the data subject or to take steps to enter into a contract;
  • To fulfill a legal obligation;
  • To protect the vital interests of a data subject or another person;
  • The processing will be necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority;
  • For the legitimate interests of the controller or a third party. Except where such interests are overridden by the interests, rights or freedoms of the data subject.

After the LGPD comes into force, if any company fails to comply with the law, the legal consequences could include fines and the company could have its activities suspended, in whole or in part.

In addition, where appropriate, companies can be held liable for other violations provided for by law.

LGPD and its consequences for the financial market

Failure to comply with the new Brazilian legislation results in major regulatory penalties, reputational damage and loss of consumer confidence.

For this reason, the damage done to the prestige of companies in the market is of greater concern than the financial impact of non-compliance with the new legislation.

The solution for financial institutions is to address the LGPD as a priority, allocating the necessary resources and flexibility to comply with any new regulatory requirements or one-off issues.

A comprehensive approach provides the financial market with the visibility needed to establish a clear understanding of the personal data held by the company. It also guarantees the ability to respond to requests to completely delete data when it is no longer useful.

Considering the scope of data privacy, the LGPD prohibits the processing of personal data for the purpose of unlawful or abusive discrimination.

For the financial market, this type of scenario can happen when the cross-referencing of information on a specific person or group is used to support commercial decisions, such as the consumption profile for the dissemination of offers of goods or services.


The General Data Protection Law also applies to foreign companies

The LGPD applies to data processing operations carried out in Brazil or abroad. If the information is collected on national territory, it is subject to the law.

This means that if a financial company or even Google collects data from a user here but processes it in the United States, for example, it will have to follow the General Data Protection Law.

According to the new legislation, the company can still transfer the data to a foreign subsidiary or headquarters. However, the destination country must also have comprehensive data protection and privacy laws. Another option is for the other government to guarantee treatment mechanisms equivalent to those required in Brazil.

Citizens’ rights are preserved

The LGPD was unquestionably created to protect every citizen and their right to the confidentiality of their personal information. But the law also guarantees two fundamental aspects regarding the use of information in financial and online transactions:

  • Obligation on companies to notify in the event of a data breach;
  • The right to be forgotten.

The aim of the legislation is to protect citizens’ right to confidentiality and data privacy. In this way, it gives consumers the right to request that their personal information be consulted by financial institutions and, likewise, to request its deletion without requiring external authorization.

These queries allow, for example, financial institutions to retain certain data if it is necessary for compliance purposes and other legislation. However, in the absence of a valid justification, the person’s right to be forgotten prevails.

This will be a major challenge for financial institutions and other companies focusing on the digital market.

For many organizations, the difficulty will be implementing the data management practices needed to respect the right to be forgotten and the demand for greater transparency and coordination in all market segments.
