Solidatus for LGPD, THE BRAZILIAN DATA PROTECTION LAW
Organisational compliance is costly, time-consuming and complex. The new legal framework protecting the use of personal information of Brazilian individuals applies to all organisations holding this data. The Solidatus Data Privacy Module provides a digitised version of LGPD that enables an organisation to directly link regulatory clauses against their processes, the people who interact with them and the data that is generated and utilised by them, accelerating the assessment of impact on the business.
Using Solidatus, an organisation can gain valuable insight into its data landscape where it relates to LGPD and other global data privacy regulations. The software enables an organisation to discover, document, catalog, visualise and analyse its data and its lineage to understand what data it holds, what type of data it has, who uses it for what purpose, and how it moves through its systems. This transparency enables the complex compliance process to be completed in up to 60% less time, saving considerable costs.
The module also allows organisations to track changes in the regulation over time to automatically assess the impact of regulatory change. It also allows businesses to create a common taxonomy of several data privacy regulations such as GDPR, PDPA, CCPA, LGPD and the India Data Protection Bill, to allow for simplification of implementation and re-use of regulatory work product, compounding the savings and accelerating the return on investment.
Organisations can additionally compare privacy regulations across several dimensions including scope and jurisdiction.
Demonstrate PIA risk
Solidatus helps demonstrate to the regulator how and when Privacy Impact Assessments (PIA) were conducted and prove how information is collected, stored, used, deleted, and who has access to it. It also clearly shows that data privacy is a key consideration for future change.
Visualise and map Metadata
Data flow can be mapped out to visualise each contact point, and ownership can then be assigned. Once an organisation has this knowledge, it can quickly and confidently fulfil a ‘Right to Erasure’ request, knowing that it has removed the data from every possible place it has been held.
Through its collaborative crowdsourcing model, Solidatus allows for quick and effective enterprise-wide identification of where personal information is held. It gives all departments the ability to gain and share a clear understanding of exactly where data is and how it’s being used in business and IT processes.
Proactive approach to compliance
Solidatus enables companies to prove to the regulator that they are taking a proactive approach to LGPD, documenting and auditing their data landscape and privacy impact assessments. Solidatus can quickly discover, document and share models, simplifying the process of being compliant.
LGPD’s 10 key principles:
- Purpose limitation: The user must be informed of the purpose of collecting data.
- Adequacy: The data must be processed in accordance with the purpose declared by the company.
- Necessity: The organisation may only request the information necessary for the fulfilment of its purpose.
- Free access: The data subject has the right to know the form and duration for which their data will be used.
- Quality of data: The company will be responsible for maintaining correct and updated information.
- Transparency: The data subject must receive a notice with a detailed list of how their personal data can be used and the information shared by the company must be explicit and true.
- Security: Companies must protect personal data through procedures and technologies to ensure that only authorised people have access to such data.
- Prevention: Companies should be proactive in the prevention of problems rather than reactive.
- Non-discrimination: Personal data can never be used for unlawful or abusive discriminatory purposes.
- Accountability: Organisations must demonstrate the adoption of measures that are efficient and capable of proving compliance with the rules of personal data protection.
DATA MANAGEMENT, CATALOGING AND LINEAGE ARE VITAL TO LGPD
Data management, data cataloging and data lineage play a vital role in LGPD. By understanding the data, its purpose for use and the mapping of its flow within an organisation, full transparency is available on who, why, when and how it is used. Solidatus helps to build a digital dashboard demonstrating to managers and the regulators how personal data is being used, enabling the right to access to data, rectification, cancellation or exclusion, opposition to treatment, and the right to information and explanation about the use of data.
Appropriate tooling is required to adhere to the principles, make them effective and mitigate the risk of personal data misuse. A solution that is both strategic and operational is required: a digital operational blueprint that allows an organisation to be truly compliant, while enhancing the business’ use of data to meet its obligations.
Solidatus allows organisations to adhere to all ten LGPD principles by providing a tool that can model LGPD data requirements against their data management capabilities and onto their people, processes, policies and data. It provides an end-to-end holistic view of data governance and a more group-wide view of data sharing while remaining compliant.
A significant right of LGPD is the ‘right to data portability’, allowing a data subject not only to request an entire copy of their data but also to have it provided in an interoperable format. This right will require significant IT investment from organisations to achieve. Utilising Solidatus, the complexity, costs and time to compliance are significantly reduced.
LGPD, THE BRAZILIAN GENERAL DATA PROTECTION LAW
The aim is to not only guarantee individual rights but also to foster economic, technological and innovative development through clear, transparent and comprehensive rules for the adequate use of personal data.
LGPD aligns the existing legislation to the new international standard set by the EU’s General Data Protection Regulation (GDPR). LGPD will have extraterritorial application where the duty of compliance exceeds the geographical limits of Brazil. Therefore, any foreign company that has at least a branch in Brazil, or offers services to the Brazilian market and collects and treats personal data of data subjects located in the country, regardless of their nationality, will be subject to the new law.