Privacy by Design: how to mitigate risks in LGPD process outsourcing

André Cilurzo, Director of Data Privacy and LGPD Compliance, Protiviti Brasil, outlines eight essential actions toward implementing Privacy by Design practices.

With the LGPD (General Data Protection Law), many actions became necessary for companies to comply with this new regulation.

One of the most effective controls in managing risks related to the LGPD is ‘Privacy by Design’, a framework that allows privacy to be implemented from the beginning of the development of products, services, systems, applications or processes involving third parties.

A well-implemented ‘Privacy by Design’ can ensure that the principles of purpose, adequacy and necessity set out in article 6 of the Law are complied with, reduce the risk of improper processing of a person’s data, and minimize the impact of a leak.

For this control to be well implemented, it is essential that the company puts into practice the eight actions shown below.

  • Inventory of the third parties that collect, process and store personal data on behalf of the contracting company.
  • Third-party risk assessment, understanding potential threats to data privacy and security, as well as sharing factors, access to personal data, and security controls in place at the contracted company.
  • Third-party selection and approval process considering that privacy and data security risks are mitigated through certifications, security regulations, privacy controls and policies, and the process of storing logs and audit trails in systems that store and transact personal data.
  • Specific privacy and security clauses in contracts with third parties, establishing that only the minimum personal data necessary may be collected, processed and stored, as well as the responsibilities of the parties involved and the measures to be taken in the event of a data breach.
  • Minimal and limited third-party access to data, together with a continuous program to reduce data that is not essential to the existing purposes, so that only the information strictly necessary to carry out the contracted activities is processed for the duration of the contract. In addition, after the term or termination of the contract, the third party must take anonymization measures in relation to the contractor’s data.
  • Continuous monitoring and regular audits to verify that third parties are complying with contractual requirements and dealing exclusively with what is essential and necessary to achieve the contracted purpose.
  • Training and awareness for third-party professionals who will have access to the company’s personal data to understand the risks, responsibilities and impacts related to data processing.
  • Continuous review and evaluation of the data elements collected whenever there is a change in the processing process by the contracted third party – always aiming to collect the minimum necessary.

By adopting ‘Privacy by Design’ practices in contracting and relating to third parties, companies can significantly reduce the risks associated with sharing data with external entities, ensuring the privacy and security of their clients’ and professionals’ data.

In addition, this will contribute to building a solid and responsible reputation with regard to the data-subject rights established by the LGPD.
