The General Personal Data Protection Act¹ (LGPD) is the Brazilian law that regulates the processing of personal data. It was sanctioned on 14 August 2018 and entered into force 18 months after its publication.
Thus, Brazil became one of the countries that have specific legislation for the data protection and privacy of their citizens. Brazil’s law is similar to the EU General Data Protection Regulation (GDPR), which became mandatory on 25 May 2018 and is applicable to all EU countries.
Application of the Law
The LGPD applies to natural or legal persons governed by public or private law, regardless of medium, country of headquarters or the country where the data are located, provided that:
- The treatment operation is carried out in the national territory.
- The purpose of the processing activity is to offer or provide goods or services or to process data of individuals located in the national territory.
- The personal data, object of the processing, have been collected in the national territory.²
The LGPD does not apply when the treatment operation is performed by a natural person for exclusively private and noneconomic purposes, nor when it is carried out for purposes related to journalism and the arts, academics, national defense, state security, or the investigation and prosecution of criminal offenses.
Data Principles and Types
The law was built on various principles relating to the collection, use and processing of data. Those principles include:
- Finality—What is the purpose of the use of private data, to be declared by the holder
- Adequacy—Use of data according to the finality declared by the holder
- Need—The use of data must be limited to the minimum necessary, according to the finality declared by the holder
- Transparency—Information about the data must be clear and easily accessible to the holder
- Safety—Protection of the data must be provided
- Prevention—Specific measures to prevent any damage to the data must be adopted
- Nondiscrimination—The use of the data to generate any kind of discrimination is prohibited
- Accountability—Enterprises must be in compliance with the law
- Free access—Free and easy consultation by the holder about the form and duration of treatment, as well as about the completeness of his or her personal data, must be guaranteed
- Data quality—Accuracy, clarity, relevance and updating of the data, according to necessity and for the fulfillment of the purpose of their processing, must be guaranteed to the holder
The law applies to two general categories of data:
- Personal data—Information related to an identified or identifiable natural person
- Anonymized data—Unidentifiable holder data
Anonymized data are not considered personal data for the purposes of the law, except when the anonymization process to which the data were submitted is reverted using exclusively the controller’s own means, or when it may be reversed with reasonable efforts. The determination of what is “reasonable” should consider objective factors such as the cost and time required to reverse the anonymization process according to available technologies and the exclusive use of owned technology resources.
Examples of sensitive personal data include racial or ethnic origin, religious belief, political opinion, health or gender, and genetic/biometric data. As these examples imply, personal data may indicate affiliation to a trade union, religion, political view and/or philosophy.
Data Treatment and Organizational Preparation
Understanding the rules surrounding treatment of the personal data requires comprehension of related terms, including “treatment” itself, which encompasses various operations with personal data such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction. Other pertinent terms include:
- Holder—Data owner
- Controller—Data collector
- Operator—Handles on behalf of controller
- Data privacy officer—Channel between controller, holder and authority
- Anonymize—Reasonable means to eliminate direct association of data with a specific holder
- Lockout—Temporary suspension of data treatment
- Deletion—Data deletion
- Consent—Free, informed and unambiguous expression by which the holder agrees to the processing of her or his personal data for a particular purpose.
Consent has strict requirements to make it applicable within the intent and purpose of the law. Indeed, without proper consent, personal data cannot be processed. Consent must be provided in writing or by other means that demonstrate the will of the holder. Where consent is given in writing, it must be set out in a specific clause dealing with consent, and consent shall be provided for specified purposes; generic authorizations for the processing of personal data are void. The burden of demonstrating that consent was obtained lies with the controller.
When the processing of personal data is a condition for the provision of a product or service, the holder must be clearly informed of this fact and the means by which the holder may exercise her or his rights.
There are specific requirements surrounding the treatment of personal data. As noted, data can be treated only upon consent of the holder, or when treatment is required for the controller to comply with a legal or regulatory obligation. Treatment is also allowed in the following cases:
- Where necessary, for the performance of a contract or preliminary contract-related procedures to which the holder is party, at the request of the data subject
- For the protection of health, in procedures performed by health professionals or health entities
- Where necessary to meet the legitimate interests of the controller or third party, except when the fundamental rights and freedoms of the holder that require the protection of personal data prevail. The processing of personal data whose access is public should consider the purpose, good faith and public interest that justify its availability.
Treatment must be concluded when the purpose of the treatment is reached, the agreed treatment period is completed or at the request of the holder. There are exceptions, however, that would override these conditions and support continuation of the treatment. Such instances include:
- Compliance with legal or regulatory obligation by the controller
- Existence of a study by a research body that ensures, where possible, anonymization of personal data
- Necessity of a transfer to a third party, provided that the data processing requirements of the law are respected
- Exclusive use of the controller (access by third parties is not allowed), provided the data are anonymized
Most organizations need to take some preparatory actions to comply with the LGPD. Some organizations will require more adjustments than others. At a minimum, it is recommended that each organization appoint trusted advisors. These individuals are partners who truly understand the needs of the business and can support the organization from awareness to data mapping, and with the technical and operational implementation of new concepts. It is also recommended that each organization implement a data privacy management system (DPMS).
Penalties
Failure to comply with the law may cause the organization to incur various penalties, as outlined in the law’s Article 52.³ Penalties range from corrective or punitive measures to monetary fines, as follows:
- A warning, indicating the time limit for the adoption of corrective measures
- A fine of up to 2% of the revenues of the legal entity under private law, group or conglomerate in Brazil in its last financial year, excluding taxes, limited in total to R$50 million per infringement (equivalent to approximately US$12 million)
- A daily fine, subject to the total limit referred to in the previous bullet
- Publication of the infraction after its occurrence is duly ascertained and confirmed
- Blocking of the personal data to which the infringement refers until the data’s regularization
- Deletion of the personal data to which the infringement relates
Data Privacy Management System
The DPMS was created to explain how the enterprise should handle private data in order to comply with the law. It consists of 5 phases, described in this section.
Phase 1: Preparation
Goal—Prepare the organization for the privacy of its data.
Objectives—Analyze personal data and privacy (PD&P) requirements and their impacts; identify relevant laws, regulations, and standards; and establish an action plan.
Steps and actions:
- Conduct a privacy analysis.
- Identify laws relevant to the subject.
- Analyze the impact on privacy.
- Perform an audit and initial evaluations of data.
- Establish and organize a data governance approach.
- Establish the flow and inventory of personal data.
- Establish the privacy program.
  - Privacy training plan—Establish the best form of communication and identify the aspects that should be addressed with all employees.
- Create a privacy awareness plan.
- Base the strategy on a risk assessment in relation to privacy.
- Create a mission, vision and value statement in relation to privacy.
- Define the scope of the privacy program.
- Establish the data privacy officer (DPO) functions.
- Create detailed strategies to achieve priorities.
- Emphasize the mission in relation to privacy.
- Identify the main objectives in relation to privacy.
- Define detailed strategies and controls in relation to privacy.
- Gather pertinent evidence: policies, rules and procedures, among other sources.
- Develop action plans for implementation.
Outcome—An organization prepared to be more efficient in handling and managing risk and minimizing impacts on data protection and privacy in the event of any breach
Phase 2: Organization
Goal—Establish organizational structures and mechanisms for the organization’s privacy needs.
Objectives—Prepare and configure the privacy program and engage with all relevant stakeholders.
Steps and actions:
- Maintain the PD&P governance program, policies and controls.
- Assign and maintain responsibilities in relation to privacy (using a responsible, accountable, consulted, informed [RACI] matrix).
- Manage the involvement of top management. Organizations that involve top management may achieve better results in complying with the LGPD. This support may include:
  - Sponsoring all data protection and privacy issues at a board meeting, presidency, etc.
  - Communicating the importance of data protection and privacy to all employees, partners and third parties
  - Participating effectively in data protection and privacy initiatives
  - Ensuring adequate resources to support data protection and privacy activities
- Maintain the commitment to privacy.
- Manage the communication process.
- Manage stakeholder involvement.
- Implement and operate automated privacy systems. This may involve:
  - Verifying original and backup files using hash algorithms
  - Encrypting data in transit and/or stored data
  - Providing a centralized data management compliance interface
  - Generating a backup success and failure report
  - Measuring and reporting on compliance with relevant laws
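The first and fourth items above (hash verification of original and backup files, and a backup success/failure report) can be automated with a small script. The following is an added example, not code from the article or from ISACA: it builds a SHA-256 manifest of an original directory, verifies a backup directory against that manifest, and renders the result as a success/failure report. The directory layout, file names, file contents and function names (`build_manifest`, `verify_backup`, `format_report`, `demo`) are constructed for the example.

```python
"""Added example: verify backup copies against originals with SHA-256.

Builds a digest manifest of an original tree, checks a backup tree against
it, and produces a success/failure report. All paths, file contents and
function names are constructed for this example.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB chunks so large files do not fill memory


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare the backup tree with the manifest of the originals.

    'ok'        : digest matches
    'mismatch'  : file present but digest differs (corrupted or modified)
    'missing'   : file listed in the manifest but absent from the backup
    'unexpected': file present in the backup but not in the manifest
    """
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        candidate = backup_root / rel
        if not candidate.is_file():
            result["missing"].append(rel)
        elif sha256_of(candidate) != expected:
            result["mismatch"].append(rel)
        else:
            result["ok"].append(rel)
    for p in sorted(backup_root.rglob("*")):
        rel = str(p.relative_to(backup_root))
        if p.is_file() and rel not in manifest:
            result["unexpected"].append(rel)
    return result


def format_report(result: dict[str, list[str]]) -> str:
    """Render the verification result as a short success/failure report."""
    failed = bool(result["mismatch"] or result["missing"])
    lines = ["BACKUP VERIFICATION: " + ("FAILURE" if failed else "SUCCESS")]
    for key in ("ok", "mismatch", "missing", "unexpected"):
        lines.append(f"  {key:<10} {len(result[key])}")
        lines.extend(f"    {rel}" for rel in result[key])
    return "\n".join(lines)


def demo() -> dict[str, list[str]]:
    """Build constructed original/backup trees, then verify the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, backup = Path(tmp) / "original", Path(tmp) / "backup"
        (orig / "hr").mkdir(parents=True)
        (backup / "hr").mkdir(parents=True)
        # constructed sample files; contents are placeholders, not real data
        files = {
            "hr/employees.csv": b"id,name\n1,Ana\n",
            "hr/consent.log": b"1,2020-01-01,granted\n",
            "readme.txt": b"constructed sample\n",
        }
        for rel, data in files.items():
            (orig / rel).write_bytes(data)
            (backup / rel).write_bytes(data)
        # simulate one corrupted copy and one copy that was never written
        (backup / "hr/consent.log").write_bytes(b"1,2020-01-01,denied\n")
        (backup / "readme.txt").unlink()
        manifest = build_manifest(orig)
        result = verify_backup(manifest, backup)
        print(format_report(result))
        return result


if __name__ == "__main__":
    demo()
```

The manifest should be produced at backup time and stored (ideally signed) separately from the backup media; a verification that reads its reference digests from the same copy it is checking cannot detect a copy that was altered together with its manifest. The report marks the run as a failure on any mismatch or missing file, which is the signal a backup success/failure report needs to carry to the DPO and operations staff.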
Outcome—Establishment of an organizational structure focused on privacy
Phase 3: Development
Goal—Develop and implement research and development (R&D) measures and controls.
Objectives—Prepare a data classification system, and develop and implement policies, procedures and controls.
Steps and actions:
- Develop and implement strategies, plans and policies.
- Implement approval procedures for processing personal data.
- Create a database for personal data.
- Develop and implement a cross-border data transfer system.
- Perform PD&P integration activities.
- Execute the PD&P training plan. Organizations should train their employees to better implement data protection and privacy in all their programs, systems, projects and functions. This plan includes:
  - Conducting ongoing data privacy training by the DPO
  - Performing basic privacy training for staff
  - Performing additional privacy training for new situations
  - Maintaining data privacy awareness
  - Maintaining professional data privacy certification for privacy personnel
  - Measuring data privacy awareness and training activities
- Implement data security controls.
Phase 4: Governance
Goal—Establish privacy governance mechanisms.
Objectives—Develop and configure governance structures, such as the privacy program and DPO; build the involvement and commitment of all stakeholders; and report all privacy issues, with a goal of continuous improvement.
Steps and actions:
- Implement practices to manage the use of personal data.
- Keep privacy alerts about personal data.
- Execute a plan of requests, complaints and rectifications.
- Perform a risk assessment of personal data.
- Issue privacy reports.
- Keep updated documentation.
- Establish and maintain a data breach plan and response.
Outcome—Establishment of the best governance structure regarding data protection and privacy
Phase 5: Assessment and Continuous Improvement
Goal—Evaluate and improve all specific aspects of the organization's privacy.
Objectives—Monitor the operation and resolution of all privacy matters, regularly assess compliance with internal processes and policies, and improve data protection and privacy measures.
Steps and actions:
- Perform an internal audit:
  - The internal audit department must regularly assess whether the organization is in compliance with internal data protection and privacy policies and operational processes.
  - The privacy audits and assessments are to be used to inform and guide the privacy department’s decisions to create or update policies, design or adapt procedures, conduct training, or participate in other activities to minimize risk and comply with internal or external privacy requirements.
  - The scope of this privacy audit activity should cover the privacy department’s role in participating in privacy audits and responding to findings, and in performing audits of all personal data held in electronic form or contained in a structured manual filing system.
  - Audits are to be conducted based on an audit methodology, an audit program and a set of privacy questionnaires.
- Hire an external entity for evaluations.
- Conduct evaluations and set benchmarks.
- Perform a data protection impact assessment (DPIA).
- Treat the risk.
- Generate a risk and result analysis report.
- Monitor laws and regulations.
Outcome—Generation of audit reports, a gap analysis and a continuous improvement plan
COBIT 2019 Approach
Considering the governance approach and applying COBIT® 2019 as the appropriate framework, it is necessary to map the most relevant governance/management objectives (processes) in view of the objective of compliance with the law.
This discussion uses the COBIT 2019 Design Guide and Toolkit: Designing an Information and Technology Governance Solution.
Design Factors
Figure 1 illustrates the design factors defined in COBIT 2019. For each design factor, the baseline values and the results provided by the spreadsheet are shown.
Figure 1—COBIT 2019 Design Factors
Prioritized Governance/Management Objectives
An importance rating can be derived for each of COBIT 2019’s governance/management objectives, as illustrated in figure 2.
Figure 2—Importance Rating for Governance/Management Objectives
Priorities for Investment on Process Improvement
Based on figure 2, resulting from the application of the Design Factors method, 4 matrices were created to represent high, medium, low and no priority for investments in maturity improvement (figures 3, 4, 5 and 6).
Figure 3—High Priority for Investments in Maturity Improvement
Figure 4—Medium Priority for Investments in Maturity Improvement
Figure 5—Low Priority for Investments in Maturity Improvement
Figure 6—No Priority for Investments in Maturity Improvement
Obviously, this prioritization takes into account only the organization's goal of LGPD compliance. Other motivating factors (pain points and triggers) may change this picture, but they are not the object of this analysis.
Conclusion
The process investment priorities should be used to develop a gap analysis procedure that considers all processes to determine the current state of each one. Based on the gaps identified by the analysis, process improvement projects can be developed and implemented. These activities will help organizations raise the level of maturity of their practices and be more prepared for LGPD compliance.
Andre Pitkowski, CRISC, CGEIT, COBIT Foundation Trainer, CRMA, ISO 27001 LA, ISO 31000 LA, OCTAVE, DPO, Scrum PSM
Has been a member of ISACA® since 2003. He served as international vice president from 2015-2017, president of the ISACA Sao Paulo Chapter (Brazil) from 2013-2019, and director of the chapter from 2003-2006. He is also a member of the ISACA Framework Committee, and a subject matter expert and CSX liaison for Brazil. He has more than 25 years of experience as a senior consultant in corporate governance of IT, IT risk assessment projects and compliance, and as an instructor and guest lecturer in governance risk and compliance (GRC) in Brazil and internationally. He works on projects that seek to align IT to the business goals of its clients, with business cases presented internationally. He can be reached at http://www.linkedin.com/in/andrepitkowski.
Orlando Tuzzolo, CRISC, CISM, CGEIT, COBIT 5 Trainer, ITIL v3
Is the chief financial officer of the ISACA São Paulo Chapter, Brazil. Since 2003, he has been a senior information technology consultant at APIT/Belenus Consultancy specializing in IT governance, information security and IT risk management. He works on and trains in the implementation of information security programs and IT governance projects such as process maturity analysis, gap analysis, implementation and audit of IT controls using the COBIT 2019, COBIT 5, COBIT 4.1 and ITIL v3 frameworks, and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27000 standards. He has provided services in major Brazilian companies. Previously, Tuzzolo held corporate positions at BankBoston and Lloyds Bank in the areas of information security, systems audit and information technology. He also teaches at Senac University (São Paulo, Brazil).
Endnotes
1 International Association of Privacy Professionals, LGPD, Law No. 13.709/2018, Brazil, 2018
2 Ibid.
3 International Association of Privacy Professionals, LGPD, Law No. 13.709/2018, Article 25, Brazil, 2018