INDUSTRY NEWS
How COBIT 2019 Supports the Brazilian GDPR
Authors: Andre Pitkowski, CRISC, CGEIT, COBIT Foundation Trainer, CRMA, ISO 27001 LA, ISO 31000 LA, OCTAVE, Scrum PSM, and Orlando Tuzzolo, CRISC, CISM, CGEIT, COBIT 5 Trainer, ITIL v3
Date Published: 13 April 2020
The General Personal Data Protection Act[1] (LGPD) is the Brazilian law that regulates the processing of personal data. It was sanctioned on 14 August 2018 and entered into force 18 months after its publication.
Thus, Brazil became one of the countries that has specific legislation for data protection and privacy of its citizens. Brazil’s law is similar to the EU General Data Protection Regulation (GDPR), which became mandatory on 25 May 2018 and is applicable to all EU countries.
Application of the Law
The LGPD applies to natural or legal persons governed by public or private law, regardless of medium, country of headquarters or the country where the data are located, provided that:
The treatment operation is carried out in the national territory.
The purpose of the processing activity is to offer or provide goods or services or to process data of individuals located in the national territory.
The personal data, object of the processing, have been collected in the national territory.[2]
The LGPD does not apply when the treatment operation is performed by a natural person for exclusively private
and noneconomic purposes, such as activities related to journalism and the arts, academics, national defense,
state security, or investigation and prosecution of criminal offenses.
Data Principles and Types
The law was built on various principles relating to the collection, use and processing of data. Those principles
include:
Finality—What is the purpose of the use of private data, to be declared by the holder
Adequacy—Use of data according to the finality declared by the holder
Need—The use of data must be limited to the minimum necessary, according to the finality declared by the holder
Transparency—Information about the data must be clear and easily accessible to the holder
Safety—Protection of the data must be provided
Prevention—Specific measures to prevent any damage to the data must be adopted
Nondiscrimination—The use of the data to generate any kind of discrimination is prohibited
Accountability—Enterprises must be in compliance with the law
Free access—Free and easy consultation about the form and duration of treatment, along with the completeness of their personal data, must be guaranteed to the holder
Data quality—Accuracy, clarity, relevance and updating of the data according to necessity and for the fulfillment of the purpose of their processing must be guaranteed to the holder
The law applies to two general categories of data:
1. Personal data—Information related to an identified or identifiable natural person
2. Anonymized data—Data whose holder cannot be identified
Anonymized data are not considered personal data for the purposes of the law, except when the anonymization process to which the data were submitted is reverted using the controller’s own means, or when it could be reversed with reasonable effort. The determination of what is “reasonable” should consider objective factors such as the cost and time required to reverse the anonymization process with the available technologies, and whether only the controller’s own technology resources are used.
Examples of sensitive personal data include racial or ethnic origin, religious belief, political opinion, health or gender, and genetic/biometric data. As these examples imply, personal data may reveal affiliation to a trade union (syndicate), religion, political view and/or philosophy.
Data Treatment and Organizational Preparation
Understanding the rules surrounding treatment of the personal data requires comprehension of related terms, including “treatment” itself, which encompasses various operations with personal data such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, archiving, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction. Other pertinent terms include:
Holder—Data owner
Controller—Data collector
Operator—Handles data on behalf of the controller
Data privacy officer—Channel between controller, holder and authority
Anonymize—Reasonable means to eliminate direct association of data with a specific holder
Lockout—Temporary suspension of data treatment
Deletion—Data deletion
Consent—Free, informed and unambiguous expression by which the holder agrees to the processing of her or his personal data for a particular purpose
Consent has strict requirements to make it applicable within the intent and purpose of the law. Indeed, without proper consent, personal data cannot be processed. Consent must be provided in writing or by other means that demonstrate the will of the holder. There must be a specific clause in the consent terms dealing with consent, and consent shall be provided for specified purposes; generic authorizations for the processing of personal data are void. The burden of proving consent lies with the controller.
When the processing of personal data is a condition for the provision of a product or service, the holder must be
clearly informed of this fact and the means by which the holder may exercise her or his rights.
There are specific requirements surrounding the treatment of personal data. As noted, data can be treated only upon consent of the holder (consent is not required where treatment is necessary for the controller to comply with a legal or regulatory obligation). Treatment is also allowed in the following cases:
Where necessary, for the performance of a contract or preliminary contract-related procedures to which the
holder is party, at the request of the data subject
For the protection of health, in procedures performed by health professionals or health entities
Where necessary to meet the legitimate interests of the controller or third party, except when the
fundamental rights and freedoms of the holder that require the protection of personal data prevail. The
processing of personal data whose access is public should consider the purpose, good faith and public
interest that justify its availability.
Treatment must be concluded when the purpose of the treatment is reached, the agreed treatment period is
completed or at the request of the holder. There are exceptions, however, that would override these conditions
and support continuation of the treatment. Such instances include:
Compliance with legal or regulatory obligation by the controller
Existence of a study by a research body that ensures, where possible, anonymization of personal data
Necessity of a transfer to a third party, provided that the data processing requirements of the law are
respected
Exclusive use of the controller (access by third parties is not allowed), provided the data are anonymized
Most organizations need to take some preparatory actions to comply with the LGPD. Some organizations will
require more adjustments than others. At a minimum, it is recommended that each organization elect trusted
advisors. These individuals are partners who truly understand the needs of the business and can support the
organization from awareness to data mapping, and with the technical and operational implementation of new
concepts. It is also recommended that each organization implement a data privacy management system
(DPMS).
Penalties
Failure to comply with the law may cause the organization to incur various penalties, as outlined in the law’s Article 52.[3] Penalties range from corrective or punitive measures to monetary fines, as follows:
A warning, indicating the time limit for the adoption of corrective measures
A fine of up to 2% of the revenues of the legal entity under private law, group or conglomerate in Brazil in its last financial year, excluding taxes, limited in total to R$50 million per infringement (equivalent to approximately US$12 million)
A daily fine, subject to the total limit referred to in the previous bullet
Publication of the infraction after its occurrence is duly ascertained and confirmed
Blocking of the personal data to which the infringement refers until the data’s regularization
Deletion of the personal data to which the infringement relates
Data Privacy Management System
The DPMS was created to explain how the enterprise should handle private data in order to comply with the law.
It consists of 5 phases, described in this section.
Phase 1: Preparation
Goal—Prepare the organization for the privacy of its data.
Objectives—Analyze personal data and privacy (PD&P) requirements and their impacts; identify relevant laws,
regulations, and standards; and establish an action plan.
Steps and actions:
1. Conduct a privacy analysis.
2. Identify laws relevant to the subject.
3. Analyze the impact on privacy.
4. Perform an audit and initial evaluations of data.
5. Establish and organize a data governance approach.
6. Establish the flow and inventory of personal data.
7. Establish the privacy program.
7.1 Privacy training plan
Establish the best form of communication and identify the aspects that should be addressed with all
employees.
Create a privacy awareness plan.
7.2 Privacy strategy
Base the strategy on a risk assessment in relation to privacy.
Create a mission, vision and value statement in relation to privacy.
Define the scope of the privacy program.
Establish the data privacy officer (DPO) functions.
Create detailed strategies to achieve priorities.
7.3 Privacy program
Emphasize the mission in relation to privacy.
Identify the main objectives in relation to privacy.
Define detailed strategies and controls in relation to privacy.
Gather pertinent evidence: policies, rules and procedures, among other sources.
8. Develop action plans for implementation.
Outcome—An organization prepared to be more efficient in handling and managing risk and minimizing impacts on data protection and privacy in the event of any breach
Phase 2: Organization
Goal—Establish organizational structures and mechanisms for the organization’s privacy needs.
Objectives—Prepare and configure the privacy program and engage with all relevant stakeholders.
Steps and actions:
1. Maintain the PD&P governance program, policies and controls.
2. Assign and maintain responsibilities in relation to privacy (using a responsible, accountable, consulted,
informed [RACI] matrix).
3. Manage the involvement of top management. Organizations that involve top management may achieve
better results in complying with the LGPD. This support may include:
Sponsoring all data protection and privacy issues at a board meeting, presidency, etc.
Communicating the importance of data protection and privacy to all employees, partners and third
parties
Participating effectively in data protection and privacy initiatives
Ensuring adequate resources to support data protection and privacy activities
4. Maintain the commitment to privacy.
5. Manage the communication process.
6. Manage stakeholder involvement.
7. Implement and operate automated privacy systems. This may involve:
Verifying original and backup files using hash algorithms
Encrypting data in transit and/or stored data
Providing a centralized data management compliance interface
Generating a backup success and failure report
Measuring and reporting on compliance with relevant laws
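The first and fourth items in the list above (hash-based verification of originals against backups, and a backup success/failure report) are concrete enough to show in code. The following is an added example, not code from the article or from ISACA/COBIT: it builds a constructed original/backup directory pair covering every outcome an operator cares about (identical file, altered file, file missing from the backup, file present only in the backup), compares SHA-256 digests, and produces a structured report. The directory names, file contents and report layout are all assumptions made for the demonstration.

```python
"""Hash-based verification of a backup set against its originals.

Added example (not from the article or from ISACA/COBIT). Directory names,
file contents and the report format below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB blocks so large files need not fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(original: Path, backup: Path) -> dict:
    """Compare backup against original and return a structured report.

    Each original file is classified as:
      ok       - present in the backup with an identical digest
      mismatch - present but with a different digest (corrupted or altered)
      missing  - absent from the backup
    Files that exist only in the backup are listed under 'extra': a backup
    holding personal data the original no longer holds is a retention or
    deletion finding, so it also counts as a failure here.
    """
    src, dst = manifest(original), manifest(backup)
    report = {"ok": [], "mismatch": [], "missing": [], "extra": []}
    for rel, digest in src.items():
        if rel not in dst:
            report["missing"].append(rel)
        elif dst[rel] != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(set(dst) - set(src))
    report["success"] = not (report["mismatch"] or report["missing"] or report["extra"])
    return report


def build_demo_tree(base: Path) -> tuple:
    """Create a constructed original/backup pair exercising every outcome."""
    orig, bak = base / "original", base / "backup"
    for d in (orig / "hr", bak / "hr"):
        d.mkdir(parents=True, exist_ok=True)
    (orig / "hr" / "payroll.csv").write_text("id,name\n1,Ana\n")
    (bak / "hr" / "payroll.csv").write_text("id,name\n1,Ana\n")        # identical -> ok
    (orig / "consents.json").write_text('{"1": "marketing"}')
    (bak / "consents.json").write_text('{"1": "marketing", "2": ""}')   # altered -> mismatch
    (orig / "dpia.txt").write_text("draft")                            # not backed up -> missing
    (bak / "old_customers.csv").write_text("id\n9\n")                   # only in backup -> extra
    return orig, bak


def format_report(report: dict) -> str:
    """Render the report as the plain-text summary an operator would review."""
    lines = ["BACKUP VERIFICATION: " + ("SUCCESS" if report["success"] else "FAILURE")]
    for key in ("ok", "mismatch", "missing", "extra"):
        for rel in report[key]:
            lines.append(f"  {key:<8} {rel}")
    return "\n".join(lines)


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, bak = build_demo_tree(Path(tmp))
        return verify_backup(orig, bak)


if __name__ == "__main__":
    print(format_report(run_demo()))
```

In practice the original-side manifest would be computed at backup time and stored with the backup set (ideally signed), so that a later verification compares the restored files against the digests recorded when the copy was made rather than against an original that may itself have changed. Treating "extra" files as a failure is a deliberate choice tied to the LGPD’s deletion and retention rules rather than a general backup convention.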
Outcome—Establishment of an organizational structure focused on privacy
Phase 3: Development
Goal—Develop and implement research and development (R&D) measures and controls.
Objectives—Prepare a data classification system, and develop and implement policies, procedures and controls.
Steps and actions:
1. Develop and implement strategies, plans and policies.
2. Implement approval procedures for processing personal data.
3. Create a database for personal data.
4. Develop and implement a cross-border data transfer system.
5. Perform PD&P integration activities.
6. Execute the PD&P training plan. Organizations should train their employees to better implement data protection and privacy in all their programs, systems, projects and functions. This plan includes:
Conducting ongoing data privacy training by the DPO
Performing basic privacy training for staff
Performing additional privacy training for new situations
Maintaining data privacy awareness
Maintaining professional data privacy certification for privacy personnel
Measuring data privacy awareness and training activities
7. Implement data security controls.
Phase 4: Governance
Goal—Establish privacy governance mechanisms.
Objectives—Develop and configure governance structures, such as the privacy program and DPO; build the involvement and commitment of all stakeholders; and report all privacy issues, with a goal of continuous improvement.
Steps and actions:
1. Implement practices to manage the use of personal data.
2. Keep privacy alerts about personal data.
3. Execute a plan for handling requests, complaints and rectifications.
4. Perform a risk assessment of personal data.
5. Issue privacy reports.
6. Keep updated documentation.
7. Establish and maintain a data breach plan and response.
Outcome—Establishment of the best governance structure regarding data protection and privacy
Phase 5: Assessment and Continuous Improvement
Goal—Evaluate and improve all specific aspects of the organization's privacy.
Objectives—Monitor the operation and resolution of all privacy matters, regularly assess compliance with internal
processes and policies, and improve data protection and privacy measures.
Steps and actions:
1. Perform an internal audit:
The internal audit department must regularly assess whether the organization is in compliance with
internal data protection and privacy policies and operational processes.
The privacy audits and assessments are to be used to inform and guide the privacy department’s
decisions to create or update policies, design or adapt procedures, conduct training, or participate in
other activities to minimize risk and comply with internal or external privacy requirements.
The scope of this privacy audit activity should cover the privacy department’s role in participating in privacy audits and responding to findings, and performing audits of all personal data held in electronic form or contained in a structured manual filing system.
Audits are to be conducted based on an audit methodology, an audit program and a set of privacy
questionnaires.
2. Hire an external entity for evaluations.
3. Conduct evaluations and set benchmarks.
4. Perform a data protection impact assessment (DPIA).
5. Treat the risk.
6. Generate a risk and result analysis report.
7. Monitor laws and regulations.
Outcome—Generation of audit reports, a gap analysis and a continuous improvement plan
COBIT 2019 Approach
Considering the governance approach and applying COBIT® 2019 as the appropriate framework, it is necessary
to map the most relevant governance/management objectives (processes) in view of the objective of compliance
with the law.
This discussion uses the COBIT 2019 Design Guide and Toolkit: Designing an Information and Technology Governance Solution.
Design Factors
Figure 1 illustrates the design factors defined in COBIT 2019. For each design factor, the baseline values and the results provided by the spreadsheet are shown.
Figure 1—COBIT 2019 Design Factors
Prioritized Governance/Management Objectives
An importance rating can be derived for each of COBIT 2019’s governance/management objectives, as illustrated in figure 2.
Figure 2—Importance Rating for Governance/Management Objectives
Priorities for Investment on Process Improvement
Based on figure 2, resulting from the application of the Design Factors method, 4 matrices were created to represent high, medium, low and no priority for investments in maturity improvement (figures 3, 4, 5 and 6).
Figure 3—High Priority for Investments in Maturity Improvement
Figure 4—Medium Priority for Investments in Maturity Improvement
Figure 5—Low Priority for Investments in Maturity Improvement
Figure 6—No Priority for Investments in Maturity Improvement
Obviously, this prioritization takes into account only the organization's goal of LGPD compliance. Other motivating
factors (pain points and triggers) may change this picture, but they are not the object of this analysis.
Conclusion
The process investment priorities should be used to develop a gap analysis procedure that considers all processes to determine the current state of each one. Based on the gaps identified by the analysis, process improvement projects can be developed and implemented. These activities will help organizations raise the level of maturity of their practices and be more prepared for LGPD compliance.
ANDRE PITKOWSKI, CRISC, CGEIT, COBIT FOUNDATION TRAINER, CRMA, ISO 27001
LA, ISO 31000 LA, OCTAVE, DPO, SCRUM PSM
Has been a member of ISACA® since 2003. He served as international vice president from 2015-2017, president
of the ISACA Sao Paulo Chapter (Brazil) from 2013-2019, and director of the chapter from 2003-2006. He is also a
member of the ISACA Framework Committee, and a subject matter expert and CSX liaison for Brazil. He has
more than 25 years of experience as a senior consultant in corporate governance of IT, IT risk assessment
projects and compliance, and as an instructor and guest lecturer in governance risk and compliance (GRC) in
Brazil and internationally. He works on projects that seek to align IT to the business goals of its clients, with
business cases presented internationally. He can be reached at https://www.linkedin.com/in/andrepitkowski.
ORLANDO TUZZOLO, CRISC, CISM, CGEIT, COBIT 5 TRAINER, ITIL V3
Is the chief financial officer of the ISACA São Paulo Chapter, Brazil. Since 2003, he has been a senior information technology consultant at APIT/Belenus Consultancy specializing in IT governance, information security and IT risk management. He works on and trains in the implementation of information security programs and IT governance projects such as process maturity analysis, gap analysis, implementation and audit of IT controls using COBIT 2019, COBIT 5, COBIT 4.1 and ITIL v3 frameworks, and the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27000 standards. He has provided services in major Brazilian companies. Previously, Tuzzolo held corporate positions at BankBoston and Lloyds Bank in the areas of information security, systems audit and information technology. He also teaches at Senac University (São Paulo, Brazil).
Endnotes
1 International Association of Privacy Professionals, LGPD, Law No. 13.709/2018, Brazil, 2018
2 Ibid.
3 International Association of Privacy Professionals, LGPD, Law No. 13.709/2018, Article 25, Brazil, 2018