On October 4, 2021, the Brazilian National Data Protection Authority (“ANPD”) published an Information Security Guidance for Small Businesses that Process Personal Data, as well as a checklist suggesting measures to be adopted by such businesses. Both documents are addressed to controllers and processors who, due to their size and possible limitations, often do not have employees specialized in information security and need to improve it with regard to their processing of personal data.
The new documents developed by the ANPD are in line with art. 55-J, XVIII of the LGPD, which provides for the issuance of simplified and differentiated standards, guidelines and procedures for micro and small businesses, as well as for companies that declare themselves startups or innovation companies, in order not only to facilitate, but also to encourage compliance with the law by these companies. In addition, the Guide seeks to protect not only the rights of personal data subjects, considering the risk involved in the processing and the damage that a possible data leak could cause, but also small-sized controllers and processors from the high financial impact of a breach of the LGPD guidelines.
The Information Security Guide seeks to comply with the Security Principle, provided for in Article 6, VII of the LGPD, which consists of the use of technical and administrative measures capable of protecting personal data from unauthorized or illegal access. More specifically, the Law establishes in its articles 46 to 49 that controllers and processors must: (i) guarantee the security of personal data, even after the end of its processing; (ii) report security incidents to the National Authority and to the data subject; and (iii) have security systems structured in accordance with the standards of good practices and governance and the general principles of the Law.
Therefore, the Guide and Checklist suggest information security measures capable of promoting a safer institutional environment at small-sized controllers and processors. Such measures are divided into:
- administrative measures;
- technical measures;
- measures related to the use of mobile devices; and
- measures related to cloud services.
Among the administrative measures, the creation of an Information Security Policy stands out. Its main purpose is to be a tool that supports the implementation of a structured process of information security, considering the business and size of each organization. In addition, the importance of awareness campaigns and training of employees of processing agents is mentioned, as well as the inclusion of information security clauses to ensure adequate protection of personal data in relevant contracts.
The technical measures, on the other hand, include access controls, to ensure that personal data is accessed only by authorized personnel; ensuring that only personal data strictly necessary for the fulfillment of the processing purpose is collected; and communications security through the management of network traffic. They also include maintaining a vulnerability management program, keeping systems and applications up to date with the latest versions, and adopting anti-virus software.
Measures related to the use of mobile devices are similar to the access control procedures for other IT equipment, and also cover the use of multi-factor authentication; features that allow personal data on the device to be erased remotely; keeping devices in safe places when not in use; and separating mobile devices for private use from those for institutional use.
Finally, considering the growing use of cloud data storage, ANPD suggests the execution of service level agreements that cover the security of stored data and the assessment of whether the service provided meets the requirements defined by the controller.
The measures presented therein are not exhaustive and should be complemented by others that might be needed to promote the security of the organization's information flow.
It should be noted that several important issues regarding the application of the LGPD to small businesses must still be regulated by means of an ANPD Resolution, whose draft was open to public consultation until October 14, 2021. The issuance of the official version of the Resolution is expected after the National Authority has considered all received contributions.
However, another important Resolution was issued by the Authority less than a month after the Guidance was published. On October 29, 2021, the Resolution approving the Regulation of the Monitoring Process and the Sanctioning Administrative Proceeding by the ANPD Board of Directors was published, as Resolution CD/ANPD No. 1, which entered into force on the same day and will have its first monitoring cycle from January 2022. The main objective of the Regulation is to establish the procedures inherent to the monitoring process, as well as the rules that must be observed in the scope of sanctioning administrative proceedings by the ANPD.
Among the new rules, some of the most important are:
- the counting of deadlines in the administrative process, which will be counted in business days, excluding the start day and including the due date;
- the means by which administrative acts will be carried out, including subpoenas, which will preferably be carried out electronically;
- the premises of monitoring by the National Authority, which consist of (i) prioritizing actions based on evidence and regulatory risks, with a focus and orientation towards results; (ii) encouraging direct conciliation between the parties and prioritizing the resolution of the problem and the repair of damages by the controller; (iii) a minimum intervention requirement in the imposition of administrative constraints on the processing of personal data; (iv) encouraging accountability by processing agents; (v) acting in a responsive manner, with the adoption of measures proportional to the identified risk and the approach of the regulated agents, among others;
- the process of receiving requests and reports, which, in addition to considering its admissibility requirements, must also verify whether the petition of the data subject is accompanied by evidence that it was previously submitted to the controller and not resolved within the period established by regulation;
- the possibilities of guiding and preventive activities that may be applied by the ANPD, including suggested training, implementation of a Privacy Governance Program and preparation of a compliance plan;
- the General Monitoring Coordination, responsible for first-level decisions, and the possibility of filing an administrative appeal to the Board of Directors, as the highest administrative level; and
- the possibility of signing a Conduct Adjustment Agreement, which, once signed, suspends the administrative proceeding.
For more information, please contact Saud Advogados.