Brazil: Operationalising the LGPD: Part two - Data mapping & assessments
The advent of a comprehensive data protection law such as the incoming Law No. 13.709 of 14 August, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD') in Brazil requires organisations to react in order to meet its demands. Alan Campos Eliaz Thomas, Partner at AT | Advogados, breaks down some practical steps that can be taken to map data flows through an organisation and subsequently identify any legal gaps in how such data is handled in order to satisfy the provisions of the LGPD.
Seeking compliance with privacy and protection laws, particularly the LGPD, which soon will come into effect, is a challenging task. In this regard, each organisation needs to establish a strategy to implement its privacy governance program and achieve compliance with the new requirements imposed by the LGPD.
To establish a good privacy governance program and achieve the desired level of compliance, the organisation must define its privacy goals before looking into the specifics of the LGPD. While one organisation may set their sights on complying with the minimum regulatory requirements alone, others may find it essential to implement a sophisticated privacy governance program. In a data-driven era, organisations having an excellent governance program are likely to obtain a competitive advantage and improve their pubic reputation. In knowing its goal from the outset, an organisation will be better placed in designing their compliance project and meeting the standards of the LGPD. Each privacy compliance or governance structure should be tailored to the organisation's risks and complexity, regulatory environment, organisational structure, and the available budget, among other things.
This article intends to present some aspects of the compliance process with regards to the LGPD, particularly in the data mapping and assessment phases. Data mapping collects information about data processing activities and flows within the organisation. The assessment identifies the gaps between the current privacy program (if any) and the requirements of applicable law. Such phases are essential so that the organisation duly understands and can design a roadmap for achieving compliance with the LGPD and applicable privacy laws, among other purposes.
Note that there is not a singular way in which data mapping and assessment should be conducted, and this article does not intend to be an exhaustive guide on the subject. Therefore, the content of this article should be understood as briefly informing on some of the aspects of data mapping and assessment. Before looking into data mapping itself, two aspects to consider at the beginning of a compliance project are:
Obtaining top-down engagement
In most cases, successful compliance depends on the allocation of human, financial, and technical resources, as well as on the active engagement of those who participate in the compliance process. Therefore, obtaining awareness and support of shareholders and directors is essential for the process and to obtain appropriate engagement of the ones involved.
Establishing a privacy team
An LGPD compliance project is usually a multidisciplinary project. Many areas of an organisation may process personal data, and those areas go beyond the legal and IT teams. Thus, the work team in the compliance process must include different groups with distinct views of business processes and possible flows of personal data within the organisation. Such units typically include, without limitation, people from the legal department, human resources, marketing, sales, compliance, audit, and IT, among others. While the team must be complete and have a comprehensive view of the business, it should not be so extensive as to sacrifice agility in the process.
Data mapping strategy
Data mapping is critical to identify the source, types, and uses of personal data within the organisation and how such data interlace with applicable laws. In this regard, identifying and evaluating business areas relevant to the LGPD may be the first step. Different business areas can manage specific data flows or parts that cannot be seen by other individuals within the organisation. Thus, identifying the organisation's internal structure and the streams of personal data managed by each of the business areas are vital to obtaining complete data mapping.
Typically, the privacy team conducts data mapping through interviews. Such interviews are appointed with key individuals in the organisation first to raise awareness about privacy issues in the organisation and, secondly, obtain details about the data flows controlled by such individuals. Another approach is using platforms that perform the mapping activity in an automated way, covering structured and unstructured data. In any case, using a hybrid mapping (i.e. through automated systems and interviews) may allow the organisation to both benefits from the granularity of the technical detail perceived in automated mappings and the subjective human perception.
Data mapping through interviews and electronic means may serve to provide a record of processing activities ('RoPA'). As organisations must document and keep records of personal data processing operations to achieve compliance with Article 37 and the principle of accountability set forth in the LGPD (Article 6, item X), creating a RoPA in the data mapping phase is highly recommended. Besides, such RoPA may help to identify the respective lawful bases to justify each of the organisation's processing activities (Article 7 and 11 of the LGPD) and achieve compliance with other requirements of the LGPD.
In addition to mapping existent data processing flows, projects under development should also be included in the data mapping, even if not yet fully implemented in the organisation. Besides mapping the internal data processing flows, the organisation should consider mapping any third parties involved in its data processing activities or to which personal data is shared. By analysing the shared use of personal data with a third party, the privacy team may be allowed to define each party's responsibilities and later adjust (where necessary) the data processing agreements entered with such third parties.
In the mapping phase, the organisation may map data flows (i.e. collection, use purposes, data sharing, retention, etc.) and obtain information about specific practices that might involve personal data, particularly on how employees handle personal data internally. For example, by identifying:
- if the organisation has different access controls to personal data (i.e. who has access to personal data in each circumstance);
- the retention and deletion policies or practices;
- if corporate policies are duly observed;
- the monitoring practices involving employees; and
- the security requirements implemented in work-related devices and personal devices (if applicable), among other aspects.
Identifying such specific practices may help implement a good privacy governance program at a later stage.
Assessment - gap analysis
With the data mapping concluded, the privacy team should be able to produce a document addressing the gaps to achieve adequacy to the LGPD. This activity is known as gap analysis. Gap analysis involves a comparison between the current scenario identified and the scenario expected after the LGPD compliance project is implemented in the organisation. To better address the points to address, the gaps identified may be divided into two categories:
- general gaps, which are adjustments necessary in the governance structure of the organisation and its corporate policies, widely applicable to the organisation; and
- specific gaps, which are required adjustments to specific processing operations.
The general gaps usually include the implementation or review of the following aspects (non-exhaustive list):
- the organisation's privacy governance structure;
- the record of processing activities, either for lack of existence or incompleteness;
- corporate policies regarding privacy and data protection, such as employee and client privacy policies on how personal data is handled by the organisation, security information policies, and data retention policies, among others; and
- information security procedures and incident response plans, which include technical and organisational measures to be adopted to protect personal data from and handle security incidents.
Specific gaps usually include the implementation or review of the following aspects (non-exhaustive list):
- consistency of the processing activity with the principles of the LGPD;
- if there is an appropriate lawful basis to justify the processing activity;
- if consent would be required and how to implement a proper consent flow;
- if clear and adequate information is made available to data subjects;
- if the organisation can observe the data subject's rights granted by the LGPD;
- if data of minors is processed according to the specific rules imposed by the LGPD;
- if international transfers of data take place, and whether appropriate mechanisms as required by the LGPD are implemented;
- identifying the participation of third parties in the processing flows and conducting any contractual adjustment where necessary;
- identifying the need for adequate specific privacy policies;
- identifying technical and organisational measures to be adopted to protect personnel data from security incidents in specific processing flows; and
- drafting Privacy Impact Assessments, where required by law.
After conducting the gap analysis, defining a strategic roadmap for implementation of adjustments is critical for executing a compliance project. This phase consists of ensuring organisational and financial investment in the priorities identified in the gap analysis.
This article has presented a few aspects of the data mapping and assessment phases typically used to reach compliance with the LGPD. While there are some common challenges in these phases, the implementation of compliance projects may well differ from organisation to organisation. Therefore, each organisation must consider its peculiarities when designing and executing data mapping and assessment. If duly executed, such a work product will help the organisation obtain the appropriate level of compliance with the LGPD.
Alan Campos Elias Thomaz Partner
AT | Advogados, São Paulo