TRUNOMI SOLUTIONS TO THE BRAZIL GENERAL DATA PROTECTION LAW (LGPD)
This whitepaper offers a comprehensive overview of the incoming Brazilian General Data Protection Law (LGPD), and how the Trunomi platform helps Controllers efficiently solve key articles of incoming regulation, avoid heavy fines and sanctions, and empower Data Subjects with improved transparency and actionable, extended data rights.
Background to LGPD: Brazil takes inspiration from Europe’s GDPR.
Brazil’s new General Data Protection Law (LGPD) was approved on August 14, 2018, with this regulation coming into effect in February 2020. The LGPD, federal law 13.709/2018, aims to secure and extend the basic rights of Data Subjects whilst fostering technological innovation through the adoption of clear and transparent legislation that outlines the appropriate methods for the processing of personal data. It is worth noting that Brazil’s new legislation is similar, although not identical, to the EU’s General Data Protection Regulation (GDPR) which came into force on 25th May 2018.
The LGPD has 65 articles and creates a new legal framework for the online and offline processing of personal data in Brazil in both the private and public sectors. This new legislation represents a major change to Data Privacy regulation and details the legal basis for the processing of personal data, highlighting best-practice data processes based around the legitimate interests of the Data Controller and the extended rights of the Data Subject, and defines the obligations and limitations of large-scale processing of personal data.
The following bullet points offer an overview of the key elements of the LGPD:
LGPD AND GDPR, A TABLE OF COMPARISON: The LGPD is similar, although not identical, to the EU’s GDPR.
| LGPD | GDPR |
|---|---|
| Covers processing of data by individuals and entities, in or out of Brazil, provided that either the data is collected or processed in Brazil or processing is for the purpose of offering or providing goods or services in Brazil. | Covers processing of personal data by all entities (for-profit or nonprofit) with an “establishment” in the European Union, or entities outside of the European Union that offer goods and services to individuals in the European Union or trace their data. |
| Uses a broad definition of “personal data” to include information related to an identified or identifiable individual. Publicly available information is included in the definition, but with limitations allowing for use consistent with the purposes for which the information was made public. | Uses a broad definition of “personal data” to include categories of data that directly or indirectly identify a person. Publicly available information is included. |
| Third-party vendors reviewing documents are bound to the same principles as the entity requesting the data treatment. | Third-party vendor agreements must contain a standard set of EU-approved commitments. |
| Grants consumers the right to be informed of, access, correct, obtain a portable copy of, anonymize and delete their personal data. | Grants consumers the right to be informed of, access, correct and (in more limited circumstances) delete, restrict processing of or obtain a portable copy of their personal data. |
| Requires entities to have a lawful basis for processing information if not seeking subjects’ consent. | Requires entities to have a lawful basis for processing information if not seeking subjects’ consent. |
So What Now?
Data controllers and processors should adopt effective measures if they are to demonstrate LGPD compliance. This can be done through data protection assessments and the implementation of technologies that enable best-practice consent and data privacy management (i.e. Privacy by Design and Default). Under the LGPD, all personal data processing activities must be recorded and indicate the types of personal data collected, as well as the legal basis for processing.
TRUNOMI IS HERE TO HELP: The Universal Solution to Data Rights Management
Trunomi is a global market leader in Consent and Data Rights Management technology. Our unique, patented technology, TruCert, proves the legal basis of processing under LGPD. Trunomi provides Data Controllers and their DPOs with the tools to power seamless Consent Management, minimising the distance between them and Data Subjects whilst improving transparency and building trust. We offer peace of mind to DPOs and Marketers in their past, present and future data operations.
Privacy by Design and Default:
Trunomi’s solutions cover a wide range of LGPD regulation, including:
The incoming LGPD, like the GDPR, places the onus on Controllers and Processors to demonstrate present and past regulatory compliance. Although current Data processes may be compliant under the LGPD, Controllers and Processors should be able to demonstrate the lawful basis of past processing, or risk leaving themselves vulnerable to sanctions.
Trunomi is designed to easily evidence LGPD-compliance. Every ‘Consent Event’ generates an audit-ready TruCert™, a digital certificate that creates an immutable record of the event. The TruCert™ can also be used to record, at an individual level, all legal bases for processing data such as legitimate interest, ensuring that accidental processing does not occur. TruCert™ certificates can be accessed via the Ledger/Notary API, or directly by the customer through the “Data Rights” widget.
Trunomi analytics, available through the Enterprise DPO Portal, can also be used to demonstrate the lawful basis of processing across the Controller and KPIs in delivering upon data subject requests.
Obtaining consent for individually defined purposes without inadvertently generating ‘consent fatigue’ amongst Data Subjects is absolutely critical in the effort to maintain and strengthen the customer relationship. As such, avoiding ‘consent fatigue’ amongst Data Subjects will be a key factor in a Controller’s ability to harness, increase and improve the volume and quality of available data, whilst also driving a transparent and seamless customer experience.
Trunomi allows Controllers to transform the consent-capture process from a static and monolithic operation into a dynamic and direct customer-interaction. The objective is to seek correct consent from each individual, at the right time, and in the appropriate context.
The TruCert Consent Receipt certifies any consent-event requested via a Trunomi widget and confirms the exact notice that was presented to the customer. Trunomi then transforms the ‘consent-event’ into machine readable Data Rights that can be accessed by Controller systems via the Rights API in order to verify whether or not lawful processing is possible. Trunomi also calculates the duration (time limit) of individual consents, and expires these data rights at the appropriate time.
Consent Request Widgets are integrated into web applications using JavaScript tags. These can be triggered by context or by using 1:1 targeting lists, uploaded through a provisioning process and accessed via the Context API. The actual consent widgets can appear inline or as an overlay (mounted in the page as a DIV or iframe). Using Trunomi widgets, the DPO can ensure ‘consent notices’ are standardised across multiple touch points, and that interactions are presented clearly.
LAWFUL BASIS FOR PROCESSING:
There exists a total of 10 conditions: (i) consent; (ii) legal obligation; (iii) implementation of public policies by the public administration; (iv) research by public study entities; (v) contractual performance; (vi) exercise of rights in legal proceedings; (vii) life protection; (viii) health protection; (ix) legitimate interest; and (x) protection to credit. Businesses should be able to evidence the lawful basis of processing in their data operations.
The legal basis for processing data is referred to as data rights within the Trunomi platform. Beyond explicit consent management, Trunomi also allows other lawful bases for processing to be notarised at an individual level and updated as necessary. This is achieved by populating the Method of Collection (MOC) and Justification fields when invoking the API. For example, when a data subject enters a new service agreement, the Controller can notarise an array of data processing that will occur to achieve contract performance. Once the service is closed, the array of rights associated with the contract can be withdrawn. Trunomi’s RESTful APIs allow real-time access to up-to-date data rights. This ensures Controller systems and platforms can easily access the data rights in order to process data.
DSRS: RIGHT OF ACCESS, RECTIFICATION, ERASURE & OBJECT REQUESTS:
Data Protection Officers face the singularly daunting task of overseeing the processing of Personal Data without a single, harmonised and holistic tool that offers both a global view of Data Subject Requests, and the tools to manage outstanding DSRs.
Trunomi’s DPO dashboard assists the Data Protection Officer in their Data Rights Management. Trunomi offers assistance in the customer, DPO and back-end system messaging associated with such requests. The tools include specific Data Subject Request widgets that can be embedded into web apps to provide a customer interface to log and review requests. Review and status monitoring allows DPOs to review and manage the status of outstanding DSRs (Data Subject Requests) from within the DPO Enterprise Portal, whilst the Message Event Service can pass DSRs to back-end systems.
All requests and interactions are captured and evidenced by TruCert™ digital certificates so the Data Controller can easily demonstrate to regulators and Data Subjects the specific interactions that have taken place.
Trunomi also offers Controllers the ability to act as the system of record for data location. However, it remains the Controller’s responsibility to embed this metadata pointer into the TruCert and act on the detail.
There are four levels: Request, Triage, Action, and Delivered.
Request: Controllers have two options for managing and recording data subject requests. They can create a website / app section that allows the customer to digitally lodge these requests on a universal basis or when referencing an individual data type then processed by the Controller. The front-end can be rendered independently, or a series of Trunomi widgets (My Data, Data Subject Requests, My Requests) can be embedded into secure web pages to manage elements of the customer communication. Four types of requests are possible: Access, Erase, Rectify or Object. The Object function can also be used to achieve the Right to Restriction of Processing.
Triage: During the provisioning process, Controllers can configure whether a request should undergo triage, review or automatic processing according to the request type, the reason provided by the customer or the data type. The DPO can view all outstanding requests from within the Trunomi Enterprise Portal. Once the appropriate review of the request has taken place (outside of the Trunomi platform), the DPO can change the request status to reject or accept. An Accept status will initiate the Actioning phase. During this phase, Data Subjects can see the status of their request (e.g. Reviewing) in the relevant widgets, as well as an accompanying explanation.
Actioning: During the Actioning phase a message is passed from the Trunomi Event Service to the Controller’s back-end system, such as an Enterprise Service Bus (ESB) or message queue, informing it of the outstanding customer request. N.B.: it is the Controller’s responsibility to ensure that requests are enforced across all platforms containing personal information.
Controllers also have the option to use Trunomi to inform their back-end system of the location of data types affected by the customer request. This can be achieved if the Controller has inserted opaque data location information and pointers into API interactions with Trunomi. The DPO will receive visual notification in the Enterprise Portal if delivery of a request is taking too long (against configurable Service Level Agreements (SLAs)). The ability to inform the customer of the late delivery of a request can be delivered by widgets and provide an explanation of the delay.
Complete: Once the Controller has completed the Data Subject Request, the Controller’s systems should provide a message to the Trunomi Event System informing it of a successful completion. Manual updates are also possible. The status of the request will subsequently update within the Enterprise Portal and the MyRequests widget. Although Trunomi’s technology can evidence each Consent Event, it is the Controller’s active responsibility to share the relevant data with the recipient.
TREATMENT OF SENSITIVE INFORMATION:
Personal Data deemed as sensitive (e.g. racial or ethnic origins, religious beliefs, political opinion, health-related data) must be processed with additional security and under a different legal basis. Sensitive information refers to information on the Data Subject that could lead to discrimination. Any data that allows identification of the data subject, such as genetic or biometric data, is likewise considered sensitive.
Trunomi enables express consent to be used to lawfully capture and process sensitive data. Furthermore, consent & associated data types can be labelled as ‘sensitive’ and subsequently excluded from specific processing.
In summary, the LGPD allows for a clear and unambiguous harmonisation of Data Privacy Regulation that serves to improve consumer confidence in the marketplace whilst fostering a best-practice approach to data processing operations. To that end, the LGPD should not be seen as a regulatory hurdle to existing operations but rather an opportunity to optimise Consent and Data Management, improve trust between Controllers and their Data Subjects, and ultimately enhance the quality of data held.
At Trunomi, we believe that Controllers that expedite LGPD-compliance will be better placed to anticipate future changes to regulation in Brazil and across the globe, and maintain their competitive advantage in a digitally connected world and shifting regulatory landscape.