The law has rules on the collection and processing of personal and sensitive data. Check out how information security is affected.
Have you ever stopped to think about how information security is affected by GDPR? That’s what we’ll talk about in this article. Keep reading and check it out!
The Relationship Between Information Security And GDPR
The relationship between information security and GDPR concerns privacy and the protection of personal data. The law brings many security benefits to the company because it provides for administrative and technical measures that improve cybersecurity.
It can be said that many provisions of the General Data Protection Law already constitute good information security practice. A key IT dynamic, for example, is fraud prevention, which protects data integrity; this practice is provided for in the LGPD (the Brazilian counterpart of the GDPR).
In summary, talking about information security and the LGPD means talking not only about technologies and technical best practices, but also about the universe of governance, risk and compliance. It covers information encryption, access control, the creation of security layers, analysis and testing, and authentication. All of these practices, already present in day-to-day business, are reinforced by the law.
It is worth remembering that 2018 data presented in the Global Risk Report, from the World Economic Forum, pointed out that, by 2025, cybercrime costs against companies will reach US $10.5 trillion. Breach of privacy and data leakage is the biggest threat.
Considering this context, conduct appropriate to the LGPD minimizes the risk of financial loss and of damage to the company's reputation.
The Impacts Of LGPD On Companies
The adoption of cutting-edge technological solutions does not guarantee compliance with the LGPD. For this reason, companies need to understand the main impacts of the law on their activities to ensure compliance.
The first point that deserves the IT manager's attention is the need to invest in cybersecurity, in order to implement effective protection systems for the prevention, detection and remediation of data leakage. This is fundamental, because the law treats the adoption of good practices as a mitigating criterion when penalties are considered.
Another key issue is the appointment of the Data Protection Officer (DPO), whose main activity will be monitoring and disseminating good practices for personal data protection within the organization and towards stakeholders. The DPO will also be the interface with the National Data Protection Authority (ANPD, Autoridade Nacional de Proteção de Dados).
Finally, attention will need to be given to practices that ensure compliance in the relationship between information security and GDPR.
Information security compliance and GDPR
A 2019 Serasa Experian survey found that 81% of large organizations were already aware that ensuring the compliance established by the LGPD would have an impact on their technological resources.
Awareness, however, is not enough: it is necessary to take digital and cyber security measures that cover people, processes and technology. The ideal is to have services, applications and solutions built on information security and GDPR requirements.
Data stored on local infrastructure, for example, may require an additional layer of protection that encrypts files. These files must not be accessible without authorization, which is why an effective access policy, with identity management, will be necessary.
For data stored on mobile devices, you can use management features that move the encryption layer into the applications and apply additional controls over sharing.
In any case, GDPR compliance must take into account governance, document compliance (legal adequacy of terms, contracts and privacy and data protection policies) and awareness. Governance deserves special mention.
Information security governance under the GDPR includes incident management, risk management, the data map and the DPO.
Good incident management includes a committee that handles each event that occurs, in order to minimize its effects on the company. It also maintains a database of past incidents, in order to document vulnerabilities and improve prevention.
At this point, it is worth remembering that the LGPD requires that any incident involving the leakage of personal data be reported to the ANPD.
Risk management, in turn, is one of the good practices of governance adequacy. Through it, the manager identifies the inherent risks and draws up a heat map that ranks them by impact and probability of occurrence.
Identifying risks and threats in the organizational environment involves vulnerability and penetration tests, whose objective is to find threats and weaknesses in the technological environment. Based on what is identified, the relationship between information security and the LGPD is analyzed: what needs to be adjusted to comply with the law?
This practice gives the manager a forecast of how risks can be controlled and mitigated.
The Data Map is an extensive activity, as it involves every area of the business. After all, all of them process personal data, including employee data, which is personal data too. A simple medical certificate for an employee, with its ICD code, already contains sensitive information.
This map, then, helps the manager identify the company's processes that handle personal data, ranging from individual customer service to supplier and employee relations. In this way, it gives visibility to how personal data is processed, as well as to the gaps in that processing.
The Data Protection Officer (DPO), as noted, will monitor and disseminate personal data protection practices within the organization. This role will be fundamental for the awareness and training of managers and employees.
The relationship between information security and the LGPD is close, because the law requires the adoption of technical security measures and good data protection practices. Vulnerability analysis, adequacy and process automation, and data digitization are just one approach.