CAIS and ESR hold a webinar on the Brazilian General Data Protection Law

- 29/10/2018

On October 25, the Centro de Atendimento a Incidentes de Segurança - CAIS (Security Incident Response Center) and Escola Superior de Redes – ESR (Superior School of Networks) held a webinar about the current scenario and the main challenges of complying with the Brazilian General Data Protection Law, which will take effect in 2020. Accenture Brasil's Cyber Strategy Manager, Vagner Florindo, presented an overview of users' new rights to their personal data, the impacts on organizations' business processes and the technical challenges involved in complying with the requirements of the Law.

According to the Information Security Specialist, the main change concerns the rights of data owners. The citizen was empowered in the relationship with the companies that hold the information.

“The holder may refuse or revoke consent to access the data at any time. The company needs to inform the client or citizen what data they are collecting, how they are processing and who they are sharing with. Another interesting point is that this brings an additional demand, which is the issue of data portability. I can ask a mobile provider the portability for all my data to take to another provider. According to this Law, the holder has a broad right over all the data he is entitled to. He can request access to companies at any time. The same has to be provided free of charge and in a reasonable time”, explained Vagner.

As soon as the new Law comes into force, companies will be required to personally notify all owners if their data is leaked.

In this introduction, Vagner Florindo listed the ten main impacts of the General Data Protection Law.

Check it out:

  1. Data Protection Officer: Obligation to appoint a DPO to follow the correct application of the Law, perform internal checks and serve as a contact to respond externally;
  2. Consent and notification: Right of the holder on his data, including requests for access and express consent for the use of his data;
  3. Data Holder Rights: Right to be forgotten, data portability, access and limitation of processing, accuracy of data and review of consent;
  4. Responsibility: Obligation of absolute compliance with the controls imposed by the General Data Protection Law through the implementation of technical solutions and organizational measures of governance;
  5. Security measures: Obligation to implement technical data protection solutions (e.g. cryptography) in order to ensure adequate levels of protection against data destruction, loss and change, and of data availability;
  6. Privacy by design/default: Obligation to implement appropriate measures for the treatment of critical data (by design and by default);
  7. Notification of data leakage: Obligation to notify competent authorities and data holders in case of potential data leakage within a reasonable period;
  8. Activity record control: Obligation to keep records on data processing activities, containing a description of implemented security measures;
  9. Privacy Impact Report: Obligation to carry out a preliminary assessment on the impact of processing and data protection criteria, including risks and security measures;
  10. Data transfer: Restriction on the transfer of data to other countries or to international organizations.

Watch the full webinar here!
