INTELLIGENT BRANDS // Enterprise Security
“Privacy by Design”: how to mitigate risks in LGPD process outsourcing
André Cilurzo, Director of Data Privacy and LGPD Compliance, Protiviti Brasil, outlines eight essential actions toward implementing “Privacy by Design” practices.
With the LGPD (General Data Protection Law), many actions became necessary for companies to comply with this new regulation.
One of the most effective controls in managing risks related to the LGPD is “Privacy by Design”, a framework that allows privacy to be implemented from the beginning of the development of products, services, systems, applications or processes involving third parties.
A well-implemented “Privacy by Design” can ensure that the principles of purpose, adequacy and necessity set out in article 6 of the Law are complied with, reduce the risk of improper processing of a person’s data, and minimize the impacts of a leak.
For this control to be well implemented, it is essential that the company puts into practice the eight actions shown below.
1. Inventory of the third parties that collect, process and store personal data on behalf of the contracting company.
2. Third-party risk assessment, understanding potential threats to data privacy and security, as well as sharing factors, access to personal data, and the security controls in place at the contracted company.
3. Third-party selection and approval process, considering that privacy and data security risks are mitigated through certifications, security regulations, privacy controls and policies, and the process of storing logs and audit trails in systems that store and transact personal data.
4. Specific privacy and security clauses in contracts with third parties, aiming to establish requirements for collecting, processing and storing only the minimum personal data necessary, as well as establishing the responsibilities of the parties involved and the measures to be taken in the event of a data breach.
5. Minimal and limited third-party access to data, together with a continuous program to reduce data that is not essential to existing purposes, so that only information strictly necessary to carry out the contracted activities is processed for the duration of the contract. In addition, after the term or termination of the contract, the third party must take anonymization measures in relation to the contractor’s data.
6. Continuous monitoring and regular audits to verify that third parties are complying with contractual requirements and dealing exclusively with what is essential and necessary to achieve the contracted purpose.
7. Training and awareness for third-party professionals who will have access to the company’s personal data, so that they understand the risks, responsibilities and impacts related to data processing.
8. Continuous review and evaluation of the data elements collected whenever there is a change in the processing carried out by the contracted third party, always aiming to collect the minimum necessary.
By adopting “Privacy by Design” practices in contracting and relating to third parties, companies can significantly reduce the risks associated with sharing data with external entities, ensuring the privacy and security of their clients’ and professionals’ data.
In addition, this will contribute to building a solid and responsible reputation regarding the rights established by the LGPD.