The ANPD publishes “Guidelines on Information Security for Small Data Processing Agents”


The Brazilian Data Protection Authority (ANPD, Autoridade Nacional de Proteção de Dados in Portuguese) published the “Guidelines on Information Security for Small Data Processing Agents” this week.

The new “Best Practices” Handbook is designed to help small enterprises and microenterprises, as well as self-declared startups, implement data protection procedures in a way that mitigates possible compliance burdens.

Even in the absence (so far) of a final definition of what “small data processing agents” are, the new Guide is helpful to any agent that needs to improve its information security standards, regardless of the budgetary or personnel limitations that come with its size.

In this way, the document clarifies some central themes, concepts, and obligations of the Brazilian General Data Protection Act (LGPD, Lei Geral de Proteção de Dados[1] in Portuguese) and suggests security measures that can be taken by these organizations towards a safer institutional environment, regarding the processing of personal data. The suggestions are not exhaustive and can (should) be complemented by other initiatives that are deemed pertinent. They include, in summary:

  1. Information security: The ANPD recommends establishing, whenever possible, an “information security policy” with guidelines on controls related to the processing of personal data (e.g., guidelines on backup copies; use of passwords; access to information; sharing of data; updating software; use of e-mail; use of antivirus, among others). The policy can be simplified, but it is important to review it periodically.
  2. Personal data training: the Guide recommends conducting training sessions and awareness campaigns for all employees (especially those directly involved in data handling processes). Useful information to be shared in these trainings can range from ways to use IT systems security controls to guidelines for filing physical documents in drawers, among others.
  3. Creating an organizational environment that encourages users of company systems (both customers and employees) to report incidents and vulnerabilities when they are detected.
  4. Contract management: Non-Disclosure Agreements (NDAs) should be signed by company employees or outsourced employees, guaranteeing their commitment to maintain strict secrecy of information involving personal data. When third parties are hired, the ANPD advises on specific clauses to include in the contracts to address themes such as data sharing, controller-operator relations, guidelines on the specific processing to be carried out, and other processing that is prohibited because it is incompatible with the instructions.
  5. Data access control: only authorized persons should access the data. System access must require authentication, allowing for the identification and tracking of who has access to the data and of the authorizations for its specific processing.
  6. Security of stored data: (i) collect and store only necessary data; (ii) store sensitive personal data[2] using solutions that prevent identification of the person it belongs to (e.g., use of cryptography); (iii) ensure that the data is only accessed by means of a password for individual use, instructing the employees about the importance of this security measure; (iv) avoid data transfer by physical devices, such as USB sticks or external hard drives, among others; (v) back up data regularly and store the copies on devices other than the main storage (if stored in the cloud, it is important to avoid real-time synchronization); and (vi) for the elimination of data stored on media, the ANPD suggests formatting prior to disposal and, if possible, destroying the disks (which also applies to data on paper). If there is a contract with third parties for disposal, the Handbook recommends establishing a clause to record the destruction carried out.
  7. Ensure the security of data communications between customers and employees (and among employees themselves): use encrypted connections or applications with encryption, if possible, manage network traffic and ensure removal of personal data unnecessarily made available on public sites.
  8. Keep a vulnerability management program: constantly update and scan systems, applications, and software in use.
  9. Control data access by mobile devices (such as smartphones and laptops) used for institutional purposes: employees, whenever possible, should have a device exclusively for professional purposes. Moreover, as mobile devices are more susceptible to loss or theft, the guide suggests how to evaluate the implementation of functionalities that allow for remote deletion of personal data stored on these devices.
  10. Evaluation of services offered by cloud storage providers: verify if the storage providers meet the level of protection required for the intended data processing. In addition, service users should be educated on these requirements and on the use of multi-factor authentication techniques (e.g. tokens or SMS code delivery) for accessing the data room.

To ease the verification of the implementation of these measures, the ANPD has made a checklist available for internal use by these organizations, along with the Guide.

The Guide supports the differentiated application of the LGPD by small agents, since the regulation recognizes that smaller players may face greater budgetary or staffing difficulties in implementing these standards.

The debate over the rules for small data processing agents has been considered a priority. On the one hand, it is understood that compliance with the LGPD may represent a burden for these enterprises; on the other hand, exemptions or simplifications may generate greater insecurity and reduce business volume.

Following the ANPD’s Regulatory Agenda 2021-2022, a new resolution implementing this differentiated treatment for small and microenterprises and self-declared startups is under regulatory impact assessment. The draft has already been discussed at two Public Hearing sessions (held on 09/14 and 09/15), and it is currently under Public Consultation. Contributions will be accepted through the official platform until October 14.

[1] Law No. 13,709/2018 has been in effect since September 2020.

[2] According to the LGPD, art. 5, II, sensitive data are defined as any data that can be used for discriminatory purposes, such as personal data on racial or ethnic origin, religious conviction, political opinion, membership of a trade union or organization of a religious, philosophical, or political nature, data concerning health or sexual life, genetic or biometric data, when linked to an individual.