LGPD and changes in electronic security

A study conducted by the consultancy Daryus in September 2022 showed that 80% of Brazilian companies are still not fully compliant with the General Data Protection Law (LGPD).

In addition to compliance being a necessity, concern for customer data is a significant differentiator for companies, as many customers define their choices by analyzing how their data will be handled.

1. What is the General Data Protection Law?

The General Data Protection Law (LGPD) establishes specific rules regarding the processing of personal data in Brazil, from collection to classification, use, and storage.

All data processed, both physically and digitally, are subject to regulation. The LGPD stipulates that regardless of the location of an organization’s headquarters or data center, if there is processing of information about individuals, whether Brazilian or not, who are within the national territory, the LGPD must be observed.

To oversee compliance with the LGPD, there is the National Data Protection Authority (ANPD), which also provides preventive guidance on the application of the law if necessary.

Security breaches can result in fines of up to 2% of a company’s annual revenue in Brazil – limited to R$50 million per violation.

The ANPD sets penalty levels according to the severity of the breach and issues alerts and guidance before imposing sanctions.

 

2. Visitor Access Control According to LGPD

It is essential for large companies and condominiums, whether residential or commercial, to have visitor and service provider access control data processed in accordance with the rules set by the LGPD.

Any information collected for access control falls under data processing rules. To enable this collection, a reason for the processing must be defined, grounded in one of the legal bases.

It is important to define the real need for the collected data and to request the minimum amount of information possible, so that access control remains secure and efficient without excess data being processed.

Once the data to be collected and their functions are defined, the legal basis for justifying this action comes into play. Article 7 of the LGPD sets out the hypotheses under which personal data may be processed:

Consent: This is the basis most often applied to access control. In this case, the individual needs to provide consent for their data to be collected. Care must be taken to ensure that they are clearly informed of the use and necessity.

Legitimate Interest: Under this basis, the controller assumes responsibility for ensuring that data processing is carried out for the benefit of the data subject, but without obtaining consent. It is essential to clarify that collecting data such as photos or biometric identification does not fall under this basis.

Protection of Life: If a person’s data is collected for their security, this legal basis can be used. It is primarily applied when there is a risk that involves the need to use personal data for the data subject’s security.

There are systems that meet the specific security and access control needs of various types of companies and locations, compliant with LGPD data processing regulations. The Invenzi access control system is one such system. If you are interested in the subject, please contact us.

3. Closed-Circuit Television (CCTV) and LGPD

The LGPD also applies to the collection of audio and images and the storage of recordings, including Closed-Circuit Television (CCTV).

Here are some tips to help in adapting CCTV to the General Data Protection Law:

Transparency about CCTV use: Transparency is at the core of the LGPD. Everyone should be informed about the collection of images and why it is done. Providing contact information for the person responsible for protecting this data creates a channel for questions and information.

Who will have access to CCTV images: There are several possibilities regarding who will have access to these images. However, the first step is to convene a meeting to discuss the rights of image holders and then determine who will be responsible for managing this content.

Training for operators: Employees who handle the generated images should be knowledgeable about the LGPD. Providing courses or instructional materials that cover common occurrences will greatly facilitate the work of these employees.

4. Benefits of LGPD for Companies

Many companies were startled by the changes brought by LGPD regulations, but the law is positive for both the company and the data provider.

Let’s list some benefits that LGPD offers:

  • Better customer relations: By protecting customer data, the company demonstrates concern for privacy, increasing trust and attracting new business.
  • Greater legal certainty: By standardizing norms and procedures, a scenario of equal legal security is established.
  • Protection against cyber attacks: Cyber attacks in Brazil have been increasing, so with the changes to data management required by LGPD rules, your company will be better protected.

These are some analyses of the impacts of the General Data Protection Law (LGPD) on the electronic security and access control segment, the area of expertise of Invenzi, whose software meets LGPD compliance requirements.

In the Invenzi access control software, there is a consent step for the use of photos in facial recognition equipment. Additionally, the user registration form can be parameterized so that only the minimum data is required, and sensitive data can have its access restricted.

In the self-service solution, the user receives a link via email or messaging app to complete the registration, where they will have access to the Privacy Policy. Only after accepting the terms will their access credential be released.

Some infrastructure recommendations that should be highlighted are:

→ Windows Security Policy configurations (GPO).

→ Adaptations to comply with the ISO 27701 reference standard, establishing data privacy control.

→ Adaptations to comply with the ISO 27001 reference standard, reevaluating the organization’s internal process and risks related to Information Security.

LGPD resolutions make a company's practices toward its clients more transparent and bring greater care to the analysis and management of private data, making the company-client relationship closer and more secure.