October 28, 2021 – The National Data Protection Authority (ANPD), the regulatory and supervisory body for the protection of personal data in Brazil, published on October 4, 2021 a new guide called “Information Security Guidelines for Small Processing Agents”.
The guidelines are divided into two major sections:
1. Information Security Regarding Personal Data
2. Information Security Measures
Information Security Regarding Personal Data
The guidelines open this section by defining information security as the set of actions aimed at preserving the confidentiality, integrity, and availability of information – a concept derived from the ISO 27001 standard – under which the information security risks within the organization must be identified, quantified, and managed.
Naturally, the guidelines allude to the Principle of Security, provided for in Article 6, VII of the General Data Protection Act (LGPD), which consists of using technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful destruction, loss, alteration, communication, or dissemination.
Likewise, Articles 46, 47, 48, and 49 of the LGPD deal with information security, obliging data processing agents to:
All of the requirements above, which reflect international good practices, may nonetheless be unfeasible for small processing agents because of their complexity and specificity. For this reason, the guide presents simplified information security measures in section 2, described below.
Information Security Measures
The information security measures suggested by ANPD are divided into administrative and technical measures.
Regarding administrative measures, the measures suggested by ANPD are as follows:
1. Information Security Policy (PSI).
2. Awareness and Training.
3. Contract Management, including the signing of non-disclosure agreements with employees.
Regarding technical measures, the measures suggested by ANPD are as follows:
1. Access Control.
2. Security of Stored Personal Data.
3. Communications Security.
4. Vulnerability Management Program Maintenance.
In addition to the above-described measures, the guidelines also provide security measures for using mobile devices and cloud services.
Regarding the use of mobile devices, the guidelines only advise that such devices are to be treated as information technology (IT) equipment and must follow the same information security measures listed above, especially access control, multi-factor authentication, safekeeping, and the ability to remotely erase personal data related to the processing activity. It is also recommended that personal mobile devices not be used for institutional purposes.
As for cloud computing service providers, it is suggested that they observe and implement international recommendations and good information security practices, and that a service-level agreement be signed covering the security of stored data. Finally, it is suggested to specify the user requirements for accessing each cloud service in use, and to require multi-factor authentication, such as authenticator apps or SMS codes, for access to cloud services involving personal data.
It is important to point out that small processing agents are defined as micro and small businesses, as well as business initiatives of incremental or disruptive nature which declare themselves as startups or innovation companies.
Lastly, an interesting complementary measure was the creation of a security measures checklist for small processing agents, which will greatly aid in adapting to ANPD requirements and can be found here.
One last comment remains. Although there was an attempt to simplify the requirements for small business owners, such measures still seem very far from the reality of Brazilian business. Their implementation requires resources and investment unfeasible for most small businesses in the country. ANPD's task is complex and will require further study to bring such good practices within reach of Brazilian small businesses. Incidentally, this is challenging not only for micro and small businesses. Gradual implementation, with the requirements phased in by segment, should indeed be considered.