Eduardo Fuerte (Brazil) asked:

Could you point out strategies to comply with the general data protection laws?

Hi Experts

My concerns are about the implementation of our Brazilian law (LGPD, the general data protection law), which is somewhat similar to the GDPR from the EU or the CCPA from the USA, and which will take effect soon.

Probably you have faced these laws and have taken measures about them.

Our law here is somewhat generic; it talks about the "goals" to be achieved.

Some interpretations of the law suggest encrypting data, access control, and network and endpoint security.

I guess it's not a matter of encryption but rather of people's access to the systems and infrastructure, isn't it?

Could you suggest something based on your own experience?

Thanks in advance
ASKER CERTIFIED SOLUTION
David Favor (United States of America)

GDPR:

The core of GDPR is consent about the data usage from the user/client/customer/data origin. This means the data usage must be exactly defined and of a narrow specification. These use cases also define the audience which can use the data. It does not allow additions like unknown future business use cases.
Data access control thus depends on those defined usage targets and audiences. In a strict interpretation, this means that you need a separate ACL for each use case.

Consent can be revoked. Then your systems must be capable of deleting data. This includes, sadly but true, backups.
So you need documentation about the data, intended usage, time range for usage and ACL.

Furthermore, the parties processing and storing data must ensure that the data is protected, obviously against any kind of (criminal) attack.
Thus encryption of data at rest is a concept you need to implement in most cases.

EDIT:
- Payment data has its own rules depending on the country (fiscal obligations) and the involved payment providers (what data may be stored, e.g. Warner's recent data loss included CVC, which was never allowed to be stored at all).
- Health data also has country-specific legal rules.
- PI from ID, like the German nPA, also has its own rules.
btan

It is not solely cybersecurity controls that guard the legal intent. In the Singapore PDPA, it suggested the Data Protection by Design (PDF) approach, which sets off a set of security objectives. These direct the appropriate controls to be devised and implemented by the organisation, without being overly prescriptive on the "doing". That is one goal for protection, but we know there are likely more from a legal perspective. I see it as setting higher-level goals which may continuously derive priorities to chart legislative and security technology development. Below are examples from the PDPC (guardian of the legal act).

E.g. Promoting Accountable Free-Flow of Data

Accountability frameworks, such as certifications and codes of conduct will have to become part and parcel of any effective comprehensive data protection law and framework around the world. This includes certifications based on ISO standards, EU binding corporate rules, APEC CBPR or similar formal accountability frameworks. The Singapore PDPC, in fact, has taken a leadership role in advancing the use of certifications and CBPR. Organisations should be actively considering these certifications and start using them not only as transfer mechanisms, but also to provide assurance of compliance with the ever-growing body of national laws, and to demonstrate being responsible partners to businesses, consumers and regulators. Organisations that have comprehensive personal data protection programmes will automatically be ready to go this extra step and successfully obtain such certifications.

E.g. Expanding the Beneficial Use of Data through Accountable Data Sharing Arrangements
Data sharing also improves effectiveness of governments and public policy, from health, education and tax to social policy, all of which increasingly rely on data-driven decisions. There is a real need to develop frameworks for trusted data sharing based on organisational accountability. Indeed, here too, Singapore has taken a leadership role with its Trusted Data Sharing Framework. An overly “user centric” approach that makes data sharing dependent on choices made by individuals may actually defeat the benefits and full potential of data sharing.

E.g. Saying Goodbye to the Individual Control Paradigm of Personal Data Protection
In Singapore’s context, for example, consent remains important for purposes such as direct marketing for which consumers still wish to exercise choice and control. But in many cases, there are better ways to protect individuals that don’t require consumers to become full-time data protection professionals. ...Even where personal data protection laws, such as GDPR, do not privilege consent over other bases for processing personal data, deep rooted habits of regulators and policy makers continue to treat notice and consent as a sine qua non of personal data protection at the expense of better options grounded in “organisational accountability” that are available in plain sight.

E.g. Welcoming Organisational Accountability
Organisational accountability requires organisations to implement comprehensive personal data protection programmes governing all aspects of the collection and use of personal information....It ensures robust protections for individuals and their data while enabling responsible data collection, use and sharing, placing more responsibility on organisations that are collecting and using data and less burden on individuals. Such data protection programmes may also be provided by or based on formal data protection codes of conduct or certifications and a good example is Singapore’s Data Protection Trustmark (DPTM).
Eduardo Fuerte (asker)

Hi

Thank you for the replies.
Still interpreting it.
Thank you!
You're welcome!