Data Protection Officer (Encarregado) - Ed. 2020

How To Operationalize Privacy Compliance And Data Subject Requests?



Sabina Jausovec 1

1. Introduction

A robust privacy compliance function is strategically important for any organization where customer trust is a bedrock of its operations and its business success. Designing, implementing, maintaining, and maturing a privacy program in today’s global environment requires substantial effort, time, and resources by an organization. An organization’s privacy office typically must coordinate compliance across multiple business functions within its organization, while navigating complex technology landscapes and ever-changing regulatory environments. An organization’s privacy staff must have sufficient privacy expertise. Moreover, it must also be able to align privacy compliance activities to its organization’s business strategy, understand organizational culture and values, and be able to collaborate with many areas across the business to implement privacy controls.

Both the GDPR and the LGPD require a strategic approach to how an organization handles personal data and require organizations to be able to demonstrate their compliance (accountability principle). 2 Organizations subject to the LGPD can leverage the learnings of organizations that had to implement similar requirements under the GDPR. Organizations that must comply with these types of privacy laws should use their compliance function to their advantage. By strategically planning compliance and applying good privacy practices in line with the principle of organizational accountability, an organization will be able to leverage these practices to build stronger customer relationships based on trust.

This chapter will first provide a high-level overview of the applicable data subject rights under the GDPR and the LGPD. We will then discuss how setting up a privacy program based on the essential elements of organizational accountability can help an organization demonstrate its compliance with data subject rights. This chapter will also discuss practical considerations for implementing a privacy compliance workflow to fulfill data subject requests.

2. Data Subject Rights Under the GDPR and the LGPD

Both the GDPR and the LGPD require organizations to extend certain rights to data subjects over their personal data, including rights such as data access, rectification, deletion, and portability. The LGPD introduces new rights for Brazilian residents, with shorter deadlines for organizations to respond to and comply with data subject requests than the timeline available under the GDPR (15 days under the LGPD instead of the one month allowed under the GDPR). 3 These short timelines will be extremely challenging for organizations if processes are not well designed and implemented.

The GDPR establishes the following data subject rights:

1. The right to be informed 4

2. The right of access 5

3. The right to rectification 6

4. The right to erasure 7

5. The right to restriction of processing 8

6. The right to data portability 9

7. The right to object 10

8. Rights related to automated individual decision making 11

9. The right to withdraw consent 12

The LGPD establishes the following data subject rights:

1. The right to confirmation of the existence of the processing 13

2. The right of access 14

3. The right of correction (of incomplete, inaccurate, or outdated data) 15

4. The right of anonymization, blocking or elimination of unnecessary or excessive data, or of data processed in non-compliance with the provisions of the LGPD 16

5. The right to data portability 17

6. The right to delete personal data processed with the consent of the data subject 18

7. The right to information about the public and private entities with which the controller has shared data 19

8. The right to information about the possibility of denying consent and the consequences of such denial 20

9. The right to withdraw consent 21

10. The right not to be subject to discrimination for the exercise of rights 22

One critical area of operationalizing privacy compliance for an organization will be developing a sustainable process for efficiently fulfilling data subject requests. Because the LGPD introduces new rights for data subjects, it is imperative that organizations develop a sustainable process to respond to data subjects in a timely manner once the new law becomes applicable. An organization will not only need to meet the requirements of the new law, but it will also need to be prepared to demonstrate compliance in the event of a consumer complaint or regulatory inquiry.

3. Designing and Maintaining a Privacy Compliance Program

There is no one-size-fits-all approach for developing an effective privacy program. However, there are certain general best-practice approaches that an organization can leverage when setting up its privacy program framework. Whether an organization already has a mature privacy program in place or whether it is starting from the beginning, an organization must consider its business operations, organizational structure, culture, and its values when designing privacy compliance controls that must be implemented within its business operations. Operationalizing compliance and delivering the necessary governance, accountability, and control environment will enable an organization to protect and responsibly use personal data of its customers and employees, while seizing the benefits of data-driven initiatives within its organization.

One challenge when implementing privacy controls is typically balancing privacy compliance requirements against business needs and the burdens that additional compliance steps can put on an organization’s business operations. However, an organization can minimize time to compliance if responsibilities for privacy are shared within the organization the right way. When considering how to most efficiently and effectively implement and operationalize privacy compliance, it is important to begin with the end in mind: understanding what specific privacy compliance requirements must be met, and how implementing the controls required to meet them can also benefit the organization’s overall strategic business objectives.

3.1. Organizational Accountability and Privacy Program Governance

3.1.1. Principle of Organizational Accountability

We have seen a substantial focus on the principle of “accountability” in the privacy world over the years. Both the GDPR and the LGPD mandate accountability as a legal obligation. 23 Canada included accountability in its data protection law, and many privacy and data protection authorities 24 have published opinions on the principle of accountability and guidelines for implementing an effective privacy management program to help ensure and demonstrate compliance.

The LGPD recognizes accountability as a fundamental principle of data protection. Article 6 of the LGPD states that accountability is the “demonstration by an organization of the adoption of measures which are efficient and capable of proving compliance with the rules of personal data protection, including the efficacy of such measures.” We cannot overstate the importance of considering this fundamental principle when building a privacy compliance framework – the measures and controls that an organization adopts must be “efficient and capable of proving compliance.” Therefore, it is extremely important to consider the principle of organizational accountability at the outset of the program design, including how an organization will set up its processes to fulfil data subject requests. Considering this principle in the light of executing data subject requests under the LGPD, 25 an organization can set up a process with the end in mind and implement measures and controls in a way that will enable it to demonstrate accountability and compliance with its LGPD obligations.

The Center for Information Policy Leadership (“CIPL”), a global privacy and security think tank, launched an accountability project in 2009 26 intending to define the essential elements that an organization must adopt to be accountable, and has raised the importance of incorporating the concept of “organizational accountability” into privacy laws. In 2019 CIPL published a paper outlining the following essential elements of accountability: 27

1. Leadership

2. Risk Assessment

3. Policies and Procedures

4. Transparency

5. Training and Awareness

6. Monitoring and verification

7. Response and enforcement

These essential elements of accountability provide a great framework for an organization to consider when designing a privacy program. In the United States, we have seen a greater emphasis on organizations having a comprehensive program and procedures to comply with relevant legal requirements. This is specifically highlighted in the recent Facebook settlement with the Federal Trade Commission. 28 This settlement indicates expectations about the measures that should be implemented as part of an organization’s accountable privacy program. CIPL mapped the requirements of this settlement back to the essential elements of accountability, which can serve as a great framework for an organization in designing its privacy and data protection program. 29

3.1.2. Designing a Privacy Program With the End in Mind

When designing and implementing a privacy program management framework, it is important to first identify any compliance frameworks that already exist within an organization. The concept of organizational accountability exists in many other compliance areas, such as anti-corruption, anti-money laundering and others, 30 and can be leveraged when establishing program governance for implementing privacy controls. The table below illustrates the program development steps that privacy leaders can adopt when operationalizing privacy compliance obligations.

[Table: privacy program development steps] Source: Elaborated by the author.

Program Planning. Designing a privacy program requires thoughtful planning to determine the correct scope, participants, processes, and systems needed to manage privacy compliance activities. A compliance readiness assessment can help determine the level of effort and resources needed to design, implement, and maintain a privacy program. A baseline assessment can also help determine what action plans and prioritization roadmap must be developed.

One important step when planning privacy program design is to secure the support of an organization’s executive leadership to ensure the “tone at the top” for privacy and the responsible use of personal data. When starting to plan the implementation of privacy compliance requirements, an organization must first identify an executive sponsor for their privacy program. An executive sponsor can help secure support for an organization’s privacy program, its budget, staff and expertise required to design, implement, and maintain a privacy program. An organization can also select a privacy program leader who will set and direct data privacy initiatives for the organization. This privacy program leader can then assess any existing controls in place, the overall compliance readiness and the ability of its organization to comply with data protection legal requirements, such as fulfilling data subject requests.

Program Design. By designing a privacy program management framework, an organization can strategically align its program design to a broader business strategy. An organization can design its privacy compliance activities within its broader corporate compliance program. Building a privacy program management framework in alignment with a broader corporate compliance structure can help accelerate the design and implementation of a privacy program.

To be able to comply with the LGPD accountability principle, an organization can adopt the essential “elements of accountability” in its design of the program by: (i) appointing a privacy leader that will provide strategy and program direction; (ii) planning for regular risk assessments; (iii) developing privacy policies, standards and controls to implement compliance requirements; (iv) training its staff based on roles employees have in processing personal data; (v) monitoring, verifying and enforcing compliance; (vi) implementing response procedures for data subject requests and complaints.

A centralized privacy program governance model may be suited for smaller businesses, while a federated model – with distributed resources throughout business functions – may be more appropriate for larger organizations. It is important to set the structure of the privacy team in a way that is suitable for the size and complexity of an organization.

Program Implementation. Privacy compliance and privacy program management are not one-time activities and should be considered in an organization’s long-term business planning. To ensure an organization’s privacy program aligns with its business strategy, a privacy program leader must also understand the organization’s objectives and business priorities in order to design privacy compliance activities and controls accordingly. Integrating privacy controls at the system, business process, program and enterprise levels ensures a robust and resilient privacy program. Building privacy controls into the operations, business...

7 December 2021
Available at: