Evaluating and Evolving the Compliance to the Brazilian General Data Protection Law in a Federal Government Agency

Abstract

AbstractThe General Data Protection Law (LGPD) determines the principles to carry out the processing of personal data, encouraging the Brazilian Federal Public Administration (FPA) agencies to implement good practices related to data privacy. To achieve compliance with the LGPD, it is necessary to adapt the processes that involve the implementation of the digital and document compliance program, improving the procedures and internal data flows and the control in the treatment carried out on users’ personal data. This work aims to analyze an agency’s compliance with the LGPD and verify adherence to the proposed implementation process to implement and maintain general data protection in an agency. We carried out an exploratory study to elaborate the proposed process and after that we carried out a survey to collect the perception of the 54 ICT practitioners who work at the agency in relation to issues of access, transfer, security and privacy of personal and sensitive data. The survey also addressed issues related to data governance and the agency’s suitability for the LGPD. Our findings revealed that access to personal data at the agency is restricted by ICT practitioners and access is based on their activities. Most ICT practitioners recognize that the agency is concerned with the handling of personal and sensitive data, as well as recognizing the existence of governance policies to ensure the privacy and security of user data.KeywordsBrazilian General Data Protection LawPerception of IT PractitionersData privacyBrazilian Federal Public AdministrationData Protection Laws