Privacy Policy

PRIVACY RISK MANAGEMENT STRUCTURE

PIPEK ADVOGADOS

  1. Definition of Roles and Responsibilities

1.1. Appointment of the Person in Charge (DPO – Data Protection Officer)

  • Document: DPO Appointment Term with his responsibilities and qualifications.

1.2. Establish a Privacy Committee.

  • Document: Minutes of Creation of the Committee and definition of members.

  2. Privacy Risk Assessment (Privacy Impact Assessment – PIA)

2.1. Identify all processes that involve personal data.

  • Document: List of processes and categories of personal data processed.

2.2. Assess risks associated with each process.

  • Document: Privacy Risk Assessment Report for each process.

  3. Privacy Policies and Procedures

3.1. Create or review the office’s Privacy and Data Protection Policy.

  • Document: Updated Privacy Policy.

3.2. Establish procedures for handling holders’ (data subjects’) rights (access, rectification, deletion, etc.).

  • Document: Procedures for Responding to Holders’ Rights.

  4. Training and Awareness

4.1. Create a privacy training program for all employees.

  • Document: Training Material and record of employee participation.

  5. Incident Response Processes

5.1. Define a clear security incident response process.

  • Document: Incident Response Procedure and Incident Registration Form.

  6. Review and Monitoring

6.1. Establish a frequency for reviewing risk and policy assessments.

  • Document: Privacy Review Calendar.

  7. Processing Agreements

7.1. Ensure that all service providers and correspondents have agreements that comply with the LGPD and GDPR (if applicable).

  • Document: Data Processing Agreement Models.

  8. Audit Mechanisms

8.1. Implement regular audit processes to ensure compliance.

  • Document: Audit Procedure and LGPD Compliance Checklist.

  9. Legal Review

9.1. Assess specific legal obligations related to legal proceedings and how they align with the LGPD.

  • Document: Legal Compliance Report.

  10. Communication with Stakeholders

10.1. Establish clear channels of communication with interested parties regarding privacy issues.

  • Document: Privacy Communication Guidelines.

HANDLING PRIVACY INCIDENTS

PIPEK ADVOGADOS

  1. Objectives:

Establish a structured and effective process to manage and respond to privacy incidents, ensuring compliance with the General Data Protection Law (LGPD) and minimizing potential adverse impacts.

  2. Scope of application:

This procedure applies to all employees, service providers, correspondents and lawyers, whether partners, associates or sole proprietorships, who have access to, manipulate or are involved in the processing of personal data within the office.

  3. Definitions:

  • Privacy Incident: Unplanned event that results in unauthorized access, disclosure, alteration, destruction or loss of personal data.

  • Response Team: Multidisciplinary group designated to manage incidents, including members from the legal, IT and communication areas.

  4. Procedures:

4.1. Detection and Reporting:

  • Reporting Responsibility: Every member of the organization, including temporary workers, contractors and service providers, has a duty to report incidents. This responsibility must be clearly communicated during integration and training processes.

  • Detection Mechanisms: Implement detection solutions, such as intrusion detection systems (IDS) and security monitoring solutions, that generate automatic alerts on suspicious activity.

  • Communication Channels: Establish clear and accessible channels for reporting incidents, such as hotlines, specific emails and online forms.

  • Training: Conduct periodic training so that employees recognize signs of possible security incidents and know how and when to report them.

4.2. Initial Assessment:

  • Assessment Criteria: In addition to severity, assess the type of data involved, the number of people affected and the potential reputational impact.

  • Assessment Team: The team must be multidisciplinary, involving information security, legal and communication experts, for a holistic assessment.

  • Documentation: Create a detailed record of the incident, including date, time, who reported it, nature of the incident, data involved and initial actions taken.

4.3. Containment:

  • Rapid Response: Establish a rapid response team that can be mobilized immediately upon detection of the incident.

  • Backup Evidence: Before making any changes, make backup copies of all affected systems for later forensic analysis.

  • Contingency Plans: Have pre-defined plans for different incident scenarios, allowing quick and effective action.

4.4. Research and Analysis:

  • Forensic Tools: Use appropriate tools to collect and analyze evidence without compromising its integrity.

  • Outside Experts: In complex cases, consider hiring outside experts in forensic analysis.

  • Detailed Report: This report should include a chronology of events, attack methods, exploited vulnerabilities, compromised data, and recommendations to prevent future incidents. It is recommended to use the model provided by the ANPD.

4.5. Notification to the ANPD and Holders:

  • Clear Communication: Notifications must be clear, transparent and in accessible language, avoiding complicated technical terms.

  • Relevant Information: Include what happened, what data was affected, what the consequences are, what the organization is doing about it, and how individuals can protect themselves.

  • Legal Advice: Before sending any notification, consult the legal team to ensure that all legal obligations are being met.

4.6. Mitigation and Recovery:

  • Action Plan: Establish a specific action plan for each type of incident, taking into account the type of data compromised, the number of data subjects affected and the nature of the incident.

  • Data Recovery: If data is lost, initiate recovery from the most recent backups, ensuring that these backups have not been compromised. Verify the integrity of recovered data.

  • Vulnerability Remediation: Identify and remediate the vulnerabilities that caused the incident, whether through software updates, configuration changes, or process reviews. Conduct penetration tests or audits to confirm effective resolution of flaws.

  • Internal Communication: Inform relevant departments and teams about the status of mitigation and recovery, ensuring everyone is aware of the actions taken and any implications for their operations.

4.7. Post-Incident Review:

  • Critical Analysis: Convene the multidisciplinary team for a post-incident review session. The goal is to evaluate what worked, what didn’t work, and why.

  • Feedback from Stakeholders: Collect feedback from all parties involved in managing the incident. This includes IT, legal, communications teams, among others.

  • Detailed Report: Prepare a detailed report of the incident, including timeline, causes identified, actions taken, and results. This report must be archived and available for future review or regulatory inspections.

  • Improvement Recommendations: Based on review and feedback, list specific recommendations to improve prevention, detection, and response to future incidents.

Based on the LGPD and best information security and data protection practices, item 5, “Training and Awareness”, can be improved as follows:

  5. Training and Awareness:

5.1. Continuous Awareness Program: Establish a continuous training and awareness program in personal data protection and information security, aiming to ensure the continuous updating of everyone involved in the face of changing scenarios, emerging risks and legal updates.

5.1.1. Session Frequency: Conduct training sessions every 6 months, or at shorter intervals if necessary, especially after updating policies, procedures or in case of relevant incidents.

5.1.2. Specific Target Audience: Training must be segmented according to the participant’s role and level of access to information, ensuring that each individual receives instructions relevant to their role and responsibilities.

5.1.3. Updated Content: Ensure that training content reflects the latest updates to the LGPD, as well as other applicable legislation, and incorporates best market practices.

5.1.4. Interactive Methods: Use interactive methods, such as simulations and practical scenarios, to better engage participants and improve their understanding.

5.1.5. Assessment and Feedback: At the end of each session, conduct an assessment to measure participants’ understanding of the content presented and collect feedback for continuous improvement.

5.1.6. Documentation and Registration: Maintain a detailed record of all training carried out, including dates, participants, content covered and evaluation results, for audit purposes and proof of compliance with the LGPD.

5.1.7. Digital Resources: Consider implementing e-learning platforms to facilitate access and attendance at training, allowing greater flexibility for employees and ensuring broader coverage.

5.1.8. Alerts and Communications: Establish a routine of communications and periodic alerts on security and data protection issues, reinforcing the importance of awareness in everyday life and promoting a culture of data protection in the organization.

  6. Monitoring and Update:

  • Review the procedure quarterly, or whenever there are significant changes in the organization’s technological, operational or legal environment. Additionally, a review is required immediately after each significant incident.

  • Establish a review committee comprised of representatives from legal, information security, and operations to ensure that all perspectives are considered in the review.

  • Proactively monitor legal changes related to data protection and information security to ensure ongoing compliance with the LGPD and other relevant legislation.

  • Participate in specialized forums and discussion groups to stay up to date with best practices and trends in security incident management.

  7. Documentation and Registration:

  • Maintain detailed records of all incidents, including the nature of the incident, the personal data affected, the measures taken to contain and remediate the incident, and all communications related to the incident.

  • Ensure incident records are maintained securely, encrypted, and accessible only to authorized individuals to protect the integrity and confidentiality of information.

  • Establish a retention period for incident records, taking into account legal and regulatory obligations, as well as the organization’s operational needs.

  • Document all review processes and procedures, including dates, participants, and recommended and implemented changes.

  • Establish a robust audit trail for all records, ensuring transparency and accountability regarding incident management.