LGPD and “the man who copied” | SEGS

With no money, but already holding the perfect plan, he enlists the help of his "friend" Cardoso and starts copying R$50 banknotes in order to put his plan for happiness into action.

This is the basic plot of The Man Who Copied, a film that illustrates the choice of crooked paths to reach a legitimate goal.

Oops... what does this have to do with LGPD compliance? Who are these "Cardosos" who push copying as the way to achieve a coveted compliance plan?

Let's move on to the facts, not only to criticize the copyists, or even the companies that accept such a practice simply because of the "lower cost", but to show that, beyond the goal not being met, a great opportunity is lost: the opportunity to improve the company and to prove to customers, employees and data subjects that the company is ethical and responsible. The opportunity to review processes and cut unnecessary maintenance expenses is lost. The opportunity to generate more value for the business, which would pay back the real investment in compliance (ROI) in short order, is lost.

Some might say, "But companies don't know how to tell copyists apart from value creators. How can you blame these managers for falling for the imitators' fallacies?" The answer is simple: to be a manager you need to be at least smart enough to realize that if several companies charge, for example, R$70-120 per hour and someone offers to do the same for R$20 or R$30, something is wrong. If the technical proposals are compared in terms of deliverables and the compliance process, the difference is easy to see, which is already a sign that something is wrong.

Another simple way to estimate the investment required for a compliance project is to multiply the average hourly rate of the professionals the process needs (legal, information security, privacy, operations, project manager, etc.) by the estimated effort.

Taking, for example, a project with an effort of 1,500 hours and an average rate of R$150.00 per hour, the value cannot be much less than R$150,000. To find out the estimated effort in hours, ask the consultants for a table of activities, deliverables and estimated hours/effort.

As we can see, we have several ways to evaluate and verify proposals.

Having addressed this potential difficulty in understanding the cost of compliance, which varies greatly with company size, number of operations, IT complexity and current information security maturity, among other variables, let us move on with our topic.

We will soon publish a basic roadmap for contracting LGPD compliance services. Why? Because if you don't know how to ask, you will receive whatever they want to tell you!

It is important to understand that becoming compliant with the LGPD is not the same as implementing the LGPD, although many implementations are essential to compliance: we will implement new controls, new processes, new policies and new technologies, within what is necessary and according to each company.

LGPD compliance starts from the understanding that we are not yet compliant. But what is the distance between the current situation and the desired compliance? To find out, an assessment of the current scenario is required, the famous "assessment". Without the results of this assessment, it is difficult for a consulting firm to price accurately what will be done.

Here we face the first dilemma: does the company need to hire and pay a consulting fee to conduct the assessment and only then move on to compliance? If the contracting company is not clear about what it should do, and depending on the consultancy, yes; but in the case of Diferencial, no, since we have a methodology that brings some stages forward, which we call Assessment+. This methodology speeds up the compliance process so that the company can make and realize improvements even during the assessment.

After this first stage, Assessment+, the company will have, in addition to a large part of the compliance work already implemented, a detailed view of what remains to be done, giving great confidence in estimating the effort and deadline for completing compliance.

The second stage is where the new processes, controls and techniques that were not possible during Assessment+ are implemented, whether because of the deadline, the approved budget or the need for budget allocation, since some implementations can be complex and require a project of their own.

The important thing, to tie the content back to the title of this article, is that the policies for security, privacy, access, information technology and data management, among many other documents, are prepared and implemented according to each company. Although a "standard" can be used as a model, there is no way to simply copy and apply the model. The model is just a model. Although it seems needless to say, many people present the template as the final version. It is not enough to change the company name; the document must be adapted to the company's scenario, culture and people. It must be applicable and feasible to implement, monitor, audit, measure and improve. The document cannot contain requirements that will not be followed because they do not apply to the target company. There is no way to call it "compliant" if the written document is dead, i.e. never tested by the company.

Unfortunately, we have already seen this in practice. To give you an idea, one portfolio case is a large law firm having its compliance work "redone", or rather done properly, because what it had was just a rendition of "the man who copied".

How do we recognize them? How do you identify them? How do they multiply? Simple: how long have they been in the security or privacy market? Are they alumni of MBI (Master Business Instagram) courses? Do they charge an hourly rate well below the minimum for a professional with the seniority the job requires? Do they promise to complete compliance in 100 hours?

In short, use common sense, logical reasoning and basic comparison with other serious companies in the market, and even with other consulting work you hire.

In conclusion: if you don't know what you need, any compliance proposal will do!

To find out more, consult us at www.diferencial.com.br.

Salumao de Oliveira is a member of ANADD | Anako | ANPPD and a professor of disciplines related to information security, privacy, data protection, risk management and IT management. He is a certified EXIN instructor for the Information Security Foundation (ISFS) course based on the NBR ISO/IEC 27002 standard and the Green IT standard, and has extensive experience in IT risk management projects and in implementing Information Security and IT Governance functions.

A graduate in Business Administration with a concentration in Information Systems Management, Oliveira holds an MBA in Information Security, a supplementary qualification in Digital Law and a DPO qualification from EXIN International (ISFS, PDPF and PDPP certifications).