The recent publication of documents by the working groups of Brazil's National Data Protection Council (CNPD), containing inputs for the development of the National Personal Data Protection and Privacy Policy, enables a comprehensive assessment of considerations and recommendations related to information security.
Information security and cybersecurity have emerged as indispensable pillars for Brazil's advancement in the digital age. The published reports underscore that these areas are crucial not only for economic and technological development and innovation, but also for protecting the fundamental rights of citizens (CNPPD GTT5-GTT6). In the context of LGPD (Brazil's General Data Protection Law), the effectiveness of data protection is intrinsically dependent on robust security measures, aimed at ensuring digital trust and full citizenship (CNPPD GTT1-GTT5).
Despite the recognition of its importance, Brazil still faces considerable challenges in effectively implementing cybersecurity and data protection (CNPPD GTT1). Alarming data reveals a low level of overall compliance with the LGPD, especially among small businesses — with only 25% of them (22% of small companies) having a dedicated area or staff for personal data protection in 2023 (CNPPD GTT1). Outdated technological infrastructure in many public and private organizations represents a significant obstacle to adopting modern security measures, such as robust encryption and intrusion detection systems (CNPPD GTT1).
In response to this scenario, Brazil's National Data Protection Authority (ANPD) and other institutions have launched initiatives to strengthen cybersecurity and data management (CNPPD GTT1-GTT4). The ANPD, for example, has intensified monitoring of the financial and telecommunications markets (CNPPD GTT1-GTT5) and publishes Guidance Guides and Technical Notes to clarify the application of the law (CNPPD GTT1). Programs such as PPSI (Information Privacy and Security Program) and courses from ENAP aim to train civil servants and citizens in personal data protection and digital security (CNPPD GTT1-GTT4). Adherence to international standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework is also encouraged to strengthen cybersecurity and data management (CNPPD GTT3-GTT4).
Information security permeates several practical areas. In the financial market and e-commerce, the processing of personal data is essential for identifying anomalous behavior and preventing fraud, with Bacen and SUSEP already having cybersecurity policies and fraud prevention requirements in place (CNPPD GTT5). Robust authentication, including multifactor and behavioral biometrics, is cited as one of the main barriers against scams (CNPPD GTT5).
The LGPD is therefore seen as an essential regulatory framework for formalizing this concern for information security in Brazil (CNPPD GTT5).
The integration of privacy into design (privacy by design) and the application of anonymization and pseudonymization techniques are crucial (CNPPD GTT5). In the healthcare sector, ANVISA has published guidelines on Computerized Systems Validation and Cybersecurity in Medical Devices (CNPPD GTT5), and CNSaúde has established measures for the processing and sharing of sensitive data (CNPPD GTT5). Incidents such as health data breaches reinforce the critical need for preventive and response measures (CNPPD GTT5).
Training and cultural awareness are essential for strengthening information security. The documents emphasize the importance of regular employee training, frequent audits, and the establishment of incident response plans (CNPPD GTT1). The lack of digital literacy among the population and the State's limited capacity to investigate incidents contribute to the rise of digital scams and fraud (CNPPD GTT1). In addition, there is an effort to harmonize the LGPD with the Freedom of Information Act (LAI), dispelling the notion that the LGPD unduly restricts access to public information and promoting transparency alongside security (CNPPD GTT6).
Finally, the documents demonstrate that information security and cybersecurity are fundamental to digital trust, economic sustainability, and the full exercise of citizenship in Brazil. The path forward involves overcoming maturity and infrastructure gaps through clear regulation, continuous training, rigorous enforcement, and effective multi-sector collaboration among government, the private sector, and civil society.
Access the full content of all CNPD working group documents here.
Note: The text includes in-text references (in the format CNPPD GTTx, where x represents the relevant working group number) to support the points made. To access the referenced content, simply follow the link above and select the report of the desired working group.
This post was summarized from its original version with the use of AI, with human review.