Abstract

Context: Data privacy and data security became a priority among the problems faced by many Brazilian organizations that should be compliant with the Lei Geral de Proteção de Dados Pessoais (LGPD). This law defines the privacy rights on user data and penalties to the ones that break it. Problem: In a compliance program, business processes are of fundamental importance since they are the most important pillar of information security. However, an approach to guide companies to assess and achieve compliance with LGPD on their business processes is missing. Objective: This work proposes the LGPD4BP (LGPD for Business Process) method, which is composed by an evaluation questionnaire and a modelling method with a modelling patterns catalog. Method: To develop LGPD4BP, we carried out a literature review, an analysis of privacy laws, in particular the LGPD, and relevant works on the area. Results: The method was applied on a case study of Colégio de Aplicação from Federal University of Pernambuco and validated by a postgraduate class which applied the method and answered a questionnaire about easiness and completeness of the method. Conclusions: The results from students evaluations showed that the most hard step is the business process modeling and not the components from the proposed method.