Enhancing LGPD Compliance: Evaluating a Checklist for LGPD Quality Attributes within a Government Office

Resumo

The purpose of establishing the Brazilian General Data Protection Law (LGPD) was to introduce regulations for organizations regarding collecting, transmitting, and storing individuals’ data. However, understanding the LGPD poses a significant challenge for requirements analysts, particularly in extracting and operationalizing privacy requirements. This experience report proposes to assess and enhance an existing checklist known as LGPD-Check, which serves as a method for evaluating software systems’ compliance with the quality attributes specified by the LGPD. The assessment checklist consists of multiple attributes distributed among several evaluation categories, including data transparency, holder consent, holder’s rights, data security, and controller’s responsibility. The LGPD-Check was applied within a government office to evaluate the checklist’s effectiveness, involving eight IT professionals responsible for different web applications, followed by a focus group meeting. Moreover, we evaluate the office’s systems regarding compliance with the LGPD. Preliminary findings indicate that the current version of the checklist facilitates the identification of issues related to software systems’ compliance with the LGPD and shows that we have a long journey to attend the LGPD in our software systems.