MMAI-LGPD: A Maturity Model for Governance and Data Compliance in Information Systems Institutions
Abstract
Context: The Brazilian General Data Protection Law (LGPD) requires organizations to implement governance, compliance, and data security frameworks. This requirement weighs particularly on institutions that manage Information Systems (IS), which must align technological innovation with regulatory demands. The MMAI-LGPD addresses this gap by integrating legal, organizational, and technological dimensions into a structured compliance framework tailored to IS institutions. Problem: Despite the urgency of LGPD compliance, no widely adopted maturity model has been designed specifically for IS institutions, leaving organizations struggling to balance governance, security, and operational efficiency while meeting legal and ethical requirements. Solution: This paper presents the MMAI-LGPD, a model that categorizes compliance into five maturity levels and defines 57 items across six dimensions, offering a pathway for improving governance, security, and data management practices. IS Theory: The research adopts a sociotechnical approach, building on maturity models in Information Systems to integrate governance, technology, and legal perspectives. Method: A qualitative, prescriptive approach was used, combining content analysis of LGPD requirements with case studies at six IS institutions. Axial coding was used to validate the model's applicability and to identify organizational gaps in compliance practices. Results: The MMAI-LGPD provides a practical tool for assessing and improving compliance maturity. Validation in the case studies supports its effectiveness in aligning governance, technology, and legal frameworks in IS institutions. Contributions and Impact on IS: This research bridges academia and practice, advancing maturity model studies in IS. The MMAI-LGPD enables IS institutions to meet regulatory demands while fostering ethical and sustainable practices in digital ecosystems.