LGPD Framework: An Implementation and Compliance Guide for Technology Areas

  • Sara B. O. G. Carturan UFABC
  • Beatriz M. A. Matsui UFABC
  • Denise H. Goya UFABC


Considering the unrestrained consumption of personal data, the LGPD came to protect and regulate the treatment of data, whether digital or physical. Due to the lack of technical guides to interpret the LGPD and apply it in the technology area, a gap arises that impacts IT management. This paper proposes a conceptual framework composed of domains and components to facilitate the LGPD interpretation and implementation by technology areas. The framework was mainly inspired by the essential principles of COBIT 2019 and DevOps, which transform a concept into a practical method of understanding and implementation. The LGPD framework will guide organizations to be compliant in a shorter time and to provide cultural and behavioral changes.

Palavras-chave: LGPD, framework, privacy, GDPR, DevOps, compliance


Abrahams, M. Z. and Langerman, J. J. (2018). Compliance at velocity within a devops environment. In Intl. Conf. on Digital Information Management, pages 94–101. IEEE.

Audit, I. S. and Association, C. (2018). COBIT 2019 Framework: Introduction and Methodology. ISACA.

Axelos and Office, T. S. (2019). ITIL Foundation, ITIL. ITIL 4 Foundation Series. Stationery Office.

Barata, A. and Prado, E. (2015). Governança de dados em organizações brasileiras. In Anais do XI Simpósio Brasileiro de Sistemas de Informação, pages 267–274. SBC.

Brasil (2018). Lei geral de proteção de dados (lgpd) nº 13.709 (versão compilada). Acesso em 21 de Julho de 2020.

Brodin, M. (2019). A framework for gdpr compliance for small-and medium-sized enterprises. European Journal for Security Research, 4(2):243–264.

Calder, A. (2008). ISO/IEC 38500: the IT governance standard. IT Governance Ltd.

Canedo, E. D., Toffano Seidel Calazans, A., Cerqueira, A. J., Teixeira Costa, P. H., and Seidel Masson, E. T. (2021). Agile teams’ perception in privacy requirements elicitation: Lgpd’s compliance in brazil. In 2021 IEEE 29th International Requirements Engineering Conference (RE), pages 58–69.

Carturan, S. B. O. G. and Goya, D. H. (2019). A systems-of-systems security framework for requirements definition in cloud environment. In Proceedings of the 13th European Conference on Software Architecture Volume 2, ECSA ’19, page 235–240. ACM.

Carvalho, A. P. (2021). Proposta de um framework de compliance à lei geral de proteção a dados pessoais (lgpd): um estudo de caso para prevenção a fraude no contexto de big data. Master’s thesis, UNB, Faculdade de Tecnologia, Dept. Engenharia Elétrica.

Cavoukian, A. (2020). Understanding how to implement privacy by design, one step at a time. IEEE Consumer Electronics Magazine, 9(2):78–82.

Checkland, P. and Holwell, S. (1998). Action research: its nature and validity. Systemic practice and action research, 11(1):9–21.

Dyck, A., Penners, R., and Lichter, H. (2015). Towards definitions for release engineering and devops. In IEEE/ACM 3rd Intl. Workshop on Release Engineering, pages 3–3.

Erich, F. M., Amrit, C., and Daneva, M. (2017). A qualitative study of devops usage in practice. Journal of Software: Evolution and Process, 29(6):e1885.

European-Parliament and Council (2016). Regulation (eu) 2016/679 of the european parliament and of the council of 27 april 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/ec (general data protection regulation). Acesso em 21 de Julho de 2020.

Fernandes, M. A. d. S., de Oliveira, F. G., Ferraz, F. S., da Silva, D. A., Canedo, E. D., and de Sousa Jr, R. T. (2021). Impactos da lei de proteção de dados (lgpd) brasileira no uso da computação em nuvem. Revista Ibérica de Sistemas e Tecnologias de Informação, (E42):374–385.

Graciano Neto, V., Oquendo, F., and Nakagawa, E. (2016). Systems-of-systems: Challenges for information systems research in the next 10 years.

Habl, A., Kipouridis, O., and Fottner, J. (2017). Deploying microservices for a cloudbased design of system-of-systems in intralogistics. In 2017 IEEE 15th International Conference on Industrial Informatics (INDIN), pages 861–866.

ISO 9000 quality systems handbook: increasing the quality of an Hoyle, D. (2017). organization’s outputs. Routledge.

Huth, D. (2017). A pattern catalog for gdpr compliant data protection. In 10th IFIP WG 8.1 Working Conference on the Practice of Enterprise Modelling, PoEM 2017, page 34–40. CEUR-WS.

Janvrin, D. J., Payne, E. A., Byrnes, P., Schneider, G. P., and Curtis, M. B. (2012). The updated coso internal control—integrated framework: Recommendations and opportunities for future research. Journal of Information Systems, 26(2):189–213.

Kunas, M. (2012). Implementing service quality based on ISO/IEC 20000: A management guide. IT Governance Publishing.

Leite, L., Rocha, C., Kon, F., Milojicic, D., and Meirelles, P. (2019). A survey of devops concepts and challenges. ACM Computing Surveys (CSUR), 52(6):1–35.

Lwakatare, L. E., Kilamo, T., Karvonen, T., Sauvola, T., Heikkilä, V., Itkonen, J., Kuvaja, P., Mikkonen, T., Oivo, M., and Lassenius, C. (2019). Devops in practice: A multiple case study of five companies. Information and Software Technology, 114:217–230.

Marques, S., Lisboa, A., Érico Amaral, and Lampert, V. (2021). Pdagro: Uma proposta de protocolo para compliance à lgpd. In Anais do XIII Congresso Brasileiro de Agroinformática, pages 378–381, Porto Alegre, RS, Brasil. SBC.

McCarthy, M. A., Herger, L. M., Khan, S. M., and Belgodere, B. M. (2015). Composable devops: Automated ontology based devops maturity analysis. In 2015 IEEE International Conference on Services Computing, pages 600–607.

Mendes, J. R. B., Cierco, A., and Santana, P. (2021). Privacidade Ágil: implantação da LGPD de forma ágil. Brasport.

Meriah, I. and Rabai, L. B. A. (2019). Comparative study of ontologies based iso 27000 series security standards. Procedia Computer Science, 160:85–92.

Oliveira, A. P. d., Zanetti, D., Lima, F. S., and Sampaio, T. O. (2019). A lei geral de proteção de dados brasileira na prática empresarial. Revista Jurídica da Escola Superior de Advocacia da OAB-PR. Acessado em: 15 de Janeiro de 2022.

Orlikowski, W. J. and Gash, D. C. (1994). Technological frames: making sense of information technology in organizations. ACM Transactions on Information Systems (TOIS), 12(2):174–207.

Perkins, K. (2013). Chapter 88 data loss protection. In Vacca, J. R., editor, Computer and Information Security Handbook (Third Edition), pages 1155–1172. Morgan Kaufmann, Boston, third edition edition.

Pitta, P. E. B., Costa, E., de Siqueira, J. P. L., and Lazarin, N. M. (2020). Lgpd compliance: A security persistence data layer. In Anais da XVIII Escola Regional de Redes de Computadores, pages 123–127, Porto Alegre, RS, Brasil. SBC.

Presthus, W. and Sørum, H. (2018). Are consumers concerned about privacy? an online survey emphasizing the general data protection regulation. Procedia Computer Science, 138:603–611.

Purdy, G. (2010). Iso 31000: 2009—setting a new standard for risk management. Risk Analysis: An International Journal, 30(6):881–886.

Rapôso, C. F. L., de Lima, H. M., de Oliveira Junior, W. F., Silva, P. A. F., and de Souza Barros, E. E. (2019). Lgpd-lei geral de proteção de dados pessoais em tecnologia da informação: Revisão sistemática. RACE-Revista de Administração do Cesmac, 4:58–67.

Riungu-Kalliosaari, L., Mäkinen, S., Lwakatare, L. E., Tiihonen, J., and Männistö, T. (2016). Devops adoption benefits and challenges in practice: A case study. In Intl. Conference on product-focused software process improvement, pages 590–597. Springer.

Schwartz, S. H. (1992). Universals in the content and structure of values: Theoretical advances and empirical tests in 20 countries. volume 25 of Advances in Experimental Social Psychology, pages 1–65. Academic Press.

Sharma, D. H., Dhote, C. A., and Potey, M. M. (2016). Managed data loss prevention security service in cloud. In 3rd Intl. Conf. Electrical, Electronics, Engineering Trends, Communication, Optimization and Sciences (EEECOS 2016), pages 1–4.

Teixeira, G. A., Silva, M. M., and Pereira, R. (2019a). The critical success factors of gdpr implementation: a systematic literature review. Emerald Publishing Limited, 21 No. 4:402–418. Digital Policy, Regulation and Governance.

Teixeira, P. G., Lopes, V. H. L., Pereira dos Santos, R., Kassab, M., and Graciano Neto, V. V. (2019b). The status quo of systems-of-information systems. In 2019 IEEE/ACM SESoS/WDES.

Tikkinen-Piri, C., Rohunen, A., and Markkula, J. (2018). Eu general data protection regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review, 34(1):134–153.

Venkatraman, N., Henderson, J. C., and Oldach, S. (1993). Continuous strategic alignment: Exploiting information technology capabilities for competitive success. European Management Journal, 11(2):139–149.
CARTURAN, Sara B. O. G.; MATSUI, Beatriz M. A.; GOYA, Denise H.. LGPD Framework: An Implementation and Compliance Guide for Technology Areas. In: SEMINÁRIO INTEGRADO DE SOFTWARE E HARDWARE (SEMISH), 49. , 2022, Niterói. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2022 . p. 176-187. ISSN 2595-6205. DOI: https://doi.org/10.5753/semish.2022.223289.