Incorporating LGPD Requirements and Restrictions into Database Design

DOI:

https://doi.org/10.5753/jidm.2026.5859

Keywords:

LGPD, Data Protection, Database Design, Metadata

Abstract

The Brazilian General Data Protection Law (LGPD) specifies how personal data processing, storage, and disposal should be conducted, conditioning it on the prior authorization of the data subject. On the other hand, current information systems rely heavily on personal data and, therefore, must comply with the LGPD. In this context, the database system becomes an even more critical component in software development, as it is responsible for storing, updating, and retrieving data. However, the methodologies and tools used for database design do not incorporate the requirements and constraints of the LGPD, making it difficult to ensure that databases comply with current legislation. This article presents a methodology, called LGPDbyD, to incorporate the impositions and principles of the LGPD into the database design process. To achieve this, we extend the ER model, the Relational model, and the CREATE TABLE command. Additionally, we discuss how to model, design, and implement the concepts of purpose, consent, and personal data retention period. Finally, we extend the brModelo tool to provide support for the requirements and constraints of the LGPD. LGPDbyD aims to facilitate the processes of database design and auditing in compliance with the LGPD.

Published

2026-03-13

How to Cite

Vieira, P., Monteiro, J. M., Machado, J., & Brayner, A. (2026). Incorporating LGPD Requirements and Restrictions into Database Design. Journal of Information and Data Management, 17(1), 133–145. https://doi.org/10.5753/jidm.2026.5859

Section

SBBD 2024 Full papers - Extended papers