Using MCDA for Selecting Criteria of LGPD Compliant Personal Data Security

The protection of personal data is a problem that has been discussed in several countries. Most countries create laws and regulations to protect fundamental rights and privacy. The main data protection regulation approved by the European Union (EU) is the General Data Protection Regulation (GDPR). This regulation regulates how personal data should be protected and how data may be shared between other countries. Brazil recently enacted the Brazilian General Data Protection Law (LGPD) with various standards for security and privacy of personal data. This paper aims to select the best alternatives for the implementation of security criteria at the University of Brasília (UnB). We use the Multiple Criteria Decision Analysis (MCDA) process with the Preference Ranking Organization Method for Enriched Evaluation (PROMETHEE) II method to select the best to worst alternatives, according to the criteria selected in the MCDA process using the method Analytic Hierarchy Process (AHP). The results found demonstrate that the Data Privacy Risks criterion is the highest priority criterion for the implementation of personal data security at UnB since LGPD’s main objective is to keep personal data private and accessible only to the data subject. Furthermore, it was found that the LGPD principles with the highest implementation priority were: 0.28 Priority Security, 0.26 Priority Needs and 0.25 Priority Prevention.