Cemig operationalizes LGPD and privacy program with OneTrust

hydroelectric dam during spring runoff full water

Cemig is one of the largest energy companies in Brazil, operating in the generation, transmission, distribution and sale of electricity and natural gas, with businesses in 24 Brazilian states and the Federal District.

Directly serving more than 8.6 million customers, privacy is fundamental in Cemig’s relationship with customers. Privacy and Data Protection Manager at Cemig, Douglas Heleno Penaforte highlights that privacy adds value to the brand, which holds credibility, trust, ethics and transparency as the main pillars: “Privacy is very important within the company, permeating all processes and areas.” 

As part of their ethics and transparency policy, Cemig was already compliant with several Brazilian regulations that observed the right to data subjects, including the Consumer Protection Code. Compliance with the Lei Geral de Proteção de Dados (LGPD) was another step of the company towards the trust of its customers and employees.

According to Douglas, when Cemig‘s privacy team started the process of adapting to the LGPD, they didn’t realize quite how big a challenge they would face. When they carried out the mapping phase of all processes, including the various systems and databases that are used for essential activities, the team concluded that an automation solution would be needed.

“As the project matured, we identified that without a technological platform that would help us to operationalize our privacy and data governance program, it would not be possible to meet all the requirements of the law,” said Douglas.


"Privacy is very important within the company, permeating all processes and areas".


Douglas Heleno Penaforte, Privacy and Data Protection Manager


Operationalizing compliance with OneTrust

After researching and evaluating several data protection management solutions, Cemig opted for the OneTrust platform to operationalize its privacy and data governance program.

“OneTrust’s solution was the best fit to the project we outlined for our privacy program and it completely meets the mapping of all stages of the processes that we need to implement,” said Douglas.

Cemig implemented OneTrust’s DSAR module to create a standardized and automated way to receive consumer requests regarding personal data and manage them in a centralized system. The cookie compliance module was also implemented, with the creation of a geo–specific cookie banner on the company’s 3 portals, a measure that gives consumers control over cookie preferences and marketing consent.

"With the OneTrust solution it is possible to automate the DSAR process, meeting the deadline established by law, in a more transparent and reliable way for consumers and with a reduction in costs for the company".


Douglas Heleno Penaforte, Privacy and Data Protection Manager

“With the OneTrust solution it is possible to automate the DSAR process, meeting the deadline established by law, in a more transparent and reliable way for consumers and with a reduction in costs for the company,” said Douglas.

The results already permeate the entire company. One of the most relevant points for Douglas is Privacy by Design. With the structuring of the privacy program at Cemig, all products and activities carried out by the company now prioritize the privacy of consumers and employees.

“With the OneTrust platform it is easy to grant and control access, view reports and statistics, perform analyzes, and generate insights,” said Douglas.

Cemig is already implementing other OneTrust modules, including: Assessment Automation, Vendor Risk Management, Incident Response, Policy and Notice Management, Robotic Automation for DSAR, as well as Awareness Training.

With Robotic Automation for DSAR, fulfilling orders from data subjects will be even faster and safer. Cemig will be able to easily discover all systems and data sources within the company. It will then be possible to categorize, classify and connect the data back to an individual identity map to instantly process access and deletion requests.

Douglas stresses that privacy should not be limited to just one area within the company. Training the entire workforce, around 25 thousand employees, including direct and indirect employees, is essential for building a culture that prioritizes privacy. This is another step that will be supported by OneTrust with the Awareness Training modules.

“We are looking forward to training all employees, automating processes, reviewing all mapping and the data life cycle, as well as managing risks using the OneTrust platform,” said Douglas.

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more