"The human being at the center of the system."
Stop blaming people. Start fixing systems. The aviation-grade GRC framework for privacy governance and organisational resilience.
Most organisations have the policies. Few have the culture. When people hide mistakes instead of reporting them, no audit, firewall, or compliance checklist will save you.
A Monday morning. An employee opens an email that looks legitimate. One click. Ransomware spreads across the network. The company loses access to critical data.
70% of security incidents involve human error — yet the standard response is to punish the human, not fix the system.
What if aviation had taken the same approach?
We would never have reached 99.999% safety.
Three frameworks, adapted from aerospace safety science, now applied to privacy governance and GRC. Each one answers a different question.
Instead of asking "who failed?", SHELL forces us to map every contributing factor across 5 system interfaces. In a phishing case, 26 factors were identified — none of them were "the employee was careless."
Applications, systems, tools — was the email filter updated?
Devices, infrastructure — was the workstation patched?
Culture, policies — was there a reporting culture?
The individual — training, fatigue, cognitive load
Team, communication — was the threat shared?
Three frameworks. One methodology. One question remains:
What does this look like in the real world?
Select your industry
story.act3.intro.healthcare
TechMed is not unique. These results replicate across industries — healthcare, finance, retail, manufacturing, government. Anywhere humans interact with systems, Just Culture works.
The question is not whether it works. The question is: when does your organization start?
The SHELL-Privacy™ and MEDA-Privacy™ frameworks — with templates, decision trees, case studies, and step-by-step implementation guides — documented in full.
The SHELL-Privacy™ and MEDA-Privacy™ frameworks bring aviation's Just Culture methodology into privacy governance — helping organisations move from reactive compliance to genuine accountability.
shell.diagram.caption
Each NIST 800-53 control family is a slice of Swiss cheese — with its own holes. An incident occurs only when the holes align across multiple layers. SHELL-Privacy™ investigates why those holes exist in the first place.
"NIST 800-53 maps the cheese. SHELL-Privacy™ investigates why the cheese has holes."
Systemic Analysis
Analyze the 4 critical interfaces: Software, Hardware, Environment, and Liveware.
Root Cause Investigation
A structured investigation process to find root causes, not scapegoats.
Human Factors Model
Contextualize every incident by analyzing People, Environment, Actions, and Resources — a human factors model adapted from aviation to privacy governance.
Who was involved? Training, experience, fatigue, cognitive biases, and human limitations that influenced the incident.
What was the context? Physical, organizational, regulatory, and cultural conditions surrounding the event.
What was done or omitted? The specific behaviors, decisions, and omissions that contributed to the incident.
What tools were available? Technology, time, information, and support that were present or absent during the incident.
Inspired by aviation's proven safety culture — where incidents are learning opportunities, not punishments. Applied to privacy governance and GRC.
Join hundreds of organizations adopting the Just Culture approach.
For 14 years, Anderson practiced law. He drafted contracts, navigated regulations, and watched organizations invest millions in compliance — only to remain vulnerable.
The pattern was always the same: when something went wrong, someone got fired. The fear spread. People stopped reporting. The real vulnerabilities stayed hidden. And the incidents kept coming.
Then he found aviation. An industry that achieved 99.999% safety — not by punishing pilots, but by designing systems that learn from every error. That insight changed everything.
"Security and privacy are, at their core, human challenges — not technical ones."
— Anderson Andrade
Graduated in Law from Centro Universitário de Belo Horizonte. Beginning of a 14-year legal career focused on compliance and organizational protection.
Specialized in Regime Jurídico dos Recursos Minerais e Hídricos at Faculdade Milton Campos. Deepened understanding of regulatory frameworks and systemic risk.
Founded Privacy Default Consulting to help organizations build privacy and security cultures that create competitive advantage through trust, not just regulatory compliance.
Led full LGPD implementation at Clinicarx, training 100% of 50+ employees. Worked with major pharmaceutical industry players across Brazil on data protection contracts and negotiations.
Elected Vice-Coordinator of APDADOS (National Association of Data Privacy Professionals) in Paraná. Advocated for professionals, delivered courses, and established partnerships with SEBRAE/PR and major organizations.
As DPO as a Service at Brotto Campelo Advogados, implemented LGPD across medium and large organizations in healthcare, government, manufacturing, real estate, startups, retail, and hospitality — including Biotrop, SESI Paraná, and organizations in São Paulo and Santa Catarina. Trained 1,000+ employees.
Co-authored Bill PL-4/2022 at APDADOS, proposing tax incentives for LGPD compliance investments. Submitted to the Brazilian Federal Senate — translating field experience into national policy.
After years observing how blame culture undermined privacy governance, adapted aviation's Just Culture methodology to GRC. Published 4 books in EN/PT/FR/ES. The frameworks are now used in conferences, workshops, and consulting engagements worldwide.
Enrolled in MBA in Information Security Management at FACINT, deepening expertise in SOC analysis, ethical hacking, risk management, and PMBOK. Continuing to bridge legal, human, and technical dimensions of security.
INSIGHTS & RESEARCH
Grounded in law, human factors research and 15+ years of GRC practice.
Ann Cavoukian's 7 principles are now legal obligations in GDPR, LGPD, and PIPEDA. Most organisations treat them as intent. SHELL-Privacy™ maps each principle to a specific organisational interface with concrete, auditable actions.
Certifications expire in practice, not on paper. Since 2022, ANPD, EDPB, PIPEDA and Quebec's Law 25 have all shifted. Four critical gaps — incident management, RoPA, AI governance, SARs — and why accumulating badges solves none of them.
Aviation achieved 99.999% safety not by punishing pilots, but by designing systems that learn from every error. SHELL-Privacy™ applies the same systemic logic to data privacy incidents.
NIST AI RMF, EU AI Act, ISO 42001 — none of them answer the question the regulator asks first: what did the human do, or fail to do? SHELL-Privacy™ and MEDA-Privacy™ fill the missing layer.
The LGPD defines what organisations must do. The SHELL-Privacy™, MEDA-Privacy™ and PEAR frameworks provide the how — mapping the human, systemic and investigative dimensions that the law demands but does not detail.
As AI systems make decisions faster than humans can review them, mature governance frameworks become the only sustainable path. The PEAR model offers a human-centred lens for AI risk classification.
When employees hide mistakes for fear of punishment, no audit or firewall will save you. MEDA-Privacy™ replaces the punitive cycle with a structured investigative process that turns incidents into organisational learning.
Verizon DBIR 2024 shows 68% of breaches involve the human factor — yet security awareness spending grows every year. The problem is not the training. It is the question being asked. SHELL-Privacy™ investigates why the system failed, not just who clicked the wrong link.
A French Navy officer jogged 35 minutes on the deck of the Charles de Gaulle. His Strava profile was public. Within 24 hours, a newspaper located the carrier in near real-time. No hacker. No cyberattack. Just a habitual behavior in a system without proportional controls. SHELL-Privacy™ analysis across 5 interfaces.
Want to go deeper?
The book covers all three frameworks in detail, with case studies, templates and implementation guides.
Episodes on LGPD, GDPR, PIPEDA, cybersecurity incidents, and human-centric governance. Videos in Portuguese · Subtitles in EN · FR · ES.
"Be inspired and fly."
Interested in lectures, workshops, consulting or partnerships? Send a message.
MBA | DPO | CISO | GRC Leader
Privacy Default Consulting
We use cookies to improve your experience and analyse site traffic. As a DPO-led platform, we take your privacy seriously — in compliance with LGPD, GDPR, and PIPEDA. Learn more
LGPD · GDPR · PIPEDA compliant · DPO: Anderson Andrade
