PUBLICATIONS & WHITE PAPERS

Evidence-Based Research on Privacy Governance

Analytical white papers, comparative studies and frameworks documentation — available in four languages. Each publication includes a full syllabus and learning outcomes so you know exactly what you will gain before downloading.

All content is protected by copyright. Reproduction without written permission is strictly prohibited. © 2025 Anderson Andrade.
GRC & Compliance · ★ Featured · March 2025 · 12 min read · 7 pages · SP-WP-001

LGPD & the SHELL-Privacy™, MEDA-Privacy™ and PEAR Frameworks: A Comparative Analysis

How human-centric GRC frameworks operationalise the 10 principles of Brazil's General Data Protection Law — transforming legal compliance into a living privacy governance programme. Analytical white paper with full LGPD × SHELL × MEDA × PEAR mapping table. Referenced by APDADOS library.

Tags: LGPD · SHELL-Privacy™ · MEDA-Privacy™ · PEAR · ANPD · APDADOS · Just Culture · GRC

Document Structure — 7 sections

1. Introduction: Context & Scope

  • The gap between legal obligation and organisational culture
  • Why 68–85% of data breaches involve the human element (Verizon DBIR 2024)
  • The aviation analogy: from 40 fatal accidents per million flights (1970) to 0.07 (2023)
  • Overview of the three frameworks and their relationship to the LGPD

2. Part I: The 10 Principles of the LGPD (Art. 6)

  • Full table: Principle · Legal definition · Operational implication
  • Finality, Adequacy, Necessity, Free Access, Data Quality
  • Transparency, Security, Prevention, Non-discrimination, Accountability
  • APDADOS library reference on systemic compliance programmes

3. Part II: SHELL-Privacy™ Framework

  • Origin: adaptation of the SHELL model from civil aviation (Edwards, 1972)
  • The 5 components: Software · Hardware · Environment · Liveware (central) · Liveware (peripheral)
  • Mapping table: SHELL component × LGPD principles addressed
  • Interface analysis as the foundation of Accountability (Art. 6, X)

4. Part III: MEDA-Privacy™ Framework

  • Origin: adaptation of Boeing's MEDA (Maintenance Error Decision Aid)
  • The 5-step investigation process: Identification → Error Analysis → Contributing Factors → Behaviour Classification → Preventive Action Plan
  • Just Culture vs. Blame Culture in privacy incident response
  • Mapping table: MEDA stage × LGPD principle × ANPD reporting requirements

5. Part IV: PEAR Model

  • The 4 factors: People · Environment · Actions · Resources
  • How PEAR contextualises each incident beyond individual blame
  • Connection to Non-discrimination (Art. 6, IX) and proportionate response
  • PEAR as a post-incident analysis lens complementary to SHELL and MEDA

6. Part V: Integrated Comparative Analysis

  • Consolidated mapping table: 10 LGPD principles × SHELL-Privacy™ × MEDA-Privacy™ × PEAR
  • Which framework addresses which principle — and how they complement each other
  • Practical reading guide for DPOs, GRC teams and legal counsel

7. Part VI + Conclusion: Why LGPD Needs Human Factors Frameworks

  • Lessons from 15 years of GDPR implementation in Europe
  • APDADOS: systemic compliance integrates culture, process and technology
  • From legal obligations to a living governance programme
  • Full reference list (LGPD, ANPD, APDADOS, Verizon DBIR, Boeing MEDA)

GRC & Compliance · March 2025 · 12 min read · 7 pages · SP-WP-002

GDPR & the SHELL-Privacy™, MEDA-Privacy™ and PEAR Frameworks: A Comparative Analysis

A structured mapping of the GDPR's 7 principles and 8 data-subject rights to the SHELL-Privacy™ interface model, MEDA-Privacy™ incident investigation process, and PEAR human-factors contextualisation — operationalising EU data protection law through a human-centric GRC lens.

Tags: GDPR · SHELL-Privacy™ · MEDA-Privacy™ · PEAR · EDPB · DPO · Just Culture · GRC

Document Structure — 6 sections

1. Introduction: Context & Scope

  • The GDPR as the global gold standard for data protection regulation
  • Why technical compliance alone fails: the human element in 68% of breaches (Verizon DBIR 2024)
  • The aviation analogy: systemic safety culture applied to privacy governance
  • Overview of the three frameworks and their relationship to the GDPR

2. Part I: The 7 Principles of the GDPR (Art. 5)

  • Full table: Principle · Legal definition · Operational implication
  • Lawfulness, Fairness & Transparency · Purpose Limitation · Data Minimisation
  • Accuracy · Storage Limitation · Integrity & Confidentiality · Accountability
  • The 8 data-subject rights: Access, Erasure, Portability, Restriction, Objection, Rectification, Withdrawal of consent

3. Part II: SHELL-Privacy™ × GDPR Mapping

  • Software: GDPR Art. 25 (Privacy by Design & Default), Art. 32 (Security of Processing)
  • Hardware: Physical security of processing systems and devices
  • Environment: Organisational culture, policies, DPA supervision context
  • Liveware (central): DPO obligations (Art. 37–39), staff training requirements
  • Liveware (peripheral): Data subjects, processors, joint controllers — interface management

4. Part III: MEDA-Privacy™ × GDPR Incident Response

  • 72-hour breach notification requirement (Art. 33) and the MEDA investigation timeline
  • Mapping MEDA's 5 steps to GDPR's breach assessment and documentation requirements
  • EDPB Guidelines on Art. 33 and 34 — how MEDA-Privacy™ satisfies documentation obligations
  • Just Culture approach to GDPR enforcement: systemic remediation vs. individual blame

5. Part IV: PEAR × GDPR Human Factors

  • PEAR contextualisation of GDPR Art. 5(1)(f) — Integrity & Confidentiality
  • How PEAR supports proportionate response under GDPR's non-discrimination principle
  • Resources analysis: adequacy of DPO support, training budgets, and tooling
  • Environment analysis: supervisory authority culture and organisational privacy maturity

6. Part V + Conclusion: Integrated Mapping & Practical Roadmap

  • Consolidated mapping table: 7 GDPR principles × SHELL-Privacy™ × MEDA-Privacy™ × PEAR
  • 5-step implementation roadmap for GDPR-compliant organisations
  • From legal obligations to a living privacy governance programme
  • Full reference list (GDPR, EDPB, Verizon DBIR, Boeing MEDA, APDADOS)

GRC & Compliance · March 2025 · 12 min read · 7 pages · SP-WP-003

PIPEDA & the SHELL-Privacy™, MEDA-Privacy™ and PEAR Frameworks: A Comparative Analysis

A structured mapping of Canada's PIPEDA 10 Fair Information Principles to the SHELL-Privacy™ interface model, MEDA-Privacy™ incident investigation process, and PEAR human-factors contextualisation — with direct relevance to the incoming Bill C-27 (CPPA) transition.

Tags: PIPEDA · SHELL-Privacy™ · MEDA-Privacy™ · PEAR · OPC · Bill C-27 · CPPA · Canada · GRC

Document Structure — 6 sections

1. Introduction: Context & Scope

  • PIPEDA as Canada's federal private-sector privacy law since 2000
  • The PIPEDA breach reporting regulations (2018) and their operational demands
  • Bill C-27 (CPPA) — Canada's proposed GDPR-equivalent and what changes
  • Overview of the three frameworks and their relationship to PIPEDA

2. Part I: The 10 Fair Information Principles of PIPEDA

  • Full table: Principle · Legal definition · Operational implication
  • Accountability · Identifying Purposes · Consent · Limiting Collection · Limiting Use
  • Accuracy · Safeguards · Openness · Individual Access · Challenging Compliance
  • Comparison with GDPR principles: convergences and divergences

3. Part II: SHELL-Privacy™ × PIPEDA Mapping

  • Software: PIPEDA Safeguards principle — technical security measures
  • Hardware: Physical security of personal information storage and processing
  • Environment: Organisational policies, Privacy Management Programme (PMP) requirements
  • Liveware (central): CPO/DPO accountability obligations under PIPEDA Principle 1
  • Liveware (peripheral): Third-party processors, data-sharing agreements, consent management

4. Part III: MEDA-Privacy™ × PIPEDA Breach Response

  • PIPEDA's breach reporting regulations: real risk of significant harm (RROSH) assessment
  • Mapping MEDA's 5 steps to PIPEDA's breach assessment and OPC notification requirements
  • Record-keeping obligations (24 months) and how MEDA-Privacy™ satisfies them
  • Just Culture approach to PIPEDA enforcement: systemic remediation vs. individual blame

5. Part IV: PEAR × PIPEDA Human Factors

  • PEAR contextualisation of PIPEDA's Safeguards principle
  • How PEAR supports proportionate response under PIPEDA's Challenging Compliance principle
  • Resources analysis: adequacy of privacy training, tools, and budget in Canadian organisations
  • Environment analysis: OPC guidance culture and organisational privacy maturity in Canada

6. Part V + Conclusion: Integrated Mapping, Bill C-27 & Practical Roadmap

  • Consolidated mapping table: 10 PIPEDA principles × SHELL-Privacy™ × MEDA-Privacy™ × PEAR
  • 5-step implementation roadmap for PIPEDA-compliant Canadian organisations
  • Preparing for Bill C-27 (CPPA): what the SHELL/MEDA/PEAR approach already covers
  • Full reference list (PIPEDA, OPC, Bill C-27, Verizon DBIR, Boeing MEDA)

GRC & Compliance · March 2025 · 14 min read · 7 pages · SP-WP-004

US Privacy Laws & the SHELL-Privacy™, MEDA-Privacy™ and PEAR Frameworks: A Comparative Analysis

A structured mapping of the US privacy law mosaic — HIPAA, COPPA, GLBA, CCPA/CPRA, NY SHIELD Act, Florida FDBR, Texas TDPSA and Washington My Health My Data — to the SHELL-Privacy™ interface model, MEDA-Privacy™ incident investigation process, and PEAR human-factors contextualisation.

Tags: HIPAA · CCPA · COPPA · SHELL-Privacy™ · MEDA-Privacy™ · PEAR · US Privacy · APRA · GRC

Document Structure — 5 sections

1. Introduction: Context & Scope

  • The US privacy law mosaic: why there is no federal comprehensive law (yet)
  • Federal sectoral laws: HIPAA, COPPA, GLBA, FERPA — scope and obligations
  • State comprehensive laws: CCPA/CPRA, NY SHIELD, TDPSA, FDBR, WA My Health My Data
  • The American Privacy Rights Act (APRA) — the emerging federal baseline

2. Part I: Federal Privacy Laws × SHELL-Privacy™

  • HIPAA: PHI safeguards (S+H+Lc), 60-day breach notification (Lp+E), minimum necessary standard
  • COPPA: verifiable parental consent (S+Lc), data minimisation and deletion (S+H)
  • GLBA: Safeguards Rule — reasonable security across all 5 SHELL interfaces
  • FERPA: student record access rights and disclosure restrictions

3. Part II: State Privacy Laws × SHELL-Privacy™

  • CCPA/CPRA: consumer rights portal (S+Lp), GPC signal recognition (S+E), DPIAs (Lp+E)
  • NY SHIELD Act: reasonable security programme — all 5 SHELL interfaces
  • Texas TDPSA & Florida FDBR: opt-out architecture, 45-day response windows
  • WA My Health My Data: geofencing controls (S+Lc+E), consumer health data definition

4. Part III: MEDA-Privacy™ × US Incident Response

  • HIPAA breach notification: 60-day rule and the MEDA investigation timeline
  • CCPA private right of action: how MEDA documentation supports legal defence
  • FTC enforcement patterns: Consent Orders and Corrective Action Plans — MEDA alignment
  • Just Culture approach to US privacy enforcement: systemic remediation vs. individual blame

5. Part IV + Conclusion: PEAR × US Privacy & Practical Roadmap

  • PEAR contextualisation of HIPAA's workforce training requirements
  • How PEAR supports proportionate response under CCPA's non-discrimination principle
  • Consolidated mapping table: US privacy obligations × SHELL-Privacy™ × MEDA-Privacy™ × PEAR
  • 5-step implementation roadmap for multi-state US privacy compliance
  • Preparing for APRA: what the SHELL/MEDA/PEAR approach already covers

More publications coming soon

AI Governance & GRC · Just Culture in Practice · PEAR Model Deep Dive · MEDA-Privacy™ Investigation Workbook

Want to go deeper?

The book covers all three frameworks in detail — with case studies, templates, implementation guides and the full LGPD comparative analysis.
