On December 23, 2022, the National Data Protection Authority (ANPD) published its new general guidelines on Security Incident Notifications (in Portuguese “CIS”), which shall be submitted by means SUPER.BR platform (Single Electronic Process Network System). Pursuant to its recommendations, the ANPD establishes guidelines for personal data controllers to comply with the obligation to notify a security incident involving personal data, as set forth in Art.48 of the Brazilian General Data Protection Law – LGPD.
On its website, the ANPD made all information available in a very comprehensive manner, and provides data controllers with a number of guidelines, definitions, and examples related to a Security Incident involving personal data. The main goal, according to the DPA, is to offer concrete bases for agents to comply with the obligation to submit a Security Incident Notification to the Authority, as established by the LGPD.
The ANPD’s General Investigation Coordination will be the main division in charge of receiving and processing such notifications, as well as to overseeing data controllers and applying the appropriate administrative sanctions (Art.52, LGPD).
The ANPD also reaffirms its responsive regulatory model, according to which supervisory activities do not only result in the application of sanctions and penalties by the Authority, but also overall guidance, good practices, and prevention measures for data privacy stakeholders.
L.O.Baptista’s Privacy and Data Protection team prepared a summary of the main ANPD’s updates and guidelines:
- Definition of a Security Incident
- Which incidents must be notified
- Risk assessment of a personal data security incident
- Deadline for communication
- How to proceed in case of delay in obtaining information
- Main roles of the data processor in the incident reporting process
- How to report security incidents to data subjects
- What happens after the incident is communicated to the ANPD
Compliance with the recommendations published by the ANPD will be considered as a mitigating factor as to sanctions that may be applied by virtue of administrative proceedings. That is why it is advisable that companies, especially those that have the processing of personal data as their core business, keep an adequate level of data privacy governance; use robust protective tools and essentially keep their employees well-trained to undertake an effective security incident response plan.
The Privacy and Data Protection team at LO.Baptista is available to provide you with clarifications and guidance on the subject.
Coauthors: Fabrício Bertini Pasquot Polido, Denise de Araujo Berzin Reupke and Ana Carolina Gontijo
