ANPD publishes new guidelines for reporting security incidents involving personal data
On December 23rd, the Brazilian National Data Protection Authority (ANPD) updated its guidelines related to reporting information security incidents involving personal data. The update included a new form needed to report incidents to ANPD. This is the first major update to the ANPD guidelines, originally published in February 2021.
As set forth by article 48 of Law No. 13.709/2018 – the General Personal Data Protection Law (LGPD) – the occurrence of a security incident that may entail significant risk or harm to data subjects must be communicated to the ANPD and to the data subjects. In the update, the ANPD outlines what may be interpreted as a security incident, and as significant risk or harm, for the purposes of the LGPD.
What is a personal data security incident?
The ANPD states that security incidents involving personal data are confirmed adverse events that compromise the confidentiality, integrity or availability of personal data. Therefore, not only undue disclosure of personal data, but also loss or undue alteration of personal data, are reportable events under the terms of article 48 of the LGPD, provided that these events are capable of causing significant risk or harm to the data subject.
What criteria should be considered for determining whether an incident causes significant risk or harm to the data subject?
The ANPD indicates that the following criteria should be considered when determining if a security incident may cause significant risk or harm to the data subject:
- The context of the data processing activity
- The categories and number of data subjects affected
- The types and amount of breached data
- Potential material, moral or reputational damages caused to the data subjects
- Whether the personal data was protected in such a way as to make it impossible to identify the data subjects
- The mitigation measures adopted after the incident
In addition, the ANPD states that incidents capable of causing significant risk or harm to data subjects include those that may cause material or moral damage to data subjects or expose them to situations of discrimination or identity theft, especially if they involve data on a large scale or could affect sensitive or vulnerable groups, including minors and the elderly.
Who is responsible for reporting the incident?
Incidents that fall under the mandatory reporting cases provided for by the LGPD must be reported by the controller of the personal data, through its data protection officer or a representative.
The ANPD reinforces that it is the controller's responsibility to obtain from processors the information necessary for reporting the incident. The ANPD recommends that the obligations regarding the communication of incidents between controllers and processors be established in a contract, in order to speed up the communication procedure and minimize the risks to the data subjects.
What is the procedure for communicating a security incident involving personal data to the ANPD?
Security incidents with personal data that may cause significant risk or harm to data subjects must be communicated to the ANPD by completing a specific form. The update of the ANPD guidelines was accompanied by a new incident communication form, replacing the prior form. The new form should be used from January 1st, 2023.
The new form requires more details about the incident, its impacts, the security measures adopted and the communication to the data subjects affected by the incident.
The report is made to the ANPD by submitting the completed form through the SUPER.BR system (Single System of Electronic Process in Network), an electronic process system.
What is the deadline for reporting the incident?
The ANPD ratified the previously recommended deadline for communication of up to two (2) working days from the time the controller becomes aware of the incident. The ANPD also states that delays in communication must be fully justified and that unjustified delays in reporting incidents may subject controllers and/or processors to the administrative sanctions provided for in the LGPD.
This two-day period has drawn some criticism, given the difficulty of obtaining the minimum information needed to notify the ANPD while managing the crisis caused by an information security incident.
Although the initial communication of the incident may be preliminary, the new guidelines require that a complete report be made as quickly as possible and within a maximum period of 30 calendar days from the preliminary communication.
How does the ANPD interpret the duty under the LGPD to notify data subjects of the incident?
Unlike the previous guidelines, the new version highlights the importance of notifying the data subjects affected by the incident in order to comply with the communication obligation provided for in the LGPD. The ANPD states that the incident report will not be considered complete if the data subjects affected by the incident have not yet been informed.
Additionally, the ANPD lists the information that must be included in the communication and recommends that it be made individually and directly to the affected data subjects. If it is not possible to identify the affected data subjects, it may be necessary to notify all data subjects whose data was held in the compromised database. In exceptional cases, indirect communication may be made through announcements in the media.
Click here to access the complete ANPD guidelines (in Portuguese).
Lefosse’s Technology, Data Protection and Intellectual Property team is available to assist our clients with information security incidents and other issues related to the General Personal Data Protection Law.
+55 11 3024 6490