On 26 April 2024, Resolution CD/ANPD No. 15 was published, establishing the regulatory framework for reporting security incidents involving personal data. It outlines notification timeframes, procedural requirements, and measures to safeguard the rights of data subjects.
The regulation came into effect on the date of publication and introduces various definitions and obligations for data controllers to comply with Article 48 of the General Data Protection Law (“LGPD”). It mandates that data controllers report cases of significant risk or damage to the ANPD and affected data subjects.
The regulation clearly defines “significant risk or damage,” a crucial factor in determining whether notifications to the ANPD and data subjects are mandatory. The resolution defines “significant risk or damage” as situations posing a substantial threat to the fundamental interests and rights of data subjects, particularly when involving any combination of the following types of data:
- sensitive personal data;
- data of children, adolescents, or elderly individuals;
- financial data;
- authentication data in systems;
- data protected by legal, judicial, or professional secrecy;
- large-scale data.
For full compliance with the new regulation, organizations must conduct thorough risk assessments of security incidents. These assessments will help identify situations that require notification and ensure timely and appropriate action.
Data controllers must notify the ANPD of security incidents within three business days of becoming aware of the breach. For small entities, this deadline is extended to six business days. Notifications must contain the information items specified in the regulation: 12 topics for the notification to the ANPD and 7 topics for the notification to affected data subjects.
Failure to comply with the notification requirement may trigger administrative proceedings against the controller. These proceedings will investigate the non-compliance and determine the appropriate penalties as per the legislation.
All security incidents, whether or not they require notification to the authority, must be documented and kept in a comprehensive record for at least five years. The regulation outlines requirements to ensure the completeness and accuracy of this record.
In addition to other provisions and in alignment with the General Data Protection Law, the regulation states that the ANPD may request supplementary documentation, such as:
- Incident Handling Report;
- Data Processing Activities Mapping;
- Impact Report.
The Mapping and Impact Report must be developed in advance and regularly reviewed to stay aligned with the evolving realities of the data controller’s processing operations.