Data protection authority announces public consultation for security incidents
ANPD releases information to facilitate security incident notification and intends to consider public contributions towards future regulation
On February 22, 2021, the Brazilian Data Protection Authority (ANPD) announced a public consultation for regulating the mandatory notification of security incidents as per Law No. 13,709/2018 – the Brazilian Data Protection Law (LGPD). The announcement was made in the wake of the release of a related guide and a template form for notifying personal data security incidents to the ANPD.
These initiatives are part of ANPD’s 2021-2022 Regulatory Agenda, approved by Ordinance No. 11 of January 27, 2021. This agenda provides for the regulation of a range of foreseen issues in the LGPD that are yet to be formally defined.
Security incident-related measures
A growing number of personal data security incidents have been reported in recent months, involving both private and public entities. Consequently, the accurate and timely notification of these incidents has become a priority for debate. For this reason, the ANPD developed its Personal Data Security Incidents and Assessment for Notification guide and released its notification form template prior to the public consultation.
ANPD’s guide addresses important questions related to:
- Defining personal data security incidents;
- Steps that should be taken in the event of a data security incident;
- What should be communicated to the ANPD;
- What should be communicated to people whose data is involved, and when;
- Deadlines regarding the notification of incidents to the ANPD;
- How to report incidents to the ANPD.
This guide addresses a new issue regarding notification deadlines. According to the ANPD, “while regulation remains pending, any incidents and their associated risks should be reported to the ANPD as soon as possible, indicated as within two working days of the incident’s detection.”
Meanwhile, ANPD’s notification form template is designed to help describe such incidents objectively. In addition to the items listed in Article 48, paragraph 1 of the Brazilian Data Protection Law (LGPD), the form includes fields such as:
- Date and time of detection of the incident;
- Date, time and duration of the incident;
- Summary of the incident itself, indicating the physical location and the data storage medium;
- Any potentially related cross-border issues.
This template, available on ANPD’s website, must be submitted via the SEI electronic petition system. It is worth highlighting that both the ANPD’s guide and notification form template may still undergo changes after the public consultation and subsequent enacting of regulations.
How to contribute to incident notification regulations
The ANPD’s model for incident notification regulations sets out important topics that should be considered when submitting contributions. These topics are intended to orient contributions so that they strengthen the process of formulating future regulations. Some of the most important relate to:
- Criteria for risk and damage assessment;
- Distinctions between risk and damage;
- Essential considerations when assessing risk or damage;
- Reasonable timeframes for notifying the ANPD and those whose data has been compromised;
- Possible exceptions regarding this notification.
Contributions may be submitted to [email protected] by March 24, 2021, with the phrase ‘Tomada de Subsídios 2/2021’ (‘Public Consultation 2/2021’) included in the subject.
For more information regarding data security issues, please see Mattos Filho’s Data Protection and Cybersecurity practice area.