Brazil’s Data Protection Authority publishes data protection impact assessment guidance
Guidelines included on the criteria, methodology, and minimum content required for preparing data protection impact assessments
On April 6, 2023, the Brazilian Data Protection Authority (ANPD) launched a webpage concerning the preparation of data protection impact assessments (DPIAs). The clarifications the ANPD has issued are merely preliminary at this stage, as DPIAs are still in the process of being regulated.
The webpage features a series of FAQs with information on the subject of DPIAs, when and how the data controllers should prepare them, data that must be included, and the definition of ‘high-risk’ data processing activities – among other aspects not regulated in the Brazilian General Data Protection Law (LGPD).
Key issues
- High-risk activities: The LGPD states that DPIAs are documents on the topic of data processing activities that may put the civil liberties and fundamental rights of data subjects at risk. The ANPD, however, affirmed that DPIAs relate to data processing activities with potentially high risks for data protection principles and rights. Until specific regulations on the DPIA are published, the definition of ‘high risk’ is provided for in Article 4 of ANPD Resolution Nº 2/2022, which concerns how the LGPD applies to the activities of small data processing agents;
- Preparation: The ANPD recommends controllers prepare DPIAs prior to processing personal data to assess any potential risks beforehand. However, if this is not possible, DPIAs should be prepared as soon as the controller identifies that processing activities conducted are likely to generate high risks. In any case, data controllers must present this documentation if the ANPD asks them to do so;
- Risk management: Identified and analyzed risk factors must be documented and justified to demonstrate that the most appropriate decisions were made based on the information available at the time. For each identified factor, the controller must estimate the probability of the risk materializing and its inherent impact – which will depend on the harm that may be caused to data subjects, particularly in regard to their rights and freedoms;
- Publicly disclosing the DPIA: Disclosing the DPIA to the public is not mandatory. However, the controller may decide to make the DPIA publicly available to comply with transparency, free access, accountability, and responsibility principles. The public version of the DPIA may be modified to protect commercial and industrial secrecy and other information protected by law;
- Revisions: The DPIA must be revised on a continual basis, particularly when new facts emerge with the potential to change the identified risks, or when the ANPD issues new regulations.
DPIA content
DPIAs must be sufficiently detailed for the ANPD and the data controller to attain a broad understanding of how the data is processed and the risks arising from it.
The ANPD recommends DPIAs present the following information, among other topics specified on the webpage:
- The data processing agents and the data protection officer (DPO) should be identified, as well as any other involved or interested parties;
- The need for preparing the DPIA should be explained (e.g., identification of high risks, a request from the ANPD, or as a preventative measure);
- The data processing activity should be analyzed, including a description of the processing (from collection to deletion); the personal data collected; the categories of data subjects involved; whether the data of children, teenagers or other vulnerable demographics (such as the elderly) has been collected; the quantity of personal data processed and number of data subjects involved; the source of the data collection; the purpose of processing, justifying the collection of each set of data; external and internal data sharing, including international data transfers; and the data storage policy with a description of retention periods and disposal methods;
- Compliance with LGPD principles should be analyzed, and the legal basis (provided for in the LGPD) for processing the data should be identified;
- Each potential risk should be identified, with an assessment of the likelihood of it materializing and the practical impacts for data subjects in such an event;
- Measures and safeguards should be set, including the measures adopted to mitigate each risk, the risk reassessment after the measure has been adopted, and an indication of any residual risks.
Until DPIAs are specifically regulated, data controllers may determine the best structures and formats for preparing their DPIAs, subject to the provisions of the LGPD.
According to the ANPD’s 2023-2024 regulatory agenda, regulating the DPIA is among the authority’s top priorities. The ANPD has reported that the DPIA regulation process is already underway, currently in the drafting stage.
For more information about the ANPD’s supervision and enforcement of sanctions, please contact Mattos Filho’s Data Protection & Cybersecurity practice area.