On April 26, the Board of Directors of the National Data Protection Authority (ANPD) published Resolution CD/ANPD 15/24, which approves the Data Breach Reporting Regulation. The rule, already in force, complements article 48 of the Brazilian General Data Protection Act (LGPD), which establishes the data controller's obligation to report security incidents that may entail relevant risk or harm to the ANPD and to the data subjects.
The regulation brings important novelties, such as the possibility of the controller having to give wide disclosure of the data breach, in addition to definitions on authentication data in systems, financial data and security incident. It also establishes the Incident Handling Report as the new document to be provided by the controller.
The ANPD makes progress in defining what counts as a relevant risk or harm. This criterion is fundamental, because it determines whether the obligation to notify the ANPD and the data subjects is triggered.
According to the ANPD, a data breach may entail relevant risk or harm if it can significantly affect the interests and fundamental rights of data subjects and, at the same time, involves sensitive personal data, data of children, adolescents or the elderly, financial data, authentication data in systems, data protected by legal, judicial or professional secrecy, or data on a large scale.
The regulation also defines large-scale data incidents as those covering a large number of data subjects, taking into account the volume of data involved, the duration and frequency of the incident, and the geographical spread of the data subjects.
In order to meet all the requirements established by the new regulation, it is therefore important that companies have accurate and detailed risk assessments of incidents, capable of providing a holistic and reliable view of the business.
In this way, they will be able to identify more precisely which situations must be communicated and which need not. The preparation of a Data Protection Impact Assessment, including a consistent Data Breach Impact Assessment, is essential. The ANPD may even require this report.
Secrecy is not the rule
Confidentiality about the occurrence of a data breach is not the rule. It will be up to the controller to request confidentiality from the ANPD, with reasons. In addition, the ANPD will be able to give wide publicity to the data breach, including communication in the media and on the internet. It is possible, for example, that the data controller will be required to publish the information that the incident occurred on its own social media channels.
Deadlines, form, and content of the communication
The ANPD has set a deadline of three working days for the communication to be made to the ANPD and to the data subjects. For supplementary communications, the deadline is 20 working days. For small agents, these deadlines are doubled. The three days are counted from the moment the data controller became aware that the incident compromised personal data.
The new regulation reinforces the need for companies to be prepared to provide all the necessary information to the ANPD and data subjects in the short term. To do this, it is important that they have a documented and structured plan.
For the ANPD, the data controller must be able to provide a list of 12 items, such as a description of the nature and category of the personal data affected; the number of affected data subjects (including children, adolescents and the elderly); the technical and security measures used before and after the incident; the risks involved; the reasons for any delay; and the identification of the operators (processors), if applicable.
For data subjects, there will be at least seven items: a description of the nature and category of the personal data affected; the technical and security measures used to protect the data, observing commercial and industrial secrets; the risks related to the data breach, with identification of the possible impacts on data subjects; the reasons for the delay, where the communication was not made within the period established in the caput of article 6 of the resolution; the measures that have been or will be adopted to reverse or mitigate the effects of the incident, where applicable; the date on which the data breach became known; and a contact for further information and, where applicable, the contact details of the person in charge.
In addition to content, companies should be prepared to use simple and easy-to-understand language. At this point, Legal Design and Visual Law techniques can be great allies.
If it is possible to identify the affected data subjects, the communication must be direct and individualized. The means normally used by the controller to contact the data subjects, such as telephone, e-mail and electronic messages, must be considered.
In addition to notifying the data subjects, the data controller must, within three days from the end of the first communication period, submit to the ANPD a statement that it has complied with the communication requirement, together with evidence of how this was done.
Data breach record and submission of documents
The ANPD expressly determines that the data controller must keep a record of all security incidents involving personal data for at least five years, regardless of whether they have been reported or not.
Thus, in addition to being prepared to act diligently, accurately, and quickly, companies will need to be ready to document the entire data breach and each of its stages: identification, response, remediation, and communication.
The record must contain at least:
- a description of the nature and category of the personal data affected;
- the technical and security measures used for the protection of the data, observing commercial and industrial secrets;
- the risks related to the incident with identification of possible impacts to data subjects;
- the reasons for the delay, in the event that the communication has not been made within the period established in the caput of article 6 of the resolution;
- the measures that have been or will be adopted to reverse or mitigate the effects of the incident, where applicable;
- the date on which the security incident became known; and
- a contact for further information and, where applicable, the contact details of the person in charge.
At any time, the ANPD may require the data controller to submit the record of the affected data processing operations, the Data Protection Impact Assessment and the Incident Handling Report, which contain copies of relevant documents and the information needed to describe the incident and the measures taken.
The company's documented and accurate response to incidents therefore becomes even more fundamental. The controller must be prepared not only to make the communications with the required content and form, but also to account for its activities in relation to the event. It is important to be able to demonstrate preparedness before, during, and after the incident.
Own administrative process
Data breach reports now have their own administrative process (Security Incident Reporting Process), through which the ANPD will review the case and the measures adopted by the company.
In the event of non-compliance with the provisions of the new regulation, the controller may respond to administrative sanctioning proceedings.
The new regulation is in line with the way in which Machado Meyer's Digital and Personal Data Protection practice deals with situations of this nature: a holistic and strategic approach, connected with the firm's crisis management expertise and the technical work of its other practices. We remain available to answer any questions on the subject.