On April 26th, the Brazilian Data Protection Authority (ANPD) published the final and highly expected version of the Security Incident Reporting Regulation. The document provides important guidelines for communicating security incidents and addresses prior questions on the topic, providing necessary information, parameters, and concrete deadlines to ensure that data subjects and ANPD are informed in a timely and appropriate manner.
The Regulation provides for the changes regarding reporting, recording security incidents and subsequent measures. Previously the deadline for reporting was a "reasonable time" as set forth in the Brazilian General Data Protection Law (“LGPD”), and ANPD used to recommend a deadline of two business days. Now, the Regulation defines deadlines. In addition, there were no definitive parameters that should be consulted to assess the severity of an incident.
Finally, the Regulation innovates by introducing rules on the termination of the security incident reporting process and on the procedure for investigating security incidents, which, before, were not established.
The Regulation determines that the report of a security incident to ANPD must be carried out by the data controller within three business days unless specific legislation states a different deadline. The deadline initiates when the controller becomes aware that the incident has impacted personal data.
The communication must contain, among other things, a description of the nature and category of personal data affected; the number of data subjects affected, detailing, if applicable, the number of children, adolescents, or elderly people; the technical and security measures used to protect personal data, adopted before and after the incident; the risks related to the incident with identification of the possible impacts on the data subjects; the measures that have been or will be adopted to cancel out or mitigate the effects of the incident on the data subjects; the date of the incident; details on the data protection officer or whoever represents the controller; and the identification of the controller and the processor, if applicable.
For the communication of a security incident to the data subject, the Regulation requires that the controller communicates the incident within three business days as well. The communication should contain the same necessary information as mentioned above. The Regulation, however, emphasizes that the controller must use simple, straightforward language and contact each data subject directly and individually if it is possible to identify them.
In addition, the Regulation also stipulates that the controller must keep the registration of the security incident, including of those not reported to ANPD and data subjects, for at least five years from the date of registration, unless there are additional obligations that require the registration to be kept for a longer period.
As previously mentioned by other publications of ANPD, the controller is required to notify ANPD and data subjects in case of a security incident that may pose any kind of significant risk or damage to data subjects. In this case, the scenarios considered will be those in which the incident could significantly affect the data subjects’ interests and fundamental rights and, jointly, involve at least one of the following categories of data: sensitive personal data; data relating to children, adolescents or the elderly; financial data; system authentication data; data protected by legal, judicial or professional secrecy; or large-scale processed data.
Other circumstances considered are those in which the processing activity may affect the exercise of rights or the use of a service, as well as cause pecuniary damage or pain and suffering to data subjects, such as discrimination, violation of physical integrity, the right to image and reputation, financial fraud, or identity theft.
In conclusion, after assessing the severity of the security incident, ANPD may require the controller to adopt measures to safeguard the data subjects’ rights, such as publicizing the incident in the media and other measures to cancel out or mitigate the effects of the incident.
Our Cybersecurity & Data Privacy team is ready to advise companies on the new rules established in Brazilian personal data protection landscape.
