In order to comply with the Brazilian Data Protection Authority’s (ANPD) regulatory schedule, which establishes that communication about data protection security incidents from the controller to the ANPD will be regulated by the end of the first semester of 2021, the ANPD published guidance on February 23, 2021.
Firstly, it is important to mention that this guidance is not mandatory, since the topic is still in a public consultation process; the ANPD may therefore change it in the future.
- What should be considered as a security incident?
Any unexpected event, confirmed or not, involving a breach of personal data security that can pose risks to the data subject's rights and freedoms. Such a breach can be unauthorized, accidental or illegal access that causes the destruction, loss, alteration or leakage of data, or any other inappropriate or illegal form of data processing.
- When and what to communicate to data subjects?
Communication should occur whenever the security incident may cause a relevant risk or damage to the affected data subject. The criteria are yet to be regulated, but it can be inferred from the Brazilian General Data Protection Law (LGPD) that the probability of risk or damage to the data subject will be considered more relevant when sensitive data, a vulnerable data subject, or the potential to cause material or moral damage is involved.
Likewise, it is important to consider the volume of data affected, the number of people affected, the good faith and the intentions of third parties who accessed the data after the incident, and the ease of identification of data subjects by unauthorized third parties.
- What should controllers do?
- Assess the incident internally: determine the nature, category and quantity of data subjects affected; category and quantity of data affected; certain and probable consequences; and security, technical and administrative measures to be taken.
- Communicate with the data protection officer (DPO).
- Communicate with the controller, if you are the processor, according to the LGPD.
- Communicate with the ANPD and data subjects, in case of relevant risk to the data subject. The controller is responsible for notifying.
- Prepare a document that includes an evaluation about the incident, measures taken and risk analysis in order to comply with the accountability principle of LGPD.
- What to communicate to the ANPD?
The ANPD has published a form to be completed as part of the communication. The form requests extensive information, including:
- Identification and contact of the person responsible for the processing or the DPO.
- Indication of whether the notification is partial or complete. If it is partial, indicate whether it is a preliminary communication or a complementary communication.
- Security incident information:
  - Date and time of the detection and of the incident;
  - Circumstances of the incident (such as loss, theft, leak, etc.);
  - Description of the affected data, possible consequences and preventive security measures taken by the controller, with the same requirements as the internal incident assessment;
  - Summary of the incident, including its physical location and forms of storage;
  - Summary of the measures implemented to control possible damage up to the date of the communication;
  - Possible cross-border issues;
  - Other information useful to the affected data subjects for protecting their data or preventing possible damage; and
  - Justification if the communication is not made by the suggested deadline of two working days from knowledge of the incident.
Moreover, it is recommended that controllers report to the ANPD even when there is doubt about the relevance of the risks and damage in the case. If it is later proven that a controller underestimated the risks and damage, this may constitute a violation of the LGPD.