One of the most valued traits in privacy professionals is the ability to navigate uncertainty. With the increasing number of privacy laws being enacted globally and the rise of disruptive new technologies, it could be argued that managing the unknown is as crucial as technical expertise in this field.
At the same time, and paradoxically, privacy is one of the few professions with an undeniable certainty: at some point, no matter the industry or organization, every professional will have to handle a security incident.
Given this reality, it may be helpful for privacy professionals working for organizations subject to Brazil's General Data Protection Law (LGPD) to familiarize themselves with the Security Incident Communication Regulation issued earlier this year by Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD).
The regulation was approved via resolution CD/ANPD n. 15 of 24 April 2024 and provides important definitions as well as clarity on topics such as criteria, timeline and methods for the notification of security incidents.
Definitions, criteria for mandatory incident notifications
Although Article 48 of the LGPD determined mandatory notification is necessary for security incidents that may result in relevant risk or harm to data subjects, the law didn't clarify what constitutes an incident or when those thresholds are met. Luckily, the regulation addresses both issues.
It defines security incidents as any confirmed adverse event that compromises the confidentiality, integrity, availability and authenticity of personal data security — a straightforward definition that, maybe with the exception of authenticity, reproduces the most widely recognized pillars of information security. It also defines each of these attributes in a way consistent with other laws, frameworks and common sense.
It then clarifies that a security incident may result in relevant risk or harm to data subjects when it meets two cumulative criteria. First, it must be capable of significantly affecting data subjects' interests and fundamental rights, a concept that includes situations that may prevent data subjects from exercising their rights or utilizing a service, or that may cause material or moral damage, such as discrimination, financial fraud and identity theft.
Second, it must involve at least one of the following elements: sensitive personal data; data of children or older persons; financial data; system authentication data; data protected by legal, judicial or professional privilege; or large-scale data.
Effectively, according to the ANPD's precedent in two recent first-instance decisions on sanctioning procedures, an incident does not need to cause actual harm to data subjects to trigger notification obligations. Potential relevant risk or harm, as now defined by the regulation, is sufficient to require notification.
Hence, whenever dealing with an incident, organizations subject to Brazil's LGPD must assess whether it constitutes an incident under the new definition and whether the potential risk and harm thresholds are met. If both criteria are met, notifications will be mandatory.
Who must notify
Article 48 of the LGPD states controllers are responsible for incident notification as applicable, and, as expected, the regulation did not innovate in this regard.
Who to notify
Some privacy laws, such as the EU General Data Protection Regulation — Articles 33 and 34 — set different criteria for notifying authorities and data subjects, typically establishing lower thresholds for authorities. Brazil's approach, however, is different.
Article 48 of the LGPD mandates that any incident that may result in relevant risk or harm to data subjects must be reported to both the authorities and the individuals affected, with no distinctions. This specific requirement remains a key aspect of the regulation.
ANPD notification
Controllers must notify the ANPD within three business days of becoming aware personal data was affected by an incident. Small-scale controllers, as defined by resolution CD/ANPD n. 2 of 27 January 2022, have six business days.
The notification must be submitted online via the ANPD's administrative proceedings system, which requires prior registration, by the controller's data protection officer or by an appointed representative — outside counsel, for example. It must also contain specific information, such as: description of the nature and category of affected personal data; number of affected data subjects, including the number of children, adolescents or older individuals; technical and security measures adopted before and after the incident; risks and potential impacts to data subjects; and total number of individuals whose data is processed as part of the activity impacted by the incident.
Controllers can supplement the information initially provided, along with proper justification, within 20 business days from the initial notification. Small-scale controllers have double the deadline.
In addition to the information provided by the controller, the ANPD may request, at any time, additional documentation such as relevant records of processing activities, data protection impact assessments, and an incident response report — a new type of document required by the regulation that must contain information about the incident and actions taken to revert or mitigate its effects.
Finally, the regulation stipulates that information provided in the incident notification will not be considered confidential by default. It is therefore up to the controller to request, along with proper justification, the confidentiality of information protected by the law.
Notification to data subjects
Controllers must notify individuals within three business days of becoming aware that personal data has been affected by an incident. Small-scale controllers have six business days.
The notification must contain information similar to that provided to the ANPD, in addition to the controller's contact information and, where applicable, that of the controller's data protection officer. Although not mandatory, including information on how individuals can revert or mitigate the impacts of the incident is considered a best practice that the ANPD may take into consideration when determining the applicable sanction.
As expected, the notification must be written in plain language that can be easily understood by individuals and, when affected individuals are identifiable, must be delivered directly to them individually. According to the regulation, this should be done via channels the controller usually leverages to contact individuals, including phone, email or mail.
If direct and individualized communication is not feasible or it is not possible to identify the affected individuals, controllers must make the specified information available for at least three months through easily accessible channels like websites, applications, social media and customer service centers within the same three business days, or six, as applicable.
Finally, within three business days after the deadline for notifying affected individuals, controllers must provide a declaration to the ANPD that the obligation has been fulfilled.
Other affirmative obligations for controllers
Controllers must keep a register of security incidents — even those not notified to the authority and individuals — for at least five years. The register must contain, among other information required by the regulation, the reasons for not notifying the authority.
Other ANPD powers
In addition to being proactively notified of incidents, the ANPD can initiate a procedure to evaluate whether there has been a security incident that was not communicated by the controller but that may result in relevant risk or harm to data subjects.
It can also mandate, depending on the severity of the incident, disclosure of the incident in both digital and print media outlets, with the goal of safeguarding individuals' rights.
Recent developments and additional resources
The ANPD recently updated its webpage dedicated to oversight activities, which includes interesting data about security incidents, such as the number of incidents notified per year and per incident type. The authority's Security Incident Reporting page also includes general information on security incidents.
Guilherme Torres Peretti, AIGP, CIPP/E, CIPP/US, CIPM, CDPO/BR, FIP, is associate director, privacy and data protection, at Organon.