ANPD's regulation on security incidents


Contributors:
Guilherme Torres Peretti
AIGP, CIPP/E, CIPP/US, CIPM, CDPO/BR, FIP
Associate Director, Privacy & Data Protection
Organon, LLC
One of the most valued traits in privacy professionals is the ability to navigate uncertainty. With the increasing number of privacy laws being enacted globally and the rise of disruptive new technologies, it could be argued that managing the unknown is as crucial as technical expertise in this field.
At the same time, and paradoxically, privacy is one of the few professions with an undeniable certainty: at some point, no matter the industry or organization, every professional will have to handle a security incident.
Given this reality, it may be helpful for privacy professionals working for organizations subject to Brazil's General Data Protection Law, the LGPD, to familiarize themselves with the Security Incident Communication Regulation issued earlier this year by Brazil's data protection authority, the Autoridade Nacional de Proteção de Dados.
The regulation was approved via resolution CD/ANPD n. 15 of 24 April 2024 and provides important definitions as well as clarity on topics such as criteria, timeline and methods for the notification of security incidents.
Definitions, criteria for mandatory incident notifications
Although Article 48 of the LGPD made notification mandatory for security incidents that may result in relevant risk or harm to data subjects, the law didn't clarify what constitutes an incident or when those thresholds are met. Luckily, the regulation addresses both issues.
It defines a security incident as any confirmed adverse event that compromises the confidentiality, integrity, availability or authenticity of personal data: a straightforward definition that, maybe with the exception of authenticity, reproduces the most widely recognized pillars of information security. It also defines each of these attributes in a manner consistent with other laws, frameworks and common sense.