ANPD Approves The Data Breach Communication Regulation; Check The Newsletter

The Regulation specifies that the communication of a data breach to the ANPD should be carried out by the controller within a period of three business days
Brazil Privacy

In this Data Protection newsletter you will find:

  • ANPD approves the Data Breach Communication Regulation
  • ANPD opens consultation on Preliminary Study on High Risk and Large Scale

ANPD approves the Data Breach Communication Regulation

On April 26th, the National Data Protection Authority (ANPD) published Resolution No. 15/2024, which approves the Data Breach Communication Regulation (RCIS).

The Regulation, which was submitted for public consultation in May of last year, aims to establish procedures for Security Incident Communication that may pose a relevant risk or harm to data subjects, as provided for in Article 48 of the Brazilian Data Protection Law (LGPD).

In light of this, the RCIS establishes that the data controller must report to the ANPD when the incident significantly affects the interests and fundamental rights of data subjects and, cumulatively, involves at least one of the following points: (i) sensitive personal data; (ii) data of children, adolescents, or the elderly; (iii) financial data; (iv) authentication data in systems; (v) data protected by legal, judicial, or professional secrecy; or (vi) large-scale data.

The Regulation also specifies that, as a rule, the communication of a data breach to the ANPD should be carried out by the controller within a period of three business days from the moment it becomes aware of the incident.

According to the rule's guidelines, records of data breaches, even when not reported to the ANPD, must be retained for a period of at least five years.

KLA's Data Protection team is available to assist with any questions and in the procedures for communicating data breaches to the ANPD.

ANPD opens consultation on Preliminary Study on High Risk and Large Scale

On April 17th, the Brazilian Data Protection Authority (ANPD) opened a consultation on the Preliminary Study on High Risk and Large Scale.

In general, the Preliminary Study aims to clarify the concept of "high risk," a highly complex and relevant topic that has not yet been settled among academics and data protection professionals. The term was introduced in ANPD/CD Resolution No. 2/2022 – which deals with the regime applicable to small processing agents – but remained without a clear definition or parameters for its application.

Through the contributions, the ANPD seeks to consolidate a definitive guideline regarding the criteria for defining high risk for various situations, such as assessing the severity of infractions related to personal data processing and applying this approach to all categories of personal data processing agents.

To support the Study, ANPD provided a draft of the Guidelines, a Technical Manifestation and a preliminary version of the methodology used to calculate risk.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
