ANPD approves the Data Breach Communication Regulation

On April 26th, the National Data Protection Authority (ANPD) published Resolution No. 15/2024, which approves the Data Breach Communication Regulation (RCIS).

The Regulation, which was submitted for public consultation in May of last year, establishes the procedures for communicating security incidents that may pose a relevant risk or harm to data subjects, as provided for in Article 48 of the Brazilian Data Protection Law (LGPD).

Accordingly, the RCIS establishes that the data controller must report to the ANPD when the incident significantly affects the interests and fundamental rights of data subjects and, cumulatively, involves at least one of the following: (i) sensitive personal data; (ii) data of children, adolescents, or the elderly; (iii) financial data; (iv) authentication data for systems; (v) data protected by legal, judicial, or professional secrecy; or (vi) large-scale data.

The Regulation also specifies that, as a rule, the controller must communicate a data breach to the ANPD within three business days from the moment it becomes aware of the incident.

Under the Regulation, records of data breaches must be retained for at least five years, even when the breach was not reported to the ANPD.

ANPD opens consultation on Preliminary Study on High Risk and Large Scale

On April 17th, the National Data Protection Authority (ANPD) opened a consultation on the Preliminary Study on High Risk and Large Scale.

In general, the Preliminary Study aims to clarify the concept of "high risk," a complex and relevant topic that has not yet been settled among academics and data protection professionals. The term was introduced in ANPD/CD Resolution No. 2/2022, which deals with the regime applicable to small processing agents, but was left without a clear definition or parameters for its application.

Through the contributions received, the ANPD seeks to consolidate a definitive guideline on the criteria for defining high risk in various situations, such as assessing the severity of infractions related to personal data processing, and to apply this approach to all categories of personal data processing agents.

To support the Study, the ANPD provided a draft of the Guidelines, a Technical Opinion (Manifestação Técnica), and a preliminary version of the methodology used to calculate risk.

