On February 22, 2021, the National Data Protection Authority (ANPD) issued new personal data breach reporting guidelines. The guidelines establish rules on (i) the measures that should be taken when a personal data breach has been identified, (ii) the information that needs to be communicated to the ANPD, (iii) the situations in which the data subject needs to be informed of an incident, and (iv) the appropriate time-frame and form of reporting a data breach to the ANPD.
The ANPD has also launched a public consultation process to improve future regulation on this matter. The public consultation will run until March 24, 2021, and all interested parties are invited to send their contributions to firstname.lastname@example.org.
The main principles set out in the guidelines are summarized below.
The guidelines recommend that controllers adopt a cautious stance, communicating with the ANPD even in cases where there is doubt regarding the relevance of the risks and damages caused by the data breach. The guideline also warns that any proven undervaluation of the risks may be considered an infringement of the General Law on Protection of Personal Data (LGPD).
The data breach communication must include the following information:
- Identification of the:
- Information regarding the data breach:
The LGPD stipulates that data subjects must be notified of a data breach whenever the breach may cause relevant risk or damage. According to the guidelines, objective criteria shall be established in future regulation, but some of the situations where the probability of causing relevant risk or damage to the data subject are when the incident:
The controller must also assess the volume of data involved, the number of data subjects affected, the good faith and intentions of third parties who had access to the data after the data breach, and the ease of identifying the data subjects by unauthorized third parties.
The LGPD establishes that security incidents must be reported within a “reasonable period” to be defined by the ANPD. The guide mentions that, while there is no official regulation regarding these deadlines, it is recommended that the controllers operate on a period of 2 working days from the date of the discovery of the data breach. This communication must be submitted using a form available on the ANPD website.
Our team is closely monitoring any measures regarding LGPD and assisting clients on this matter. For more information regarding this matter, please e-mail us at email@example.com.