I. Introduction
Brazil has traditionally been one of the pioneers of data privacy-related regulations. Following the publication and adoption of the GDPR in the EU, it was one of the first countries to adopt a similarly comprehensive data privacy regulation within its jurisdiction.
Since then, it has adopted several supporting regulations to ensure Brazilian citizens’ data is afforded all possible degrees of protection. To that end, the National Data Protection Authority (ANPD) recently published and approved the Regulation on Security Incident Communications.
The regulation had been submitted for public consultation in May 2023, with the aim of establishing concrete procedures for communicating security incidents that may cause significant harm to data subjects, as provided for in Article 48 of the LGPD.
According to Article 48 of the General Data Protection Law (LGPD), controllers are required to notify both the ANPD and the affected data subjects of a security incident. However, the Article does not provide any guidance regarding communication methods or deadlines.
To clarify the communication of security incidents, the ANPD published Resolution No. 15/2024 in the Federal Register on April 26, 2024. The regulation came into effect on the date of its publication.
Read on to learn more about the details of the new regulation and the obligations it places on data controllers.
II. Definitions of Key Terms
The regulations contain definitions for the following terms:
A. Wide Publicity
Any action that the ANPD may determine the controller must take within the security incident communication process, such as publishing on the controller's website, social media networks, or other popular means of communication.
B. Authenticity
A property or quality that ensures that the information was produced, sent, modified, or destroyed by a specific person, equipment, system, body, or entity.
C. Security Incident Communication
An act by the controller that communicates to the ANPD as well as the data subjects the occurrence of a security incident that could result in significant risk or damage to the data subjects and their data.
D. Confidentiality
A property or quality that ensures that personal data is not available or disclosed to any unauthorized persons, companies, systems, bodies, or entities.
E. System Authentication Data
Any form of personal data that is used as a credential to provide access to a system or to confirm a user’s identification, such as login credentials, tokens, or passwords.
F. Affected Personal Data
Personal data whose confidentiality, integrity, availability, or authenticity has been compromised because of a security incident.
G. Data Protected by Legal or Judicial Secrecy
Personal data whose confidentiality is the result of a regulatory requirement or a court decision.
H. Data Protected by Professional Secrecy
Personal data whose confidentiality arises as a result of an exercise of a function, ministry, office, or profession where the disclosure of such information would cause harm to others.
I. Security Incident
Any confirmed adverse event that violates the confidentiality, integrity, availability, and authenticity properties of personal data security.
J. Integrity
A property or quality that ensures that personal data has not been modified or destroyed in an unauthorized or accidental manner.
K. Security Measures
The technical and/or administrative measures adopted to protect personal data from any form of unauthorized access, as well as accidental situations that may lead to the destruction, loss, or alteration of any stored data assets.
L. Security Incident Investigation Procedure
A procedure undertaken by the ANPD to investigate the occurrence of a security incident that the controller has not reported.
M. Security Incident Communication Procedure
The procedure established once the ANPD receives a security incident communication from the controller.
N. Incident Handling Report
A document provided by the controller, in physical or digital form, that contains the relevant data and information describing the incident and all the measures taken to reverse or mitigate its effects.
III. Obligations for Controllers Under This Regulation
Some of the obligations of controllers related to incident reporting per this Regulation include the following:
A. Security Incident Reporting
Criteria for Security Incident Reporting
The controller must communicate to the ANPD and the data subject about the security incident and the potential security risks that may occur as a result of it.
The security incident may result in significant risk or damage to the data subject when such an incident significantly affects their interests and fundamental rights or involves at least one of the following types of data being compromised:
- Sensitive personal data;
- Data on children, adolescents, or elderly people;
- Financial data;
- Authentication data in systems;
- Data protected by legal, judicial, or professional secrecy;
- Large-scale data.
Security Incident Communication to ANPD
A controller must communicate a security incident to the ANPD within three working days unless a specific regulation provides a deadline.
The security incident communication will contain the following information:
- Description of the nature and category of personal data affected;
- Number of affected data subjects and, when applicable, the number of children, adolescents, or elderly people affected;
- Technical and security measures taken to protect personal data, both before and after the incident;
- Risks related to the incident with identification of possible impacts on data subjects;
- Reasons for delay if communication was not carried out within the stipulated period;
- Measures taken to mitigate or reverse the effects of the incident on the data subjects;
- Date of occurrence of the incident and when the controller became aware of the incident;
- Details of the person in charge (data protection officer) or of an individual representing the controller;
- Identification of the controller;
- Operator identification;
- Description of the incident, including its primary causes;
- Total number of data subjects whose data was processed in the processing activities affected by the incident.
The aforementioned information must be provided in a well-founded manner in an electronic format provided by the ANPD within twenty working days from the date the security incident was initially communicated.
It is the responsibility of the controller to request that the ANPD keep any information confidential, with a clear indication of which parties' access must be restricted.
The ANPD can request additional information from the controller related to the security incident, including the record of processing activities for the personal data affected by the incident, the personal data protection impact report, and the incident handling report.
Security Incident Communication to the Data Subject
The controller must send any security incident communication to the data subject within three working days of becoming aware of the incident. Such a communication must contain the following:
- Description of the nature and categories of personal data affected;
- Technical and security measures taken to protect data as well as commercial and industrial secrets;
- Risks related to the incident with identification of possible impacts on data subjects;
- Reasons for delay if communication was not carried out within the stipulated period;
- Measures taken to mitigate or reverse the effects of the incident;
- Date when the controller became aware of the security incident;
- Contact details for obtaining information, as well as the contact details for the personnel in charge.
The aforementioned communication to the data subjects must meet the following criteria:
- It must use simple, easy-to-understand language;
- It must address affected data subjects directly and individually whenever they can be identified.
Direct and individual communication may be carried out via telephone, email, or any form of electronic message or letter. If such communication is not possible or feasible, the controller must communicate the occurrence of the security incident via other means of dissemination, such as on its website, apps, social media, or other channels where users may come into contact with it.
Within three working days, the controller must also include in its communication to the ANPD a declaration that the data subjects have been notified, along with information on the means of communication used.
B. Security Incident Record
The controller must keep a record of the security incident, including incidents that were not communicated to the ANPD and the data subjects, for a minimum period of five years from the date of registration, unless additional obligations per other regulations require longer retention periods.
The incident record must contain the following:
- Date when the controller became aware of the security incident;
- A general description of the circumstances under which the security incident occurred;
- Nature and category of the affected personal data;
- Number of affected data subjects;
- Risk assessment and possible damages to the data subjects;
- Measures taken to correct and mitigate the effects of the incident, if applicable;
- Form and content of the communication if the incident has been reported to the ANPD and the data subjects;
- Reasons for the lack of communication, if applicable.
The custody periods for the aforementioned records will be the same as those established by the National Archives Council.
C. Security Incident Communication Process
General Provisions
The security incident communication process aims to monitor any and all acts related to the processing and response to the incident that may result in causing significant risk or damage to the data subject in order to protect their rights.
The ANPD can, at any time, conduct audits and inspections of processing agents, determine the measures to be implemented, collect additional information, validate any information received, and make supporting decisions within the scope of the security incident communication process.
The security incident communication process begins:
- Ex officio, in the case of a security incident investigation; or
- Upon receipt of communication, per the security incident reporting procedure.
The security incident communication process must be analyzed in aggregate form with any measures adopted in a standardized manner per the prioritization criteria established in the Monitoring Cycle Report within the Regulation of the Inspection Process and the Administrative Sanctioning Process.
Furthermore, during the security incident communication process, the ANPD may order the controller to immediately adopt preventive measures necessary to protect the rights of data subjects to prevent, mitigate, or reverse the effects of the incident and avoid repetitions of such incidents.
Security Incident Investigation Procedure
Through the incident investigation procedure, the ANPD may investigate incidents that cause significant risk or damage to data subjects and were not communicated by the controller.
The ANPD can request information from the controller to confirm that the incident occurred and to assess it under the relevant provisions of this Regulation.
Once the incident's occurrence has been verified, the ANPD can determine whether the controller fulfilled its communication obligations. If discrepancies exist, it may initiate administrative proceedings to determine the extent of non-compliance.
However, if the incident was appropriately reported, the provisions of the security incident reporting procedure will be followed.
Security Incident Reporting Procedure
The security incident reporting procedure will begin once the ANPD receives a communication from the controller related to the incident.
After assessing the severity of the incident based on the information received, the ANPD may instruct the controller to adopt measures to protect the rights of data subjects, such as the following:
- Wide publicity of the incident in the media;
- Measures to reverse and mitigate the effects of the incident.
The aforementioned measures must be directly related to the incident.
The ANPD may publicize the incident in the media itself to safeguard the rights of the data subjects if the controller's communication is considered insufficient to reach an adequate number of data subjects affected by the incident.
The wide publicity of the incident can be made via both physical and digital media. The key consideration must be to reach the largest number of affected data subjects via the following permitted means:
- Printed written media;
- Broadcasting of sounds and images;
- Transmission of information via the Internet.
Extinction of the Security Incident Reporting Procedure
The security incident communication process will be declared extinct in the following circumstances:
- There is insufficient evidence that the incident occurred (without prejudice to reopening the process if new facts emerge);
- The ANPD concludes that the incident does not pose a significant risk or potential damage to data subjects;
- The incident does not involve personal data;
- Additional measures to mitigate and reverse the effects have already been taken;
- All communications to data subjects were sent per the LGPD and this regulation’s requirements.
IV. How Can Securiti Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.
Within the Data Command Center, organizations will have access to various modules and solutions tailored to ensure compliance with the requirements of this regulation as well as other data privacy-related laws in Brazil.
Request a demo today to learn more about how Securiti can help you comply with data privacy regulations in Brazil and other major jurisdictions globally.