ANPD releases new form for Security Incident Reports

On December 23, 2022, the Brazilian National Data Protection Authority (“ANPD”) released a new sample form for security incident reports to be used after January 23, 2023.

The new form is more user-friendly than the current one, including explanations on the response boxes and a wider variety of checkboxes with answer possibilities. Thus, communication becomes easier for the data controller.

Despite the changes to the form, the communication procedure remains the same as before: it must be filed electronically through SUPER.BR, available on the website (link here), by the data protection officer or by the controller’s legal representative.

The ANPD classifies a security incident as any adverse event that jeopardizes the confidentiality, availability, or integrity of personal data. Incidents may originate from intentional or unintentional actions that cause disclosure, alteration, improper loss, or unauthorized access to personal data. However, the controller must communicate to the ANPD and to the data subject the occurrence of any security incident capable of generating risk or relevant damage to data subjects, within a reasonable period, as established in Article 48 of the Brazilian General Data Protection Law (“LGPD”). In this regard, the report is a relevant measure for mitigating damages. The ANPD has not yet regulated the definition of “reasonable time”. Still, the Authority recommends that the report be filed as soon as possible, within two business days of becoming aware of the incident.

It is also important to emphasize that when assessing the risk of a security incident involving personal data, several factors must be considered, including (i) the types and quantities of personal data involved; (ii) the context of the data processing activity; (iii) the categories and quantities of data subjects affected; (iv) the potential material, moral and reputational damages incurred; (v) the protection granted to the violated data; and (vi) the damage mitigation measures adopted after the incident.

Access the new form here.

For more information, please contact our Data Protection area.
