The ANPD issues new guidelines on personal data breach reporting and launches public consultation for further regulation

February 24, 2021

On February 22, 2021, the National Data Protection Authority (ANPD) issued new personal data breach reporting guidelines. The guidelines establish rules on (i) the measures that should be taken when a personal data breach has been identified, (ii) the information that needs to be communicated to the ANPD, (iii) the situations in which the data subject needs to be informed of an incident, and (iv) the appropriate time-frame and form of reporting a data breach to the ANPD.

The ANPD has also launched a public consultation process to improve future regulation on this matter. The public consultation will run until March 24, 2021, and all interested parties are invited to send their contributions to consultapublica@anpd.gov.br.

The main principles set out in the guidelines are summarized below.

What measures should be taken when a personal data security breach has been identified?

  • Assess the data breach internally – the nature, category, and quantity of data subjects affected, the category and quantity of personal data involved, and the concrete and probable consequences;
  • Communicate to the Data Protection Officer;
  • If you are the processor, communicate with the controller;
  • In case of significant risk or potential damage to the data subjects, inform them and the ANPD; and
  • Provide documentation of the internal assessment of the data breach, measures taken, and risk analysis to comply with the principle of accountability.

What needs to be communicated to the ANPD?

The guidelines recommend that controllers adopt a cautious stance, communicating with the ANPD even in cases where there is doubt regarding the relevance of the risks and damages caused by the data breach. The guidelines also warn that any proven undervaluation of the risks may be considered an infringement of the General Law on Protection of Personal Data (LGPD).

The data breach communication must include the following information:

- Identification of the:

  • Entity or person responsible for the data processing; and
  • Data Protection Officer or another contact person.

- Information regarding the data breach:

  • Identification of the type of breach (complete or partial);
  • The time and date of the detection;
  • The time and date of the data breach and its duration;
  • The circumstances of the data breach, such as loss, theft, unauthorized copy, among others;
  • A description of the personal data affected, such as nature and content of the personal data, category and quantity of data and affected data subjects;
  • A summary of the security incident, indicating the physical location and storage method;
  • The possible consequences and adverse effects for affected data subjects;
  • The preventive security, technical and administrative measures taken by the controller;
  • A summary of the measures implemented to control possible damages;
  • The possible problems of a cross-border nature; and
  • Other information useful to those affected to help protect their data or prevent possible harm.

In what situations should the data subject be advised of a data breach?

The LGPD stipulates that data subjects must be notified of a data breach whenever the breach may cause relevant risk or damage. According to the guidelines, objective criteria shall be established in future regulation, but an incident is likely to cause relevant risk or damage to the data subject when it:

  • Involves sensitive data or vulnerable individuals, including children and adolescents; and
  • Has the potential to cause material or moral damage, such as discrimination, violation of the right to image and reputation, financial fraud, and identity theft.

The controller must also assess the volume of data involved, the number of data subjects affected, the good faith and intentions of third parties who had access to the data after the data breach, and the ease of identifying the data subjects by unauthorized third parties.

What is the deadline, and how should an incident be communicated to the ANPD?

The LGPD establishes that security incidents must be reported within a “reasonable period” to be defined by the ANPD. The guidelines note that, while there is no official regulation regarding these deadlines, it is recommended that controllers work to a period of 2 working days from the date of discovery of the data breach. This communication must be submitted using a form available on the ANPD website.

Our team is closely monitoring any measures regarding LGPD and assisting clients on this matter. For more information regarding this matter, please e-mail us at dataprivacy@lickslegal.com.