The Brazilian Data Protection Authority (ANPD) has recently released in its website the form for communicating data breaches, as well as orientations on what to do when a personal data breach happens.
The document is meant to be a guide for both controllers and processors, while the matter is discussed through a public consultation process, as foreseen in ANPD’s Regulatory Agenda.
Such an agenda is a planning document that summarizes the regulatory actions that are considered a priority and will be subject to studies or resolutions, in the years 2021 and 2022.
Previously, the Authority adopted the same method to gather information and work on a differentiated regulatory environment for small businesses.
What should companies do in case of a data breach?
Accordingly to the ANPD, a data breach is “any adverse event, confirmed or under suspicion, related to a personal data security breach, such as unauthorized, accidental or unlawful access that results in destruction, loss, alteration, leakage or any form of improper or unlawful data processing, that may pose a risk to the rights and freedoms of the personal data subject”.
When facing a data breach, the ANPD recommends the following actions to be taken:
– Evaluate internally the nature, category and amount of data subjects affected by the data breach, as well as the type of personal data affected and probable and concrete consequences;
– Communicate the entity’s DPO;
– Communicate the Data Controller, in case the breach happened on the Processor’s end;
– Communicate the ANPD and data subjects, in case a relevant risk to the latter is considered possible to happen;
– Document the incident and the measures taken to analyze it.
In this guidance, the ANPD indicates that the communication should be made within 2 (two) days from the date the incident was acknowledged.
If it is not possible to provide complete information on the incident at the moment of communication, it is possible to submit supplementary communications, with new information obtained, or clarifications for any questions ANPD would arise.
Information on the public consultation process
Accordingly to the technical note published on February 22nd, the ANPD intends to build “clear boundaries that make it possible to distinguish security incidents that may bring relevant risks or damages and that may require additional measures from those whose threat, if any, can be disregarded.”
After collecting the public contributions, the ANPD will present the first draft of the regulation on the reporting of incidents, which will be submitted to a new round of public consultation and hearings.
9 de October de 2021
21 de June de 2021