Resolution CD/ANPD No. 15, issued on April 26, 2024, represents a significant step forward in the implementation of the General Data Protection Law (LGPD) in Brazil. The Security Incident Reporting Regulation establishes clear and detailed guidelines for dealing with situations in which data security is compromised, defining criteria for assessing the seriousness of incidents and establishing deadlines for reporting both to the ANPD and to data subjects, seeking to ensure transparency and accountability for organizations that handle personal information.
One of the Regulations main contributions is the definition of criteria for determining whether a security incident poses a relevant risk or harm to data subjects. This includes considerations of the type of data affected, such as sensitive personal data or information on children, adolescents, and the elderly, as well as the scale of the incident.
In addition, the document establishes clear procedures for reporting both to the ANPD and to data subjects, including detailed information to be provided and deadlines to be followed.
Another important aspect of the Regulation is the role of the ANPD in the incident reporting process. The authority can carry out audits and inspections to gather additional information and ensure that the appropriate corrective measures are taken by the affected organizations. In addition, the resolution provides for the possibility of waiving the reporting process in certain circumstances, such as when there is insufficient evidence of the incident or when all the necessary measures have been taken to mitigate its effects.
In short, the Security Incident Reporting Regulation represents an important step towards protecting the rights of data subjects and promoting a culture of information security in the country.
The Technology, Media, Telecommunications and Privacy and Personal Data Protection team at Azevedo Sette Lawyers remains at your disposal should you have any questions.”