16 May 2024
ANPD approves its Security Incident Reporting Regulation
At the end of April (the 26th), the Brazilian National Data Protection Authority (ANPD) published Resolution No. 15/2024, approving the Security Incident Reporting Regulation (RCIS). The Regulation establishes the procedures for reporting security incidents that may entail a relevant risk or damage to data subjects, under the terms of art. 48 of the General Personal Data Protection Law (LGPD).
The objectives of the RCIS are: to protect the rights of data subjects; to adopt the necessary measures to mitigate or reverse the effects of the damage caused; to hold processing agents responsible and accountable; to promote the adoption of rules of good practice, governance, prevention and security measures; to encourage the promotion of a culture of personal data protection; to guarantee transparency in the actions of processing agents; and to provide subsidies for the ANPD’s regulatory, supervisory and sanctioning activities (art. 2).
Next, in Article 3 (Chapter II), the Regulation adopts important definitions, including those of authenticity, confidentiality, availability, security incident and affected personal data. The RCIS then addresses the criteria for determining whether a security incident must be reported, and the reporting of security incidents to the ANPD and to the data subject (Chapter III).
Chapters IV and V of the RCIS regulate, respectively, the procedures for registering a security incident and the process for reporting a security incident. Here, it is important to mention art. 15, which provides that “in the course of the security incident reporting process, the ANPD may order the controller, with or without its prior manifestation, to immediately adopt the preventive measures necessary to safeguard the rights of the data subjects, in order to prevent, mitigate or reverse the effects of the incident and avoid the occurrence of serious and irreparable damage or damage that is difficult to repair”. Also, according to article 21, “the ANPD may initiate administrative sanctioning proceedings if the controller fails to adopt the measures to reverse or mitigate the effects of the security incident within the period and under the conditions determined by the Authority”.
Finally, Resolution No. 15/2024 amended item II of article 14 of the Regulation for the Application of Law No. 13,709/2018 (LGPD) to small processing agents (Resolution CD/ANPD No. 2/2022). Under the newly approved text, small processing agents are given double the time limit “in the event of the communication, to the ANPD and the holder, of the occurrence of a security incident that may entail relevant risk or damage to the holders, under the terms of the Security Incident Communication Regulation”.
The document can be accessed at the following link: Resolução nº15/2024
Note: For quick release, this English version is provided by automated translation without human review.