How to handle security incidents/data breaches under the LGPD
In our previous articles, we have already drawn your attention to the Brazilian data protection legislation which is quite similar to the General Data Protection Regulation (GDPR). South America is one of the most promising jurisdictions to grow in the near future, as there is a huge population and, at the same time, the IT services market is not overcrowded. Thus, if you process data of Brazilians or consider this market as one of the regions you want to sell services to, you definitely must know about new rules regarding data processing that were prepared by the ANPD (Autoridade Nacional de Proteção de Dados): national data protection authority in Brazil.
The ANPD has updated the guidelines for a security incident notification under the LGPD. Also, the ANPD has shared a new form which should be used for sending security incident reports by a data controller. The supervisory authority highlights that the new form makes it easier for data controllers to fill it in and is better for analysing the security incident by the ANPD. The new form shall be used from January 1, 2023. You may read the press release and download the new form via the link.
What is a security incident under the LGPD?
Article 47 LGPD prescribes that “The controller shall report to the national authority and to the holder the occurrence of a safety incident that may lead to significant risk or damage to the holders.” So, any situation (data breach or leakage, fraudulent activity, unauthorised disclosure of personal data) that may lead to a risk for holders (data subjects) shall be treated as a security incident under LGPD. What does ANPD say about security incidents?
How should the form be sent?
The mentioned form must be filled only by the data controllers (not data processors), but data processors must inform data controllers about any security incidents occurring. Also, the company’s representative or the data protection officer may send this report on behalf of the data controller. Forms must be submitted via the website of the Single Electronic Process Network System within 2 working days after the company has become aware of the incident.
What does the form contain?
The new form contains the following chapters that shall be filled in by the data controller:
- Contact information, details about the company;
- Information regarding the data protection officer of the company;
- Information regarding the legal representative of the company;
- Type of communication (complete, preliminary, complementary);
- Incident risk assessment (whether the incident may entail relevant risk or harm to the holders);
- Information on the occurrence of the incident (in what way have the company become aware of the breach);
- Timeliness of the incident (when it occurred, when did the company become aware, when did the company communicate to the ANPD);
- Information on the communication to the holder regarding the security incident;
- Description of the incident (type of incident, brief summary of what happened, the root cause, measures taken to correct the incident);
- Impacts of the incident on the personal data (how the incident affects personal data, what categories of personal data were affected);
- Risks and consequences for the holders (number of holders affected, categories of holder affected, likely impact and consequences for the holder);
- Security measures for personal data protection (encryption of the data, backups, firewalls, etc).
How to inform the holders?
The communication should be made as soon as possible since the controller finds that the incident can cause relevant risk or damage to the holders. This allows the holders to mitigate adverse impacts arising from the incident. Communication must be made individually and directly to the holders whenever possible. It can be carried out by any means, such as e-mail, SMS, letter or other electronic messages. If, despite the occurrence of the incident being confirmed, it was not possible to individualise the affected holders, it may be necessary to communicate to all whose data is present in the violated database. Exceptionally and in a justified way, indirect communication can be made through publication in the media. The medium used should be able to reach as many holders as possible, and the disclosure should be given due emphasis.
The notice to holders must contain at least the following:
- Summary and date of occurrence of the incident;
- Description of personal data affected;
- Risks and other consequences to the holders;
- Measures taken by the controller and measures that the holders should take to mitigate the effects of the incident, if applicable; and
- Contact details of the controller’s DPO so holders can request additional information regarding the incident.
What does the ANPD do with the security incident report?
The severity of the incident will be considered in the prioritisation of the analysis of the communications received. If the controller has already communicated the occurrence of the incident to the holders and, after analysis, there were no infringements of the LGPD or the need to adopt additional measures, the process will be filed. If the communication to the holders has not been made or is considered inappropriate, its realisation or correction in its form or content may be determined. If necessary, the controller may be determined to adopt additional measures to mitigate the effects of the incident, such as its wide disclosure. Preventive measures and sanctions may be applied, among other situations, in cases where the controller:
- Fails to report the incident to the ANPD and the holders in a reasonable time;
- Fails to report the incident to the affected personal holders;
- Does not adopt security measures compatible with the risks of the data processing activities.
After this update, Brazilian data protection legislation becomes more transparent and understandable. Thus, the rules have exact boundaries and amounts of data to be filled, so it is harder to avoid violations for non-compliance. If you do not want your company to face financial sanctions, you need to consider implementing new security incident notification procedures into your processes. If you need any help with achieving compliance with LGPD (or other data protection laws), feel free to send us an email 🙂