The Brazilian National Data Protection Authority (ANPD) has submitted to a public consultation on its proposed regulations regarding communication of security incidents. The consultation goes on until May 31.
The new regulation aims to standardize the way security incidents involving personal data are communicated.
Controllers will need to notify the ANPD and the data holder of any security incident involving personal data that may pose a risk or relevant damage to the data holder. An incident may be considered to pose risk or damage when it has the potential to significantly affect the interests and fundamental rights of the holder and involves:
- Sensitive data
- Data on children, adolescents or the elderly
- Financial data
- Authentication data in systems; or,
- Large-scale data (the data covers a significant number of data holders, volume of data, or geographical extent of holders’ location).
Examples of incidents that would be considered to significantly affect the interests and fundamental rights of the holders include those that:
- Prevent or limit the exercise of rights or use of a service
- Cause material or moral damages to the holder, such as:
  - Violation of physical integrity
  - Violation of the right to image and reputation
  - Financial fraud
  - Misuse of identity.
Any such incident will need to be reported to the ANPD within three working days. The report will need to detail a number of things, including a description of the nature and category of the data involved, the number of affected people and the risks related to the incident.
Similarly, when there is potential risk to the data holders, they also need to be notified within three working days. The notification will need to contain a description of the nature and category of the personal data affected, the risks or impact to the holder, the measures that were or will be adopted to reverse or mitigate the effects of the incident, the date the company became aware of the incident and, finally, the contact details of the person in charge for obtaining further information.
The ANPD may impose a daily fine for any unreported incidents to ensure compliance with these new regulations as part of the LGPD.
Following notification and investigation, the ANPD may order the controller to adopt measures to safeguard the rights of the holders. Additionally, if the ANPD determines that the controller's communications are insufficient to reach a significant portion of the impacted holders, it may decide to publicise the incident via the media. Any costs related to this will be covered by the controller.
Controllers will need to keep a record of all incidents involving personal data for a minimum of five years, regardless of whether they were communicated to the ANPD. The incident record will need to contain:
- Date the controller became aware of the incident
- General description of the circumstances
- Nature and category of the information involved
- Number of holders affected
- Risk assessment and possible damage to holders
- Measures to correct and mitigate
- Form and content of any communication
- If not communicated, the reasons for this.
Value Privacy’s experts are on hand to make sure that you and your company aren’t caught out by new or existing privacy laws.
You can find out more about the services we offer or just get in touch with us directly with any questions you have about how privacy laws impact you.