The Brazilian National Data Protection Authority’s Established Guidelines on Best Practice Regarding Data Breaches

Marcela Ejnisman
TozziniFreire Advogados, Sao Paolo
​​​​​​mwe@tozzinifreire.com.br

Carla do Couto Hellu Battilana
TozziniFreire Advogados, Sao Paolo
​​​​​​​ccouto@tozzinifreire.com.br

Initially, with a broad perspective, the Brazilian National Data Protection Authority (ANDP) clarifies that if the source of a data breach is known, the data subject may directly contact the data processing agent involved to confirm whether their personal data is among those that were allegedly exposed, and in which case the personal data in particular, which was affected. The ANPD also provides general informational security guidelines for data subjects to alleviate the individual impact of the breach, such as changing passwords and other access information related to the platforms affected by the breach. The Authority further mentions the benefits of adopting two-factor authentication protocols, that is, the use of two different methods to verify a user’s account, therefore mitigating the impact of data breaches which might jeopardise the safety of one of such factors. In this regard, the ANPD finally recommends that data subjects refrain from using unofficial platforms that allegedly verify whether their personal data was involved in major data breaches in order to avoid potential further exposure of the data to untrusted sources.

Shifting its focus from the data subjects’ individual actions when addressing data breaches, on 22 February 2021, the ANPD published a set of guidelines on how the data processing agents should proceed when faced with a data breach involving personal data under their control. Although this topic is currently under the Authority’s regulatory agenda to that extent that the receival of contributions on the matter from civil society has already taken place, the ANPD’s general recommendations already outline what is understood as a set of best practices that should be followed when addressing a data breach.

In the aforementioned recommendations, the ANPD defines the term ‘data breaches involving personal data’ pursuant to the provisions of Article 46 of the Brazilian Data Protection Law (LGPD), and further stipulates the need for the data processing agents to pursue an internal analysis of what is at stake when such a breach occurs. This analysis should not only take into account an overview of the category and volume of data subjects involved and what personal data was affected, but also an impact analysis of the specific and likely consequences of the breach.

In addition to this preliminary evaluation, the ANPD reiterates the need to notify the occurrence of the breach to those responsible for addressing such matters. This includes the data protection officer (DPO), the data controller (in the event of an incident’s occurrence at the processor’s base), the affected data subjects, and the ANPD itself. Regarding this final hypothesis, the Authority uses the LGPD’s Article 48 to explain that it is only necessary to notify the ANPD and the data subjects if a ‘relevant risk or damage to data subjects’ is verified. This parameter is still open and lacks ANPD regulation. Furthermore, some parameters are already established within the Authority’s guidelines, such as how to define the impact of the breach. Such evaluation requires an analysis of the existence of sensitive data, data subjects involved in vulnerable situations (such as children and teenagers), as well as the potential occurrence of material or moral damages to data subjects (such as discrimination, financial fraud or identity theft).

In this scenario, the data processing agents need to notify the Authority in the ANPD’s Electronic Protocol system within two working days of the date of knowledge of the incident. It will then be necessary to submit a set of specific information, as provided in the Authority’s form for communication of a personal data security incident available at https://www.gov.br/anpd/pt-br/assuntos/formulario-de-comunicacao-de-incidentes-de-seguranca-com-dados-pessoais_01-03-2021.docx.

As a result, it should be noted that the Authority’s Guidelines start to bring light to the uncertainties left by the LGPD concerning how to assess and address impacts of personal data breaches. Even though such provisions represent only a preliminary understanding of what might be the ANPD’s future regulatory strategy on the matter, the Guidelines are timely. As the market’s players continue to adapt their organisational structures to ensure a full conformity with the LGPD, the concerns regarding cybersecurity and data subjects’ protection should indeed be kept in mind throughout this process of creating a safer environment for processing personal data.