On 15 June 2023, the National Data Protection Authority (ANPD) of Brazil closed its consultation on the draft Regulations for Reporting Security Incidents with Personal Data. The draft Regulations set out the standard reporting requirements for security incidents, as required by Art.48 of the General Data Protection Law (LGPD). The draft Regulations require controllers to notify both the ANPD and the affected parties of security incidents where there is significant risk or damage in relation to personal data. The draft Regulations provide definitions of relevant incidents and set out the standard form of an incident report. Generally, an incident report must be made to both the ANPD and the affected parties within three working days of a controller becoming aware of the relevant incident. Finally, the draft Regulations contain record-keeping obligations for controllers and set out the procedures for the relevant supervisory and enforcement actions by the ANPD regarding security incidents. The consultation was initially intended to close on 31 May. Instead, the deadline for response was extended until 15 June 2023.
Original source