Brazil: Adopted ANPD Security Incident Reporting Regulation (Resolution No. 15)

On 24 April 2024, the National Data Protection Authority (ANPD) of Brazil adopted the Security Incident Reporting Regulation (Resolution No. 15). The regulation sets forth a framework for handling security incidents that have the potential to pose significant risks or cause harm to data subjects. Among its provisions, the regulation outlines specific criteria for reporting such incidents, establishes protocols for communication both to the ANPD and affected data subjects, and delineates procedures for thorough investigation, communication, and record-keeping. In particular, the regulation specifies that data controllers are required to notify the ANPD within 3 working days of security incidents. The regulation comes into force on the day of its publication in the Official Journal of the Union.