Brazil's LGPD Incident Response Guidelines
What you need to know to prepare your organization for Brazil’s new privacy regulation
Brazil’s comprehensive privacy legislation, Lei Geral de Proteção de Dados Pessoais (LGPD), was passed into law in 2018 and went into effect in August 2020 (although enforcement was delayed to August 2021).
LGPD gives Brazilian citizens a variety of rights, including the right to access, correct, and delete the personal data businesses have collected about them. It also requires organizations to obtain consent and have a lawful basis for processing individuals’ personal data.
Automate LGPD obligations with the BreachRx platform
Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response
What Organizations Must Adhere to LGPD Guidelines?
LGPD applies to any organization that might process data on Brazilian citizens, no matter where the organization is actually located. It sets no minimum requirements for the size or scope of organizations subject to compliance, only granting exemptions to companies that collect data exclusively for journalistic, artistic, academic, public safety, or national defense purposes.
How does LGPD get enforced?
LGPD is enforced by a new, dedicated entity linked to the federal government known as the Brazilian National Data Protection Authority (ANPD). Brazilian citizens can also take civil action against violating companies.
Why comply with LGPD?
ANPD is dedicated solely to enforcing LGPD by investigating potential violations and issuing fines. These fines can be up to 2% of sales revenue or $50 million reais, regardless of company size.
What data protection does LGPD require?
LGPD puts the responsibility of protecting consumers’ data on organizations. It requires all companies to appoint a data protection officer (DPO) to lead security-related efforts, communicate with consumers, and liaise with the ANPD.
LGPD puts the responsibility of data protection on organizations by requiring they adopt “security, technical, and administrative measures to protect personal data” from unauthorized access, unlawful communication, and purposeful or accidental destruction, loss, and alteration.
What Incident Response is Required Under LGPD?
If a security incident occurs that might create risk or damage for consumers, LGPD details clear incident response guidelines that organizations must follow.
Organizations must notify the ANPD within a “reasonable timeframe” with all of the following information:
- Description of the personal data affected
- Information on the affected users
- Details on the technical and security measures used to protect the data (subject to commercial and industrial secrecy)
- Potential risks as a result of the incident
- Any measures that were or will be adopted to reverse or mitigate the effects of the damage
- *Reasons for a delay in reporting, only if the notice was not communicated immediately
The ANPD will evaluate the severity of the incident based on potential risk to consumers and may instruct the organization to issue a public disclosure to the media and/or adopt certain remediation measures based on that risk analysis.
The Role of Risk in Breach Notifications
LGPD has a subjective standard for breach notifications based on the risk of harm to consumers.
Along those lines, it’s recommended that organizations create a data protection impact assessment (DPIA) when dealing with data that can create heightened risk if exposed. In certain cases, the ANPD can ask an organization to produce a DPIA that describes how the organization processes any personal data that may put individuals’ civil liberties at risk.
What’s Considered High Risk Data?
Examples of data that can create a heightened risk if exposed, and therefore might require a DPIA, include data relating to:
What Are Examples of Privacy Incidents Under LGPD?
Numerous events ranging from cyber attacks to company errors can create a privacy incident under LGPD. For example, common events that qualify as an incident include:
A ransomware attack is when a third party uses malware to steal data and hold it captive in exchange for money. Regardless of whether or not the organization pays that ransom, this is still a serious privacy incident that exposes consumers’ personal data.
Any lost data records create a privacy incident since this data might be exposed to any number of people and there’s no way to track that exposure. Damage to physical data records can also qualify as a privacy incident if that is the only copy of the data.
Drive by Download Attack
A drive by download attack is when a malicious program gets installed on a computer without the user’s consent. This makes the device vulnerable to a cyberattack, like hijacking the computer or stealing data, that can compromise privacy.
Why Proactive Incident Response is Critical for LGPD
Brazil’s LGPD is now fully in effect, but a lot will change as the ANPD starts enforcing and interpreting the law. As a result, organizations need to review what the law outlines and stay up to date on how the ANPD translates the law into practice.
Staying up to date with all of this information also requires a proactive stance to incident and breach response, including actively following enforcement practices and guidances and then updating internal policies accordingly. Organizations should update their practices regularly based on effectiveness and changes to relevant laws and best practices. The best way for organizations to meet these requirements is to account for three critical phases of incident response, preparing, responding, and recovering.
This type of proactive preparation will help mitigate the financial and reputational fallout from any incidents and enable organizations to move into recovery mode as quickly as possible.
Supercharge your incident response strategy with the BreachRx platform
Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.