LGPD Breach Notification Protocol
The LGPD (Brazil's data protection law) sets out clear notification obligations in cases of security incidents that may pose a risk or cause harm to data subjects. Understanding when, how and whom to notify is essential for compliance and crisis management.
Legal Basis
Article 48 of the LGPD provides that the controller must report to the national authority (ANPD) and to the data subject the occurrence of a security incident that may pose a relevant risk or cause relevant harm to data subjects. This notification must be made within a reasonable time frame.
In addition, Article 52 establishes that processing agents who fail to adopt adequate security measures are subject to administrative penalties that may reach 2% of the company's revenue, capped at R$ 50 million per violation.
When Notification Is Mandatory
The obligation to notify arises when the incident may pose a "relevant risk or cause relevant harm" to data subjects. Criteria for assessment include:
Nature of the Data: Sensitive data (health, racial origin, religious belief, etc.) require greater attention than less sensitive data.
Volume of Data: Incidents involving a large number of data subjects generally require notification.
Potential for Harm: Assess whether the incident may result in financial or moral damages, discrimination, fraud or other harm to data subjects.
Protection Measures: Data encrypted with uncompromised keys may reduce or eliminate the need for notification.
Notification Time Frame
The LGPD requires notification within a "reasonable time frame", without specifying an exact number of days. International references suggest:
GDPR: 72 hours for notification to the authority, and "without undue delay" to data subjects where there is a high risk.
Brazilian Best Practices: It is recommended to notify the ANPD within 72 hours and data subjects as soon as possible, ideally in parallel with or shortly after notification to the authority.
Initial vs. Final Communication: When the investigation is not complete, an initial communication can be made with the available information and supplemented later.
Notification to the ANPD
Notification to the National Data Protection Authority must contain, pursuant to Article 48, §1:
I - Description of the nature of the affected personal data: Specify categories of data (CPF, email, financial data, sensitive data, etc.).
II - Information about the data subjects involved: Number of data subjects affected and their characteristics (customers, employees, minors, etc.).
III - Indication of the technical and security measures used: Security controls implemented (encryption, firewalls, backups, etc.).
IV - Risks related to the incident: Impact analysis, potential harm to data subjects.
V - Reasons for the delay, where applicable: Justification if notification was not made within an appropriate time frame.
VI - Measures adopted to reverse or mitigate the effects: Corrective actions, remediation, security improvements.
Notification to Data Subjects
The communication to data subjects must be clear, in accessible language, containing:
What happened: Description of the incident without excessive technical jargon.
Which data was affected: Categories of compromised personal data.
When it occurred: Period of the incident and date of discovery.
Possible consequences: Risks the data subject may face (fraud, phishing, etc.).
Measures adopted: Actions taken by the organization to remediate the incident and prevent recurrence.
Recommendations to the data subject: Practical guidance (password change, credit monitoring, alertness to fraud).
Contact channel: Focal point for inquiries from the data subject (email, phone, portal).
Notification Channels
To the ANPD: Through the official channel made available by the authority (website, online system, specific form).
To Data Subjects: Means appropriate to the context and urgency: individual email, website publication, in-app notice, registered letter for serious cases. SMS and push notifications may be used for urgent alerts.
Media: For large-scale incidents, consider public communication through the press for broad reach.
Waiver of Notification
Article 48, §3 allows a waiver of notification to the data subject when the ANPD verifies that technical protection measures were adopted that render the data unintelligible to unauthorized third parties.
Encryption: Data encrypted with strong algorithms and uncompromised keys may justify a waiver.
Pseudonymization: In some cases, robust pseudonymization techniques may reduce the risk to the data subject.
Risk Assessment: Even with encryption, if there is significant residual risk, notification may be necessary.
The Role of the DPO
The Data Protection Officer (DPO) plays a central role in the notification process:
Coordination: Coordinate the assessment of whether notification is needed, the preparation of content and delivery to the parties.
Interface with the ANPD: Act as the point of contact with the authority.
Guidance: Advise teams on legal requirements and best practices.
Documentation: Ensure adequate documentation of the entire notification process to demonstrate compliance.
Integration with Incident Response
The notification process must be integrated into the incident response plan:
Initial Assessment: During the containment phase, preliminarily assess whether the incident will require notification.
Timeline Tracking: Document the timestamp of discovery, containment and important milestones for calculating time frames.
Parallel Paths: Begin preparing notifications in parallel with the technical investigation to minimize delays.
Decision Points: Define checkpoints in the response process for a formal decision on notification.
Legal Aspects
Legal Counsel: Involve legal counsel from the outset to assess legal obligations and litigation risks.
Privilege: Consider attorney-client privilege in communications about the incident for protection in any future proceedings.
Class Actions: Notifications may trigger class actions. Careful language is essential.
Civil Liability: Failure to notify properly may aggravate civil liability for harm to data subjects.
External Communication
In addition to mandatory notifications, consider additional communications:
Partners and Suppliers: If shared data was affected, notify joint controllers and processors.
Investors: For public companies, assess disclosure obligations to shareholders and the market.
Insurers: Notify cyber insurers in accordance with the terms of the policy.
Sector Authorities: BACEN for financial institutions, ANS for health plans, etc.
Templates and Preparation
Preparing notification templates in advance speeds up the response and ensures appropriate content:
ANPD Template: A document pre-approved by legal counsel covering all requirements of Article 48, with variable fields to be filled in.
Data Subject Template: Versions for different types of incident (ransomware, phishing, unauthorized access) and audiences (B2C vs. B2B).
FAQ: A frequently asked questions document for customer support and the call center to answer data subjects' questions.
Press Release: For incidents that will draw media attention.
Documentation
Maintain complete documentation of the notification process:
Record of Processing: Record it in the register of processing operations pursuant to Article 37.
Decision Log: Document the reasoning for decisions about notification, including whether it was waived.
Evidence of Notification: Keep proof of delivery (email receipts, protocols, return receipts for letters).
Communication Tracking: A log of all communications with the ANPD, data subjects and other parties.
Post-Notification
After the initial notifications, maintain an ongoing dialogue:
Updates to the ANPD: Report on the progress of the investigation and additional measures as requested.
Support for Data Subjects: Keep a channel open for questions and offer adequate support (e.g., free credit monitoring).
Ongoing Transparency: Update public communications as new relevant information emerges.
Comparison with the GDPR
For organizations operating globally, it is important to understand the differences between the LGPD and the GDPR:
Time Frame: The GDPR specifies 72h; the LGPD mentions a "reasonable time frame".
Penalties: Both have significant fines, but the GDPR can reach 4% of global revenue vs. 2% under the LGPD.
Threshold: The GDPR requires notification if there is a "likely risk"; the LGPD if there is a "relevant risk or relevant harm".
Final Recommendations
A well-structured notification protocol is essential for LGPD compliance and crisis management. Organizations should have clear processes, prepared templates and trained teams to respond quickly when necessary. Proper notification not only fulfills a legal obligation, but also preserves customer trust and the organization's reputation. Advance preparation and integration with incident response are essential for effective execution under pressure.
