Under LGPD, personal data controllers must adopt measures to prevent harm to personal data owners. However, in the event of a security incident, data controllers must notify the ANPD and the personal data owners of the security incident’s occurrence.
To make the legal provision effective, the ANPD has made available a new Security Incident Reporting Form, which must be filed at the SUPER.br Access, preferably in PDF format.
The ANPD still needs to define the reasonable time for the notification, under Article 48, Paragraph 1 of the LGPD. However, a conservative stance suggests that the communication should be made within two (2) business days from the knowledge of the fact.
To access the ANPD instructions, click HERE.