The above measures by the ANPD provide much needed guidance for companies dealing with Personal Data Security Incidents under the LGPD.

While a clearer position through regulation is awaited, we recommend maintaining a cautious approach in respect of such incidents and to report cases even where there is a doubt regarding the risk and damages involved. A misclassification of such risk may be considered as non-compliance under the law.

Finally, the authority’s call for a public consultation process is an important step towards producing clear regulatory standards in the area.