ANPD publishes clarifications on the Personal Data Protection Impact Report

The National Data Protection Authority (ANPD) has released some questions and answers about the Personal Data Protection Impact Report (RIPD), a document provided for in articles 5 and 38 of the LGPD. The publication brings the authority's position on the management of the RIPD, from the cases in which it must be prepared and its minimum requirements to the time when it will be necessary to submit it to the ANPD.

While the RIPD regulation process is still underway, as per the Regulatory Agenda for the 2023/2024 biennium, these questions and answers indicate the direction the regulation should take and what ANPD considers to be appropriate today.

The recommendation is that the RIPD be prepared when the personal data processing process falls under the specific situations already provided for in the LGPD, that is:

in processing operations carried out exclusively for the purposes of public security, national defense, State security or the investigation and prosecution of criminal offenses;
when the processing is based on the assumption of legitimate interest;
for agents of the Public Power, including the determination as to the publication of the RIPD, and
for controllers in general, regarding their processing operations that may generate high risk to the guarantee of the general principles of personal data protection of the LGPD, as well as to the civil liberties and fundamental rights of the data subject.

Regarding the latter situation, high-risk personal data processing processes are considered to be those that fall within the concept provided for in the LGPD Enforcement Regulation for small processing agents (ANPD Resolution No. 2/2022), in which there must be, at least:

(i) a general criterion: activity on a large scale or liable to significantly affect the interests and fundamental rights of the holders, and

(ii) a specific criterion: use of emerging or innovative technologies, existence of surveillance or control of publicly accessible areas, decision-making based solely on automated processing of personal data, or use of sensitive personal data or personal data of children, adolescents, or the elderly.

The preparation of the RIPD must take place at the beginning of a process in which there is processing of personal data as framed in the cases above, to allow the controller to evaluate possible risks. For processes that are already underway, an RIDP must be prepared as soon as it is identified that processing that may create a high risk to the guarantee of the general principles of protection of personal data, to civil liberties and to the fundamental rights of the data subjects in question.

Documentation of the RIPD according to these ANPD guidelines is of paramount importance for personal data controllers to increase the maturity level of a personal data privacy and protection governance program.

If you would like more information, please contact our team specializing in Privacy and Personal Data Protection.