ANPD releases its 2022 Monitoring Cycle Report

The instrument is provided for in Resolution CD/ANPD No. 1/2021 and provides important information for both companies and personal data subjects on the activities carried out in 2022. The main purpose of the Report is to evaluate, account for and plan the inspection activities of the ANPD's General Inspection Coordination. In this edition, there are details of the requests and reports of security incidents already received, comments on sanctioning processes and inspection procedures already initiated, as well as proposed actions for 2023.

We highlight some indicators that show how the LGPD is having an effect:

  • 56% increase in security incident reports between 2021 and 2022, totaling 473 reports received by December 2022;
  • 1,045 Applications were received (i.e., Complaints of Violation of the LGPD and Petitions from Data Subjects), of which 12% did not refer to the LGPD, and 10.6% did not meet the necessary admissibility requirements;
  • The most common types of claim brought in these requests, based on the reports, were "exposure of personal data", followed by "difficulty in exercising the right to delete data", "data leakage" and "improper sharing of data";
  • In the Petitions from Data Subjects, the sectors most present were digital platforms, followed by the financial sector and then telecommunications;
  • 15 inspection procedures and 8 administrative sanction procedures were launched. Of the 15 inspection cases opened, 60% related to public bodies. As for the sanctioning proceedings, 7 of the 8 stemmed from possible infractions detected in security incident reporting processes, and the main issue these processes had in common was the failure to report security incidents to data subjects;
  • Publication of technical notes aimed at educating society about the ANPD's views on certain issues.

With regard to the activities carried out in response to security incident reports, the report shows that priority was given to analyzing incidents with a proven risk and involving a high number of personal data subjects. In addition, less than 10% of the incidents already reported had their analysis completed by the DPAs.

It is important to note that, although the project to regulate the procedure for reporting security incidents is still in progress, it is obligatory to report them to the ANPD and to the data subjects in cases where there is a relevant risk or damage to them.

The information provided in this report is important study material for organizations that process personal data, making it possible to understand important issues in the application of the LGPD to date. This demonstrates the importance of companies increasingly maintaining a robust and mature privacy and personal data protection governance program.