
Personal Data Security Incidents:
Bad Luck or Lack of Preparation?

By Laurier Soares - Commercial Director

On February 22 the National Data Protection Authority (ANPD) began receiving contributions on the notification of security incidents involving personal data under the terms of Article 48 of the LGPD. Alongside this consultation, the ANPD published the incident reporting form and a guidance document on how a company should proceed in the event of a leakage incident. On 03/31 the ANPD also updated, on its website, its recommendation on the deadline for reporting security incidents: as soon as possible, with a period of 2 working days considered indicative.

The speed with which the ANPD presented these guidelines shows the urgency the authority attaches to the issue, driven mainly by the rise in personal data leakage incidents in Brazil.

In a recent survey by IBM on information security in companies of different sizes and segments, Brazil was the country with the longest average time to identify and contain a data leakage incident. This indicator directly reflects the maturity of companies in managing their data protection policies and controls, in managing personal data processing and its risks, and in having an effective incident management plan in place.

The incident reporting form proposed by the ANPD requests information that makes clear the need for companies to map and formalize the personal data processing carried out in their business areas: the categories of personal data processed, the processing agents involved, the risks identified and the controls that mitigate them. From this mapping the company can open and execute action plans to manage those risks. Only in this way will it know its deficiencies and address them in a planned manner.

No less important, companies must implement a formal incident management process, establishing workflows, deadlines, roles and responsibilities. This is fundamental if the company is to meet the deadline recommended by the ANPD should a personal data leakage incident occur.

It is always worth reinforcing that the more evidence of controls and management a company can present in the event of a leakage incident, the lower the impact of any sanctions and penalties: the LGPD's own sanctioning criteria expressly consider the infringer's cooperation, the demonstrated adoption of internal mechanisms capable of minimizing harm, and the prompt adoption of corrective measures.

The MD2 Quality Manager solution offers the mechanisms needed to support companies in mitigating the risk of personal data incidents. Its interfaces guide users of the compliance program in formalizing the critical items about data processing and its risks, and allow action plans to be created with tasks, deadlines and owners, so that the DPO and team can manage the actions in a coordinated and integrated way and demonstrate diligence. The solution also provides mechanisms for formalizing policies and their compliance checklist items, so that the company can list and prioritize action plans to correct deficiencies and invest in information security. As a key differential, it incorporates process accelerators for incident management and for non-compliance in personal data processing, with ready-made workflows, roles and responsibilities, so that the company can speed up its preparation and adaptation for incident events.

Continuous Monitoring

In partnership with IBM, MD2 has extended the capabilities of its solution by incorporating market-leading IBM information security tools for monitoring and detecting cyber threats and for managing the risk of user behavior. Working together with MD2 Quality Manager, these tools offer broad security incident prevention capabilities, including policy-driven process accelerators, monitoring rules and data protection control items, and detection and preventive notification of threats and unsafe user behavior, so that the compliance team is notified and can act on risk management and continuous improvement.
