Three years of LGPD: more than 600 cases have already been registered with the National Data Protection Authority

The General Data Protection Law (LGPD) marks three years in force in Brazil this Monday (18). It sets guidelines that companies must comply with when handling personal data and specifies penalties for non-compliance. During this period, the National Data Protection Authority (ANPD) documented 636 security incidents.

The Authority is responsible for monitoring data processing and for applying sanctions when processing is carried out in breach of the legislation.

According to the ANPD, the most frequent incidents involve data hijacking, exploitation of vulnerabilities, unauthorized access to information systems and theft of credentials. Many of these cases result from security deficiencies that expose personal data, contributing to an increase in scams.

The majority usually happen via social networks and instant messaging applications, where information is obtained to carry out financial fraud.

Since January 2023 it has been possible to quantify the types of security incidents reported to the ANPD. They are:

  • Data hijacking (ransomware) with information transfer: 40 reports
  • Data hijacking (ransomware) without information transfer: 34 reports
  • Exploitation of vulnerability in information systems: 24 reports
  • Unauthorized access to information systems: 19 reports
  • Credential theft: 9 reports

To date, the ANPD has 13 processing agents with ongoing inspection processes. Of this number, 6 processes were initiated in 2021, 5 processes in 2022, and 2 processes in 2023.

The sanctions that may be applied for non-compliance with the LGPD range from a warning to a fine, which can reach a maximum value of R$50,000,000.00 (fifty million reais) per infraction. The reasons are:

  • Lack of proof of appointment of those in charge, failure to send an Impact Report (RIPD) and lack of communication of a security incident to the ANPD and the data subjects;
  • Lack of communication of security incidents to the ANPD and data subjects;
  • Lack of incident communication to data subjects, lack of proof that the systems used meet security requirements, lack of proof of record keeping of personal data processing operations, failure to present RIPD;
  • Lack of communication of security incidents to data subjects; lack of security measures.

Conditions imposed by LGPD

Under the LGPD, companies may process personal data only in the following circumstances:

  • Consent;
  • Legitimate Interest;
  • Execution of Contracts;
  • Judicial or Administrative Process;
  • Legal or Regulatory Obligation;
  • Life Protection;
  • Health Protection;
  • Carrying out studies by a research body;
  • Credit Protection.

In addition to these rules, the legislation imposes 10 other principles on data handling. They are:

  • Purpose;
  • Adequacy;
  • Necessity;
  • Free access;
  • Data quality;
  • Transparency;
  • Security;
  • Prevention;
  • Non-discrimination;
  • Responsibility and accountability.

The Union is the only entity that can supervise the LGPD

Over time, the LGPD underwent some changes such as Constitutional Amendment No. 115/2022, responsible for including the protection of personal data in the list of fundamental rights and guarantees and for establishing the exclusive competence of the Union to legislate on the protection and processing of personal data.

With this determination, in addition to no rule being able to suppress or limit the right to data protection, the Union became the only entity competent to legislate and monitor the application of the LGPD, thus guaranteeing uniform application throughout the national territory.

It is worth noting that, in July this year, the ANPD applied the first sanction for non-compliance with LGPD standards to a small company in the private sector.

The firm specializing in digital law, Kasznar Leonardos, highlights the importance of disclosing this data to clarify compliance with the General Data Protection Law (LGPD). In the second quarter of this year, 160 security incidents were reported, while in 2022 this number reached 287, and in 2021, 160.

Lawyer Felipe Monteiro, partner at the firm, says that “In the second quarter of this year alone, 160 security incidents were recorded, while in the entire year 2022 the number was 287 and 160 in 2021. This number demonstrates a growing concern among processing agents to comply with the LGPD’s determinations and cooperate with the ANPD’s actions to monitor security incidents”.

Source: CNN Brasil