Incident Guide | Article 48 and Resolution 15/2024

Brazil LGPD Incident Reporting

Build the incident workflow around Article 48 and the current ANPD reporting rule.

If the incident can create relevant risk or damage, the timing, content, and evidence trail now matter as much as the technical response.

Author
Sorena AI
Published
Feb 21, 2026
Updated
Feb 21, 2026
Overview

Article 48 requires the controller to notify ANPD and the affected data subjects when a security incident may cause relevant risk or damage to data subjects. The current ANPD incident communication flow, under Resolution CD/ANPD No. 15 of 24 April 2024, uses a 3 business day deadline counted from the controller's awareness of the incident, allows a preliminary communication when facts are still being established, and requires the complementary information within 20 business days.

Section 1

Start with the Article 48 threshold, not with panic notifications

Not every security event is reportable. The threshold is an incident involving personal data that can create relevant risk or damage to data subjects.

Your first decision record should therefore document the affected data, the likely consequences, whether confidentiality, integrity, or availability was compromised, and who approved the risk conclusion.

  • Separate confirmed personal data incidents from ordinary IT outages
  • Assess risk to rights and freedoms, not only business impact
  • Document the legal and technical rationale for notify or do not notify decisions

Section 2

Run the 3 business day communication clock with one case record

Resolution CD/ANPD No. 15 of 24 April 2024 sets the current rule: the controller communicates the incident to ANPD within 3 business days of becoming aware of it. Both the ANPD incident form and the annexes to the international transfer regulation reflect that deadline. Teams need one record that shows when the incident occurred, when the controller learned of it, when ANPD was notified, and when data subjects were notified.

Notice from the operator (the LGPD term for the processor) to the controller is a critical upstream dependency, because the controller's clock runs from its own awareness. If the operator is late or incomplete, preserve that evidence: it affects the controller timeline and becomes part of the vendor oversight record.

  • Timestamp occurrence, awareness, containment, ANPD notice, and data subject notice
  • Collect operator facts early and preserve vendor correspondence
  • Prepare a justification record if the 3 business day window cannot be met
Section 3

Use preliminary communication correctly

The ANPD form supports a preliminary communication when all facts are not yet available or data subject communication has not yet occurred. That is a controlled exception, not a substitute for closing the investigation later.

A preliminary communication must be followed by a complementary submission within 20 business days, in the same process, with the missing facts and the final risk assessment.

  • Reserve preliminary communication for justified information gaps
  • Track the 20 business day complement deadline from the first communication date
  • Keep the preliminary and complementary filings tied to one case file
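The single case record described in Sections 2 and 3, as an added example (not code from the page, from Sorena, or from ANPD): it stores the occurrence, awareness, operator notice, ANPD and data subject timestamps, computes the 3 business day ANPD window and the 20 business day complementary window in business days, and flags a missed window that has no justification on file. Assumptions, labelled as such: a business day is Monday to Friday outside a holiday list, the holiday set is constructed for the example rather than an official calendar, and counting starts on the first business day after the trigger date (awareness for the ANPD window, the first communication for the complementary window). The page does not state the counting convention, so confirm it with counsel before relying on the dates.

```python
"""Minimal LGPD incident case record with business day deadline arithmetic.

Added example, not part of the original page. Counting convention and the
holiday list are assumptions (see comments below).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set

ANPD_NOTICE_BUSINESS_DAYS = 3      # Resolution CD/ANPD 15/2024: 3 business days from awareness
COMPLEMENT_BUSINESS_DAYS = 20      # complementary submission after a preliminary one

# Constructed holiday set for the example; replace with the calendar your
# counsel confirms. Not an official ANPD or national holiday list.
CONSTRUCTED_HOLIDAYS: Set[date] = {date(2026, 4, 21), date(2026, 5, 1)}


def is_business_day(d: date, holidays: Set[date] = CONSTRUCTED_HOLIDAYS) -> bool:
    """Monday..Friday and not a listed holiday (assumption about what counts)."""
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays: Set[date] = CONSTRUCTED_HOLIDAYS) -> date:
    """Date n business days after start; start itself is not counted (assumed convention)."""
    d, counted = start, 0
    while counted < n:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            counted += 1
    return d


@dataclass
class IncidentCase:
    case_id: str
    occurred: date                          # when the incident happened
    aware: date                             # when the controller learned of it
    operator_notice: Optional[date] = None  # when the operator told the controller
    anpd_notified: Optional[date] = None    # first communication to ANPD
    preliminary: bool = False               # was that first communication preliminary?
    complement_filed: Optional[date] = None # complementary submission, same process
    subjects_notified: Optional[date] = None
    justification: str = ""                 # why a window was missed, if it was

    def anpd_deadline(self) -> date:
        return add_business_days(self.aware, ANPD_NOTICE_BUSINESS_DAYS)

    def complement_deadline(self) -> Optional[date]:
        if not (self.preliminary and self.anpd_notified):
            return None
        return add_business_days(self.anpd_notified, COMPLEMENT_BUSINESS_DAYS)

    def status(self, as_of: date) -> Dict[str, object]:
        """Deadline status as of a given date, so the check is reproducible in evidence."""
        anpd_due = self.anpd_deadline()
        anpd_late = (self.anpd_notified or as_of) > anpd_due
        comp_due = self.complement_deadline()
        comp_late = comp_due is not None and (self.complement_filed or as_of) > comp_due
        return {
            "case_id": self.case_id,
            "anpd_deadline": anpd_due,
            "anpd_late": anpd_late,
            "complement_deadline": comp_due,
            "complement_late": comp_late,
            # a missed window with no written rationale is the gap auditors look for
            "missing_justification": (anpd_late or comp_late) and not self.justification.strip(),
            "operator_lag_days": (self.operator_notice - self.occurred).days
            if self.operator_notice else None,
            "subjects_notified": self.subjects_notified is not None,
        }


# Constructed sample case: awareness on a Friday, preliminary notice on the Wednesday.
SAMPLE_CASE = IncidentCase(
    case_id="INC-2026-0417",
    occurred=date(2026, 4, 15),
    aware=date(2026, 4, 17),
    operator_notice=date(2026, 4, 17),
    anpd_notified=date(2026, 4, 22),
    preliminary=True,
)

if __name__ == "__main__":
    for k, v in SAMPLE_CASE.status(as_of=date(2026, 4, 24)).items():
        print(f"{k}: {v}")
```

Run `status()` with a fixed `as_of` date each time the case is reviewed and keep the output with the case file; a late notice whose justification field is empty is the finding to close before the file is archived.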
Section 4

Prepare the content ANPD and data subjects expect

The current ANPD form expects controller identity, DPO or representative information, operator data when relevant, risk evaluation, incident type, affected categories of data and data subjects, likely consequences, and mitigation actions.

Data subject communications should use clear language and explain what happened, what data was affected, the risks, the mitigation measures, and how to contact the controller for more information.

  • Keep a standard evidence pack with facts, risk analysis, communications, and remediation actions
  • Retain copies of the message actually sent to affected data subjects
  • Add post-incident control hardening and validation to the final case closure file