What should teams do about Incident Reporting To ANPD under the Brazil LGPD?
Teams should treat Incident Reporting To ANPD under the Brazil LGPD as a source-linked operating decision. Confirm whether the issue affects controller/operator roles, lawful basis, data-subject rights, children's data, international transfers, security incidents, DPO/encarregado duties, or ANPD enforcement exposure; assign the team that can change the process; and keep evidence showing the action and review trigger.
Under article 48 of the LGPD, the controller must notify the ANPD and the data subject about a security incident that may cause relevant risk or harm to the data subjects. The LGPD also says the communication must be made in a reasonable time, and ANPD rules define the detailed procedure.
The safest first step is to identify the controller/operator role, purpose, lawful basis, data category, data-subject right, transfer, or incident trigger before assigning the LGPD action.
- Write the Incident Reporting To ANPD decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.
ANPD's incident communication page supports the FAQ's reporting workflow by identifying controller responsibility, SEI filing, reportable incident criteria, and the three-business-day communication period.
The incident-communication regulation is the primary rule for when and how controllers communicate security incidents to ANPD and affected data subjects.
Direct support for the FAQ answer on Incident Reporting To ANPD.