Artifact GuideBrazilIncident Workflow

Brazil LGPD Incident Workflow

Incident Workflow decisions under the Brazil LGPD should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.

Use this section to define scope, owner, evidence inputs, and the review outcome before execution.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

This page explains how to handle a Brazil LGPD security incident from the first alert to the final communication and recordkeeping step. It is designed to help product, legal, privacy, security, and compliance teams decide when an incident must be escalated, when ANPD and affected data subjects must be informed, and what information the response record should capture.

Section 1

How should a Brazil LGPD incident workflow run?

Start by confirming whether the event is a security incident involving personal data and whether it may create risk or relevant harm to data subjects, as described in article 48 of the LGPD. If the event does not involve personal data or does not present that risk, document the assessment and close the workflow with the supporting evidence.

If the event is in scope, gather the facts needed for the ANPD communication: the nature of the affected data, the data subjects involved, the technical and security measures already in place, the risks linked to the incident, the reason for any delay, and the measures taken or planned to reduce the harm. The ANPD form also asks who discovered the incident, when it occurred, when the controller became aware of it, when it was reported to ANPD, and when data subjects were informed.

For incidents that still lack enough information, use a preliminary communication only as a temporary step and follow up with a complete or complementary communication when the facts are confirmed. The workflow should also record the internal owner, the DPO or privacy lead, the operator if one was involved, and any communication made to other authorities or to the affected data subjects.

Detect the event and confirm whether it involves personal data and a relevant risk or harm.
Classify the incident and document the facts, sources, and time line.
Escalate to the controller owner and the DPO or privacy lead.
Prepare the ANPD communication with the incident facts, risks, and mitigation steps.
Notify affected data subjects when the incident meets the article 48 threshold and record how they were informed.
Keep the full trail: evidence, dates, decisions, owners, and any follow-up actions.

Sources for this answer

ANPD Comunicação de Incidente de Segurança

ANPD incident guidance explains how Article 48 LGPD and Resolution 15/2024 apply to controller communications to ANPD and affected data subjects.

ANPD Guia Orientativo sobre Segurança da Informação para Agentes de Tratamento de Pequeno Porte

ANPD security guidance supports practical incident-prevention and response controls for small processing agents under the LGPD.

Lei Geral de Proteção de Dados Pessoais (Lei nº 13.709/2018), artigo 48

LGPD Article 48 is the primary legal basis for communicating security incidents to ANPD and affected data subjects.

Section 2

What fields should a Brazil LGPD incident-workflow template capture?

A useful template captures role, purpose, lawful basis, data subject, category, transfer or incident trigger, owner, evidence, and ANPD/DPO escalation note.

Source URL and source quote.
Entity, product, service, system, data category, and user group.
Decision result, control action, owner, reviewer, due date, and escalation reason.
Evidence attachment, approval note, exception note, and review cadence.

Sources for this answer

ANPD Guia Orientativo sobre Segurança da Informação para Agentes de Tratamento de Pequeno Porte

ANPD security guidance supports practical incident-prevention and response controls for small processing agents under the LGPD.

Lei Geral de Proteção de Dados Pessoais (Lei nº 13.709/2018), artigo 48

LGPD Article 48 is the primary legal basis for communicating security incidents to ANPD and affected data subjects.

RESOLUÇÃO CD/ANPD Nº 4, DE 24 DE FEVEREIRO DE 2023

Template field support for Incident Workflow.

Section 3

How should teams review and improve the Brazil LGPD incident workflow?

Review the workflow after ANPD guidance, new vendors, new purposes, cross-border changes, incidents, complaints, or changes to data-subject channels.

Track recurring exception categories and update intake questions.
Remove fields that never affect the decision.
Add fields when reviews show missing source evidence or unclear ownership.
Confirm the published page and operating record use the same visible, source-linked guidance.

Sources for this answer

ANPD Comunicação de Incidente de Segurança

ANPD incident guidance explains how Article 48 LGPD and Resolution 15/2024 apply to controller communications to ANPD and affected data subjects.

ANPD Guia Orientativo sobre Segurança da Informação para Agentes de Tratamento de Pequeno Porte

ANPD security guidance supports practical incident-prevention and response controls for small processing agents under the LGPD.

Lei Geral de Proteção de Dados Pessoais (Lei nº 13.709/2018), artigo 48

LGPD Article 48 is the primary legal basis for communicating security incidents to ANPD and affected data subjects.

Resolução CD/ANPD nº 1, de 28 de outubro de 2021

ANPD procedural rules support keeping incident records, communications, and authority interactions traceable during review.

Recommended next step