The year 2024 was marked by notable developments in the data protection landscape in Brazil, particularly with the publication of three highly relevant regulations by the Brazilian Data Protection Authority (ANPD).
These documents provide clear and specific guidelines for requirements already established in Federal Law No. 14,709/18, the Brazilian General Data Protection Law (LGPD), strengthening the existing regulatory framework.
- Security Incident Communication Regulation: This regulation outlines the procedures and deadlines for controllers and processors to report security incidents that may compromise personal data, reinforcing transparency and accountability in crisis management.
- Regulation on the Role of the Data Protection Officer (DPO): It defines guidelines for the performance of the DPO, including their responsibilities, qualifications, and contact methods with data subjects and the ANPD, ensuring that this role is carried out effectively.
- Regulation on International Data Transfers: This regulation establishes the necessary criteria and safeguards for international data transfers to align with the LGPD’s directives and global protection standards, providing greater legal certainty for companies operating in international markets.
In addition to these regulations, the ANPD launched consultations and public hearings on impactful topics such as the processing of children’s and adolescents’ personal data and the use of artificial intelligence. These initiatives reflect the Authority’s concern with keeping up with technological advancements and addressing their respective challenges and impacts on privacy and data protection.
To close 2024, in December, the ANPD initiated a supervisory process targeting 20 large companies that failed to comply with obligations set out in Article 41 of the LGPD and Resolution CD/ANPD No. 18/2024. This oversight focused on the appointment of the Data Protection Officer and the public availability of their contact information — key legal requirements to ensure transparency and facilitate data subjects’ rights.
Not only did these companies fail to clearly designate the DPO in their privacy notices and policies, but they also did not provide effective communication channels for data subjects. In many cases, the available channels were found to be ineffective, hindering the exercise of rights such as access, rectification, and deletion of personal data.
This ANPD action highlights the importance of practical compliance with the LGPD, going beyond mere documentation adjustments to demand functional and accessible processes that effectively guarantee data subjects’ rights.
Perspectives for 2025/2026
The ANPD’s Regulatory Agenda for the 2025-2026 Biennium outlines the development of regulations and guidelines on 16 priority topics. Key areas of focus include:
- Processing of children’s and adolescents’ personal data.
- Sensitive personal data, with an emphasis on biometric data.
- Artificial intelligence.
- Processing of high-risk personal data.
- Anonymization and pseudonymization.
- Sensitive personal data in the healthcare sector.
- Legal bases, such as consent and credit protection.
In general, the Authority’s initiatives and priorities indicate a trend toward a more proactive stance in supervising and enforcing compliance with the rules, signaling to organizations the importance of effectively implementing LGPD requirements – particularly in light of the use and development of artificial intelligence systems.
In this context, it is essential to ensure the adequacy of internal processes, invest in employee training and awareness, and continuously review internal and external policies to mitigate risks and avoid penalties.
The Data Protection team at KLA is available to provide comprehensive support in implementing data governance programs, ensuring regulatory compliance and legal security for your organization.