In its first deliberative meeting of the year, ANPD, through Ordinance N. 11 of 2021, made public the agenda approved by its Board of Directors, which will be implemented during the next 2 years. The agenda includes the deadline for the beginning of the regulatory process for the main topics under the responsibility of ANPD.
Among the items that will be addressed, we can highlight ANPD’s Rules of Procedure, the data protection regime for small and medium-sized enterprises, the establishment of regulations for compliance and application of administrative sanctions, the information provided about the preparation of the Data Protection Impact Report and clarifications about the Data Protection Officer, as well as the tendency for international cooperation to share materials that are of common interest.
The Regulatory Projects in the calendar are organized in three distinct phases. The first phase is expected to start in the first 12 months, while the second phase in the first 18 months and, finally, the third phase, with an expected start in the 24 months of the calendar. Furthermore, it is important to clarify that, considering what Article 55-J, III of Brazilian Data Protection Act (LGPD) provides for, with a joint analysis of Ordinance N. 11 of 2021, it is clear that the items mentioned in the agenda will be considerable influencing factors in the elaboration of the guidelines of the National Policy for the Protection of Personal Data and Privacy by the ANPD, which measures not only the level of importance of regulatory uniformity, but also the need to comply with the established deadlines.
In line with the idea that the agenda could possibly be improved or reevaluated, ANPD’s General Coordination for Standardization will provide biannual reports to monitor the initiatives included in the agenda, which will enable practical changes in the last monitoring report of 2021 if necessary, upon the approval of the Board of Directors.
Regarding the themes addressed in the agenda to be adopted in the first phase, we highlight ANPD’s commitment to facilitate the adaptation of micro enterprises, small-sized companies and to business initiatives of an incremental or disruptive nature, the self-declared as startups or innovation companies, adopting a special regulatory regime in these cases, with the consequent creation of regulation, in accordance with article 55-J, XVIII of LGPD.
Similarly, the publication of the first ANPD Rules of Procedure also deserves attention. The item was effectively adopted by means of the Ordinance N. 1 of March 8, 2021, and will be relevant to identify significant characteristics considered by the entity and, as a consequence, the level of legal security existing in the relationship between the Authority and the subject companies.
Another relevant first phase theme is the creation of regulations for the application of administrative sanctions by ANPD. Hence, in up to 1 year, the methodologies that will guide the calculation of the standard amount of the sanctions, as well as the circumstances and conditions for their application, should be established.
Additionally, in cases where the processing of personal data represents a risk to the civil liberties and basic rights of the data subjects, the legal provision stipulates ANPD must issue regulations and procedures on impact assessments for the protection of this data, which, according to the agenda, will occur in the first 12 months of the plan. The Data Protection Impact Assessment (RIPD) is an instrument of responsibility of the data controller, through which the detailed description of the processes involved in the operation will be carried out, so that mapped risks are mitigated. And the impact reports have a strong relationship with corporate governance procedures of the data controller.
The schedule also refers to the regulation of the role of the Data Protection Officer (DPO), brought by Article 41 of LGPD. It provides that, in up to 1 year and a half, ANPD shall establish norms on the definition and authority of the DPO, including hypotheses of dispensation, according to the nature and the size of the entity or volume of the operations.
Moreover, another relevant subject that will be regulated in phase two is the international cooperation regarding data protection. Article 33 and following of LGPD deal with the possibility of the share of information being made between countries or international organizations that conform to the standard established by the ANPD, which would facilitate the full access of materials that may be of common interest.
To access ANPD’s Ordinance N. 11 of 2021, click here.
For more information about the Brazilian Data Protection Law, please contact us.