Considering the prolonged silence of the Brazilian authority since its creation and the enactment of the law on September 18, 2020, the publication of the Agenda gives us a first glimpse of the ANPD’s level of priority for each matter.
From January 2021 to July 2022:
– ANPD Internal Regulations and Bylaws;
– ANPD Strategic Planning;
– Resolution on Initiatives for Small and Medium Enterprises, as well as Individuals;
– Resolution on Administrative Fines;
– Resolution on Incident Reporting and Deadlines; and
– Resolution on Parameters for Impact Assessments (DPIAs).
From January 2022 to December 2023:
– Resolution on the Role of the DPO; and
– Resolution on International Data Transfers.
From January 2022 to July 2024:
– Resolution on Data Subject Rights.
From July 2022 to December 2024:
– Best Practices Guide on the Legal Basis for Data Processing.
The Agenda provides for semi-annual reports to monitor the regulatory initiatives, with an express provision allowing the established dates to be readjusted in the 2021 final report. In addition, the ANPD’s CEO may change the goals and dates described above by a resolution of the Board of Directors. In that sense, although the Brazilian data protection community celebrated this news, the scenario is still uncertain and we will keep monitoring the next steps.
The authority was formally initiated in November 2020 and is currently in the process of establishing its directors, staff and basic constitution. It has already begun functioning as an information provider, and those eager to get basic information about the agency can access the newly established FAQ section on its website. It is worth mentioning that the ANPD will only start issuing administrative penalties for non-compliance with the LGPD (the Brazilian Data Protection law) in August 2021.
Please get in touch with our Technology, Cyber security, and Data Protection Team if you would like to discuss any matter further.