Companies should carry out an internal assessment on the nature, category and quantity of data subjects affected, the category and quantity of data affected, and concrete and probable consequences.
The internal assessment should be documented, including any measures taken and risk analysis, in order to comply with the principles of responsibility and accountability under the LGPD.
Notice of the incident must be given to:
(1) A supervisor at the office;
(2) The controller (if you are the operator, under the terms of the LGPD); and
(3) The ANPD and data subject (in the case of risk or material damage to the data subject).