The Executive Branch approved the new regulation of the Personal Data Protection Law, which will take effect on March 30, 2025, replacing the previous version from 2013.
The regulation emphasizes the concept of impact assessments as a preventive mechanism applicable to anyone processing personal data. This involves diligently planning for risk scenarios and preemptively adopting appropriate security measures.
In terms of security, the updated regulation incorporates the latest ISO standards, notably NTP-ISO/IEC 27001 for information technologies.
It also mandates notifying affected individuals about the exposure level of their data in the event of a security breach and always reporting such incidents to the ANPD. Specifically for the financial sector, one key provision requires that any personal data security incident that exposes information to third parties and causes harm be reported within 48 hours of becoming aware of it.
These provisions apply not only to banks but to all entities managing personal data.