Brazil's national data protection authority outlines strategy

The new body responsible for enforcing the country's data protection regulations has released the initial plan and priorities for the period between 2021 and 2023.

The Brazilian National Data Protection Authority (ANPD, in the Portuguese acronym) has released its strategy and goals for the next two years.

Published on Monday (1), the document outlines advances the ANPD intends to achieve, and its three strategic objectives: strengthening the culture of personal data protection; establishing the regulatory environment for the protection of personal data; and improving the conditions for legal compliance.

As well as the ANPD's strategic roadmap, the document lists the strategic actions that will be taken to achieve the short-, medium- and long-term objectives, and the indicators to assess the goals, to be adopted over the period between 2021 and 2023.

"The planning process started since the creation of the ANPD in November 2020, and is a thermometer of what the team will do over the next few years", said the chief executive of the Authority, Waldemar Gonçalves.

Brazil's data protection regulations were introduced in September 2020, after nearly a month of uncertainty over the actual go-live date of the rules. The board members of the ANPD, the body responsible for enforcing the regulations, were appointed in late October.

According to the ANPD's strategy document, the creation of a body's overall direction is a "complex and integrated exercise, which seeks to converge perceptions about what is important for an organization to achieve its vision, respecting its mission and values."

This initial exercise, the ANPD said, also represents the creation of a framework that provides for constant monitoring, and sets out the priorities and time horizon for the achievement of goals. This process is expected to generate feedback to the organization's management and create conditions for eventual adjustment of the plan.

On the first strategic objective, fostering a data protection culture, strategic actions will include educational events and workshops on the theme, as well as guides and recommendations on data protection, and dialog with actors inside and outside government to build strategic partnerships for the studies to be carried out.

When it comes to the construction of an effective regulatory environment for data protection, the strategy outlines the need to establish priorities in the regulatory agenda, the creation and approval of regulatory issues and the establishment of swift procedures and mechanisms for handling incidents and complaints relating to data protection.

Within its second strategic objective, the agency will, among other actions, implement a flow for the system for handling incidents and complaints relating to data protection. It will also establish requirements, deadlines, criteria and procedures relating to the communication of security incidents and the receipt of complaints from stakeholders.

The third strategic objective relates to actions such as securing an "adequate and sufficient" budget, as well as the physical and human resources needed to ensure the smooth functioning of the ANPD. These include an actual office, as well as IT resources needed for the functioning of the agency.