OneTrust Certified Privacy Professional Practice Exam

Prepare for the OneTrust Certified Privacy Professional Exam with detailed questions and explanations. Utilize flashcards and comprehensive MCQs to ensure you're ready to excel in your certification journey.

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Per the LGPD, how quickly must communication regarding a security incident be made to the national authority and data subject?

  1. Immediately

  2. Within 72 hours

  3. In a reasonable time period as defined by the national authority

  4. Within 30 days

The correct answer is: In a reasonable time period as defined by the national authority

Under the Lei Geral de Proteção de Dados (LGPD), when a security incident occurs, organizations are required to communicate relevant details to the national authority and affected data subjects. The correct timeframe for this communication is indeed based on the stipulation that it must occur "in a reasonable time period." The LGPD emphasizes that organizations should notify the national authority as soon as possible after becoming aware of the incident.

The requirement allows for flexibility, permitting businesses to assess the situation and determine the most appropriate timeline for notification without being bound to a strict deadline. This flexibility intends to ensure that organizations can conduct an initial assessment of the incident, understand the implications, and then provide meaningful information to the authorities and individuals impacted.

Understanding the other options helps clarify the difference between them and the correct choice. Immediate communication may not be feasible in every case, especially if the organization requires time to investigate the breach comprehensively. Similarly, while there is a reference in some regulations to notifying authorities within specific time frames such as 72 hours, the LGPD does not impose this rigid timeframe. Lastly, the 30-day notice period is also not a requirement under the LGPD, as it prioritizes timely and thoughtful communication rather than arbitrary deadlines.