Brazilian Pension Funds Authority strengthens LGPD compliance with incident reporting procedures and a planned privacy governance programme

The Brazilian Pension Funds Authority (PREVIC) set out measures to improve transparency and the secure processing of personal data under Brazil’s General Data Protection Law (LGPD), building on an ordinance that brings together strategic areas of the authority to develop, coordinate and implement LGPD-related standards and procedures. Work completed in 2025 includes an internal model for handling and reporting personal-data security incidents, with criteria and impact assessments to support timely notification to Brazil’s National Data Protection Authority (ANPD) and affected data subjects. PREVIC also launched a dedicated portal page disclosing guidance and materials on its personal data processing, and issued internal tools such as a staff code of conduct and responsibilities, an education and awareness plan, and a monthly bulletin on LGPD actions and practical data-protection guidance. For 2026, the LGPD working group plans a detailed review of whether existing measures are sufficient, whether collected data are necessary, and whether the retention and processing of sensitive data comply with the LGPD, alongside continued staff training. The main intended delivery is a Personal Data Privacy Governance Program to demonstrate ongoing maturity through updated policies, implemented processes and risk-mitigation mechanisms, with data confidentiality also treated as an integrity obligation subject to administrative sanctions in case of leakage.