5 Steps for Businesses to Get Ready for the Law on Personal Data 152-FZ
Citizens' personal data is specially protected information. The legislation of the Russian Federation (Federal Law № 152-FZ of 27.07.2006 "On Personal Data") strictly defines the requirements for protecting personal data and the rules for processing it, both without automation and in information systems.
Responsibility for the collection, processing, storage and protection of the personal data (PD) of employees, clients and other persons lies entirely with the company's owner. Every enterprise should therefore establish a procedure for working with PD and develop the corresponding documents and measures for organizing PD protection.
Nevertheless, any entrepreneur may reasonably ask: "Does Law № 152-FZ apply to my company?" The answer is simple: Law № 152-FZ applies to everyone who collects and processes personal data.
In this article, we provide step-by-step instructions to help you meet personal data protection and processing requirements.
Who regulates data protection law in Russia
Federal Law № 152-FZ defines the state organizations authorized to exercise control in the area of personal data protection. The law specifies three departments of the Russian Federation that monitor whether legal entities do what the law requires of them in order to effectively protect the PD of citizens. These are such state bodies as:
How to process PD
Law № 152-FZ sets out almost all of the operator's responsibilities. In addition to this law, other acts also contain requirements for the processing of personal data. For example, the Labor Code of the Russian Federation regulates the processing of employees' personal data. If PD is processed without the use of technical means, Decree of the Government of the Russian Federation № 687 additionally applies.
There are many laws and by-laws, but in practice you can rely on the list of documents in Roskomnadzor Order № 247 of 13.12.2017, which contains a list of operators' obligations. When carrying out an audit, Roskomnadzor checks whether the rules established by the documents on this list are being complied with.
Step 1. Make an inventory.
The first step is to figure out what information systems a company has and what specialists are working with them. The company's management and IT department should be involved in this matter. HR specialists, lawyers and sales managers should also be engaged in the process.
Most often, companies process the personal data of employees, clients, and contractors. The main task at this step is to understand precisely what personal data is processed, where it comes from and where it is transmitted. In other words, you need to outline the information flows related to the processing of personal data, both automated and manual.
Step 2. Identify protection levels for personal data.
Until March 2013, everyone who worked with personal data was required to classify their personal data information systems (ISPDn). This order is now cancelled. Thus, the classification of ISPDn according to their security is no longer valid.
However, there are levels of protection of personal data. The level of protection is an indicator that reflects the requirements for providing protection. There are four of them – the higher the level, the more serious the protection required. The levels are specified in Government Decree 1119.
Step 3. Threat model.
Identify the current threats to information systems and describe them in the threat model.
A threat model is a document that reflects the actual threats that could affect the operation of a particular information system. Requirements for measures to protect personal data processed in information systems are contained in FSTEC of Russia Order № 21.
The result of the previous two steps should be a full list of requirements for protecting personal data: the level of protection, the threat model, and the requirements that take into account the specifics of the information system processing the personal data.
Step 4. Implementing measures to protect personal data.
Once you have defined the requirements, you must implement them. The protection of personal data involves the implementation of technical and organizational measures.
Technical measures: firewall, antivirus, security analysis, encryption.
Organizational measures: appointing a person responsible for personal data protection; developing internal documents regulating the processing of personal data (all employees must read these documents and confirm this with their signature). You should draw up a "Personal data processing policy" and a "User Agreement".
There are various types of data subject consent. The consent document does not require a specific form, but it must include the information required by Part 4 of Article 9 of 152-FZ. The requirements for the consent are covered in the article.
When developing a Policy on the processing of personal data, we recommend that you follow the guidance provided by Roskomnadzor.
Step 5. Notification of state authorities.
The operator should notify Roskomnadzor about personal data processing and provide it with the data gathered in the previous steps. You can do this via the website. Roskomnadzor keeps a special register of personal data operators and updates it as new information arrives.
In some cases, there is no need to notify Roskomnadzor. For example, if you process only employees' data, or if PD is collected only for the purpose of fulfilling a specific contract with a specific person and will not be used further.
Nowadays, the correct processing of personal data in a company is considered an obligation on a par with the timely payment of taxes or respect for employee rights.
Failure to comply with these legal requirements may result in fines of up to 295,000 rubles.
To avoid financial losses from fines and compensation for moral damages to citizens, or the suspension of business due to the blocking of a website and inspections by Roskomnadzor, companies must ensure from the outset that personal data is processed in accordance with the law.