Russian Personal Data Law – Consequences of a breach
The law on personal data protection has been in force since 2006. It has already forced some businesses to pay fines, limit their activities, and even stop operating in Russia. The law applies to any company established in Russia as well as to foreign companies located outside the country but targeting Russian citizens (for example, online stores).
We will explain how to comply with 152-FZ and what the penalties for non-compliance are.
How to protect personal data
If you collect personal data of employees or customers, you are the operator and bear responsibility for protecting it, even if third parties are engaged in the processing. For example, if a bank has collected a customer database and this data has fallen into the wrong hands, the bank is responsible for it.
The list of basic requirements:
- Set up the server in a secure location not accessible to unauthorized persons, and prohibit direct connections to the server.
- Ensure authentication so that only an authorized person can access the data.
- Install antivirus software, firewalls, and other software that protects against threats.
- Use FSTEC-certified software to protect information.
There is also a specific set of requirements for each level of protection. They are specified in Government Decree 1119. Each operator must determine the level of protection of its personal data and configure a protected IT infrastructure according to that level.
If the data is poorly protected and someone accesses it due to the operator's fault, the operator will be fined:
- An individual: 700-2,000 ₽.
- An official: 4,000-10,000 ₽.
- An individual entrepreneur: 10,000-20,000 ₽.
- A legal entity: 25,000-50,000 ₽.
Prepare necessary documentation
Apart from preparing hardware and software, the responsibilities of the personal data operator include preparing documents. The list of these documents is quite long; here are some of the most important ones.
Personal data processing policy. Previously, it was drawn up in an arbitrary form, but in August 2017 Roskomnadzor developed Recommendations on drawing up a document defining the operator's policy in relation to personal data processing, in accordance with Law No. 152-FZ. The operator is obliged to publish or otherwise provide unrestricted access to the document and to information on the personal data protection requirements being implemented. Fines for the absence of the policy:
- For individuals: from 700 to 1,000 ₽.
- For officials: from 3,000 to 6,000 ₽.
- For individual entrepreneurs: from 5,000 to 10,000 ₽.
- For legal entities: from 15,000 to 30,000 ₽.
Security threat model. The document describes the threats that could affect the data storage and processing system. If there is no "Security Threat Model", individuals will be fined 1,000 ₽ and legal entities 50,000 ₽.
Order appointing a person responsible for the security of personal data. This is usually an information security officer. He or she will be responsible for everything that happens to the data. The document is not required for individual entrepreneurs. In addition, prepare the Order on admission to processing, listing everyone who has access to personal data.
Without these documents, you would be deemed to be disclosing personal data to a third party. This is a breach of the law and a criminal offense.
Register at Roskomnadzor
If you work with customer data, you need to register as a personal data operator at Roskomnadzor.
You can send the notification online. The document must contain:
- name (surname, first name, patronymic) and address of the operator;
- purpose of personal data processing;
- categories of personal data;
- categories of subjects whose personal data are processed;
- the legal basis for the processing of personal data;
- list of actions performed with personal data;
- general description of the methods of personal data processing;
- description of measures to ensure the security of personal data;
- full name of the individual or legal entity responsible for the organization of personal data processing, and their phone numbers, postal addresses, and e-mail addresses;
- date of the beginning of personal data processing;
- term or condition of termination of personal data processing;
- details on the existence or absence of cross-border transfer of personal data;
- the location of the database containing the personal data.
Roskomnadzor periodically carries out inspections. During an inspection, the supervisory authority takes the notification and compares it with the actual personal data processing in the company. If the information does not correspond to reality, e.g. the person responsible for the organization of personal data processing has changed after the notification was submitted, the company may be fined for not sending an updated notification letter to Roskomnadzor.