
Roskomnadzor releases recommendations in connection with increasing personal data leaks

11 / 09 / 2023
On its website, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) has published recommendations for personal data operators based on its analysis of databases that have been leaked into the public domain. Taken together, the recommendations amount to implementing, and elaborating on, the statutory provisions on personal data protection.

It should be emphasised, however, that these recommendations are not exhaustive, and implementing them does not by itself create a fully-fledged data protection compliance system capable of effectively countering leaks. Compliance usually requires not only strict formal adherence to the law, but also the fine-tuning of business processes, staff training, cooperation with technical specialists, and so on.

It should be especially noted that work on a draft law introducing turnover-based fines for personal data leaks is currently under way. It is proposed that the fine for a first breach be set in the range of RUB 3 million to RUB 15 million. For a repeated breach affecting 1,000 or more data subjects, the proposed fine ranges from 0.1% to 3% of revenue for the calendar year preceding the breach, or for part of the current year, but in any event no less than RUB 15 million and no more than RUB 500 million. Against this background, building a fully-fledged data protection compliance system has become especially important.

At Denuo, we are currently working on a methodology for building such a compliance mechanism, which should help minimise the likelihood of data leaks. If you would like to receive the methodology and related materials, please contact the authors of this publication.

Roskomnadzor’s recommendations

  1. Cut the list of personal data which the operator intends to process and which are being processed, to a minimum. One should use only such data that is actually necessary for providing services, selling goods and for other operations of an organisation.
  2. Ensure that different categories of personal data (clients, employees, job applicants, etc), including those that are incompatible with each other in terms of the purposes of processing, are kept separately from one another.
  3. Keep the identifiers of a person (such as full name, email, telephone and address) and data on interaction with that person (such as the services provided, goods sold, correspondence, contracts, etc) in separate databases that are not connected with each other. To connect these databases, use synthetic identifiers that do not allow information in them to be associated with a particular data subject without additional data and algorithms, and keep those synthetic identifiers separately from the other two databases.
  4. Stop the practice of accumulating personal data “just in case it is needed” and that of creating customer accounts if there is no need for this in the context of the organisation’s business operations. Destroy personal data in a timely manner after having achieved the purpose of data processing (for example, after having provided the services).
  5. Use hardware and software belonging to the operator to ensure the required level of data security. Assigning data processing to third parties does not relieve the operator of responsibility, but reduces the operator’s control over the security measures to be taken.
  6. Inform Roskomnadzor of indications and/or incidents that have resulted (or may have resulted) in the dissemination of personal data.
  7. Take measures to physically control access to data to avoid data compromises from the inside.
  8. Appoint a person to be in charge of personal data protection and grant that person the necessary powers.
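Recommendation 3 describes a concrete data architecture: direct identifiers in one store, interaction data in a second, and the synthetic identifiers that link them in a third, so that a leak of the interaction database on its own exposes no one. The following is an added example of that split (illustrative code written for this page, not Roskomnadzor's or Denuo's); the store classes, the `DIRECT_IDENTIFIERS` field list and the sample customer are assumptions made for the example.

```python
"""Added example: three-way split of personal data per recommendation 3.
Identity store (direct identifiers), interaction store (services, orders,
correspondence) and a link vault holding the only token -> identity mapping.
Illustrative code, not Roskomnadzor's or Denuo's; names and data are made up."""
import secrets
import uuid

# Fields treated as "identifiers of a person"; they must never enter the interaction store.
DIRECT_IDENTIFIERS = {"full_name", "email", "phone", "address"}


class IdentityStore:
    """Database 1: direct identifiers only, keyed by an internal identity_id."""

    def __init__(self):
        self.rows = {}

    def add(self, full_name, email, phone, address):
        identity_id = str(uuid.uuid4())
        self.rows[identity_id] = {"full_name": full_name, "email": email,
                                  "phone": phone, "address": address}
        return identity_id


class InteractionStore:
    """Database 2: interaction records keyed only by a synthetic token."""

    def __init__(self):
        self.rows = {}

    def add(self, token, event):
        # Hard stop: refuse any row that would re-introduce direct identifiers.
        offending = DIRECT_IDENTIFIERS & set(event)
        if offending:
            raise ValueError(f"direct identifiers not allowed here: {sorted(offending)}")
        self.rows.setdefault(token, []).append(dict(event))


class LinkVault:
    """Database 3: the only token -> identity_id mapping. Tokens are random, so the
    token alone cannot be reversed to an identity without this store."""

    def __init__(self):
        self.token_to_identity = {}

    def issue_token(self, identity_id):
        token = secrets.token_hex(16)  # 128-bit random synthetic identifier
        self.token_to_identity[token] = identity_id
        return token

    def resolve(self, token):
        return self.token_to_identity.get(token)


def onboard(identity, vault, full_name, email, phone, address):
    """Store the identity row and hand back only the synthetic token for use elsewhere."""
    return vault.issue_token(identity.add(full_name, email, phone, address))


def history_for(identity, interactions, vault, token):
    """Legitimate join: requires all three stores. Returns None for an unknown token."""
    identity_id = vault.resolve(token)
    if identity_id is None:
        return None
    return {"who": identity.rows[identity_id], "events": interactions.rows.get(token, [])}


def identifiers_exposed_by(interactions):
    """Models a leak of the interaction database alone: which direct identifiers does it hold?"""
    exposed = set()
    for events in interactions.rows.values():
        for event in events:
            exposed |= DIRECT_IDENTIFIERS & set(event)
    return exposed


def build_sample():
    """Constructed sample data (not a real customer) wiring the three stores together."""
    identity, interactions, vault = IdentityStore(), InteractionStore(), LinkVault()
    token = onboard(identity, vault, "Ivan Ivanov", "ivan@example.com",
                    "+7 000 000-00-00", "Moscow")
    interactions.add(token, {"type": "order", "sku": "BOOK-42", "amount": 1200})
    interactions.add(token, {"type": "support_ticket", "subject": "delivery delay"})
    return identity, interactions, vault, token


if __name__ == "__main__":
    identity, interactions, vault, token = build_sample()
    print("leaked interaction DB exposes:",
          identifiers_exposed_by(interactions) or "no direct identifiers")
    print("full history via vault:", history_for(identity, interactions, vault, token)["who"]["full_name"])
```

The point to check in a real deployment is the same one the example enforces at the `InteractionStore.add` boundary: a leak of the interaction database (or of the identity database) on its own must yield nothing that ties records to a person, and the link vault must be hosted, accessed and backed up separately from both.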