Experts: enforcement of 152-FZ requirements is strengthened
- When: 28 November 2019
Users’ personal data is playing an increasingly important role in the creation of new business models for companies. The Russian Federation has implemented two laws, 152-FZ and 242-FZ, setting the requirements for personal data security and storage. Today, most companies do not have enough in-house expertise to carry out the complex procedures these security measures require on their own. Having the whole range of measures handled in the secure cloud of a third party is one of the main ways to overcome this problem.
This opinion was expressed by participants in seminars on the protection of personal data organized by Linxdatacenter for business representatives in Moscow and St. Petersburg in October 2019. The seminars were a continuation of the summer events "152-FZ: expectations and reality."
Users’ personal data is playing an increasingly important role in creating new business models, services and products that rely on data analytics, various forms of personal recognition and identification, online transactions, etc. Along with this, the burden on businesses to ensure that this information is processed correctly and in accordance with the legislation of the Russian Federation is growing. If the requirements are not met, the regulator fines the company.
However, Vadim Perevalov, senior lawyer at BakerMcKenzie, believes that fines for business are not the worst consequences of violations in the field of working with PD today. “An administrative fine is provided for the processing of personal data without the written consent of the person. The federal service for communication, information technology and mass media (Roskomnadzor) also issues an order for elimination within 6 months. However, the most unpleasant moment is the publication of information about the violation of the law in open sources. For large companies, getting to such sources and further to the media means reputational risks, which can turn out to be significantly more expensive compared to any fines and regulations”, the expert points out.
What is more, according to Vadim Perevalov, a company can come to the regulator’s attention if a certain number of complaints about violations of the law are received against it, if the policy on processing personal data is not published on the company’s website, or if the required notifications on processing personal data are not submitted to the federal service for communication, information technology and mass media (Roskomnadzor).
Participants of the seminars came to the conclusion that in modern conditions the complex of activities on processing and protecting PD is an endless cycle. In most companies the configuration of information security systems and the approved business processes lag behind the pace at which cyber threats develop, and they require updating whenever business processes change.
According to Boris Merkulov, Linxdatacenter cloud solutions and information security engineer, cloud adoption is becoming a risk factor. According to analysts, about 83% of corporate IT systems of large companies will soon migrate to cloud platforms, which is already pushing cyber-attacks toward combined types (the use of encrypting ransomware, 0-day botnets, etc.).
The main challenge for most companies today is phishing. On average, every business in the world receives up to 200 phishing emails per day. Moreover, as PD leaks spread, phishing is becoming targeted and more effective.
Boris Merkulov also said: “In relation to Russia, we can say that the presence of 152-FZ and 242-FZ guarantees the implementation of the necessary minimum information security measures to protect personal data. However, regulators are too slow to respond to changes in cyber threats, issuing belated alerts and recommendations to combat the types of threats that have long been identified in practice. In this situation, the business should take on all the functions of independently exploring the threat landscape and taking adequate measures to prevent and eliminate them. Service providers need both to monitor the current state of the information security industry and provide infrastructure and legal compliance solutions for information security solutions for end customers”.
Olga Ermakova, senior legal adviser and compliance specialist at Linxdatacenter, notes that under Article 19 of Law 152-FZ, businesses are required to take three types of measures to protect PD: organizational, legal and technical. These measures must be necessary and sufficient to comply with the requirements of the law.
“Today, any organization can itself build a system for protecting personal data at its discretion. However, the complex nature of the task and a number of specific technical requirements make it most appropriate to transfer this area to the control of a competent contractor. This allows you to provide an additional look at the task “from the outside”, legal and technical expertise, confirmed by the necessary certificates in the field of information security”, says the expert.
An interesting example of an advanced solution for processing PD in the current context of regulatory requirements was presented by Daria Prokhorova, Head of Legal Support at Gazprom Neft Projects.
Against the background of the digital restructuring of all business processes in the company, it was decided to develop a procedure for obtaining consent to the processing of personal data as an alternative to the written form, to be used when visitors enter the company's premises. Today the Scientific and Technical Center of Gazprom Neft is working on a solution that allows a visitor to read the agreement on the processing of personal data in electronic form and sign it without pen and paper. The current norms of the Civil Code make it possible to confirm the authenticity of an agreement without a signature, through appropriate actions, for example, by scanning a passport.
The system that the Gazprom Neft Scientific and Technical Center is planning to create will recognize the photo in the passport, take a photo of the visitor and compare the two. Furthermore, it reads the passport details and automatically adds the information to the electronic database.
Such actions make it possible to obtain consent to the processing of biometric personal data in the form of an electronic document, eliminating the need to work with paper.
The federal service for communication, information technology and mass media (Roskomnadzor) has responded in different ways to the idea of obtaining consent in electronic form using an electronic signature. As Daria Prokhorova summarizes: “You need to be prepared for the fact that law enforcement practice in this matter in Russia has not yet been sufficiently developed, and a different interpretation of the law by the regulator and by personal data operators is possible. At the same time, we hope that the project will be carried out in unanimity with the authorized bodies.”
The experts concluded that businesses do not yet have enough expertise to fulfill the requirements of 152-FZ independently. What is even more important, companies do not seek to acquire this knowledge because of the complexity of the procedures. In this situation, outsourcing remains one of the main vectors of development in the PD protection sphere. This involves the whole range of information security tasks being solved in the secure cloud of a third-party service provider that has the necessary certificates from regulators, built-in security tools, and protection at the solution architecture level (for example, a hybrid cloud account). Linxdatacenter specialists report ever-growing demand for such a comprehensive service from customers who process consumers’ personal data.