Compliance with Federal Law 152-FZ On Personal Data Protection: Custom Design Solution

Audit of your operations with personal data and their transfer to a secure cloud platform:

Ensuring personal data protection up to Level 2;

Preparation of expert opinions and certificates of compliance with Federal Law 152-FZ; 

Provision of technical means of protection against information security threats. 

When is a custom solution suitable?

When processing large amounts of personal data of all categories, including special and biometric data;
When planning to localize IT infrastructure in compliance with the requirements of Federal Law 152-FZ and/or foreign laws on personal data protection;
When building proprietary economically sound secure information systems for storing and processing personal data.

Does this concern you? 

Learn more about seamless migration to a scalable secure cloud platform in Secure Cloud Federal Law 152-FZ Standard Solution. 

Reasons to work with us:

We have been working with data storage and processing for over 20 years and hold licenses from the FSTEC (Federal Service for Technical and Export Control of Russia) and the FSB (Federal Security Service);
We build ready-made systems for processing personal data that are customized to suit particular business needs;
We carry out full implementation and provision of customized solutions to make sure your processes and information systems are in compliance with the requirements of Federal Law 152-FZ.

How we work on a turnkey basis

We conduct an audit of the information system for compliance with Federal Law 152-FZ;
We carry out a series of organizational works to protect personal data;
We introduce technical means of personal data protection.

Stages of work on custom solutions for compliance with Federal Law 152-FZ

We can perform a range of works for you or join the project at separate stages as consultants or developers.
Analysis of business processes and audit of the technical components. We investigate current business processes and existing information security tools, and suggest improvements.
Formation of requirements for the protection system. We determine the objective needs and the required level of information security, identify the threats that are relevant for a specific system and assess the risks of their being realized, and prepare a specific technical assignment.
Development and implementation of protection systems. We prepare solutions for individual requirements with the possibility of further scaling, along with regulations for working with personal data in accordance with the requirements of the law and information security standards.
Evaluation of effectiveness. We re-evaluate the solution, provide support in obtaining certification for compliance with the standards of Federal Law 152-FZ, and provide expert opinions.

FAQ

What does Federal Law 152-FZ define as personal data?

Any information about individuals, including names and contact details, gender, faith, as well as personal opinions on any topics. The law applies to both clients and employees. If you work with people, you are almost certainly subject to the law.

Who is the operator of personal data under Federal Law 152-FZ?

Any individual or legal entity that determines the purposes of collecting and processing personal data or performs any operations with such data, including collection, storage, analysis, use, transfer, and so on. 

Most often, organizations from the financial services, healthcare, education, hospitality, telecommunications, advertising, and retail industries are subject to checks on the fulfillment of requirements set in Federal Law 152-FZ. 

What are the requirements of Federal Law 152-FZ?

In order to comply with the law, the operator of personal data must develop internal regulations for working with personal data, implement technical protection measures, and localize data on the territory of the Russian Federation.  

The law imposes different requirements for the level of applicable security, depending on the type of personal data that the operator processes and on the extent of processing. These levels are described in detail in Clause 8 of the Decree of the Government of the Russian Federation No. 1119 of November 1, 2012.

Who verifies compliance with Federal Law 152-FZ?

The regulators responsible for ensuring compliance are Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), the FSB (Federal Security Service) and the FSTEC. Roskomnadzor is the authority most engaged in conducting checks. As a rule, the department checks whether the procedure for and security of personal data processing comply with the requirements of the law.

What liability is provided for violations of Federal Law 152-FZ?

Violations of Federal Law 152-FZ can entail all types of liability, including civil, disciplinary, administrative and criminal. 

  • Disciplinary liability under the Labor Code of the Russian Federation is provided for persons responsible for the processing of personal data, including compensation for direct damages. 

  • The Civil Code of the Russian Federation allows citizens to demand compensation from an organization if they suffered moral or property damages due to violations of the rules provided for operations with personal data. 

  • Depending on the substance of the offense, administrative liability is up to 100 thousand rubles for individuals for violation of the law on personal data, up to 800 thousand for officials, up to 20 thousand rubles for individual entrepreneurs, and up to 18 million rubles for organizations. 

  • Criminal liability for violation of the law on personal data can be qualified under a number of articles, which provide for punishment up to imprisonment for up to 4 years. 

  • Violation of the law on personal data may lead to the inclusion of the organization in the register of violators, whose websites are subsequently blocked by telecom operators at the request of Roskomnadzor. 

Does the use of cloud services relieve the operator of personal data from responsibility for compliance with the requirements of Federal Law 152-FZ?

No, it does not. By law, the operator can entrust the work with personal data to third parties, such as data processors, but their liability is limited by the agreement with the operator. The operator determines the purposes and procedure for the processing of personal data, and therefore bears responsibility before the state and the owners of the personal data.

How are the areas of responsibility between the operator and the processor delineated in the context of Federal Law 152-FZ?

When placing the processing of personal data in the cloud based on the Infrastructure as a Service (IaaS) model, the areas of responsibility of the operator and the processor can be clearly distinguished: 

  • The processor is responsible for hardware and software down to the hypervisor level; 

  • All higher levels, such as virtual machines, operating systems and the applications installed on them, are the operator's area of responsibility;

  • By default, the operator is responsible for data protection, but can delegate tasks to the processor under the Security as a Service (SaaS) model to ensure compliance. Examples of such services are antivirus protection, firewalling, VPN, etc.

Cases

Client: Developer of a digital business card service and a cloud platform for equipment maintenance management.

Objective: Organize uninterrupted data processing in a secure cloud environment with service availability for users. 

Solution: Linxdatacenter organized operations with personal data in the IaaS (infrastructure as a service) format on its platform in St. Petersburg. The migration was carried out in stages with testing of network availability after each step of implementation. 

Client: Department of an IT company.

Objective: Transfer an application with personal data to a secure cloud environment within a time limited by the term of the contract between the client and the certifying organization. 

Solution: Linxdatacenter performed the work in cooperation with the client’s contractor after assigning areas of responsibility. Linxdatacenter also took on some of the responsibilities of the client related to data protection. The work was completed on time and compliance with the Law on Personal Data Protection was confirmed by a third party, an FSTEC licensee. 
