The Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (abbreviated in Russian as "Roskomnadzor") has published recommendations for companies that act as personal data operators, concerning how they should organize and carry out the processing of such data.
According to the information on its website, Roskomnadzor suggests that operators carry out a number of actions that can improve the security of working with personal data (PD) and reduce the risk of its unauthorized dissemination. The scope of the recommendations is as follows:
1. Minimization of collected data
It is recommended to collect and process only the PD that are necessary for the conduct of the organization's activities. Reducing redundancy in the data collected raises the level of its security.
2. Separate storage of PD
It is recommended to provide separate data storage depending on their category: suppliers, clients, employees, etc.
3. Storing identifiers in separate databases
It is better to store data identifying a particular person (full name, phone number, address, e-mail, etc.) and information about interaction with him or her (provision of services, sale of goods, conclusion of a transaction, etc.) in separate, unrelated databases. To link the databases, synthetic identifiers can be used that do not allow information to be attributed to a specific PD subject without additional algorithms.
4. Refusal to accumulate "spare" PD
It is not recommended to collect and accumulate PD if the probability of their use is extremely small or absent. In this case, it is recommended to destroy such data, since they may not correspond to the purpose of PD processing.
5. Use of technical means
To ensure an appropriate level of PD security, it is recommended to use suitable hardware and software tools owned by the PD operator.
6. Timely notification of incidents
It is recommended to inform Roskomnadzor in a timely manner about signs of a PD incident, or about an incident that has already occurred, which led to the illegal dissemination of PD.
7. Ensuring physical access control
To prevent data compromise within the company, it is necessary to take measures to physically control access to data.
8. Appointment of a responsible person for the protection of PD
It is recommended to appoint a person responsible for the protection of PD and to grant him or her the appropriate authority.
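Recommendations 1 and 3 above describe a concrete pattern: keep only the fields the processing purpose needs, and split identifying data from interaction data, linking the two stores only through a random synthetic identifier. The following is an added illustration of that pattern, not code from Roskomnadzor or from the article; the field list and the sample subject are constructed for the example.

```python
import secrets

# Constructed list of identifying fields the operator's stated purpose actually
# requires (recommendation 1); anything else is dropped at intake.
ALLOWED_IDENTITY_FIELDS = {"full_name", "phone", "email"}


class IdentityStore:
    """Holds identifying PD only; in practice this is its own database."""

    def __init__(self):
        self._records = {}  # synthetic_id -> minimal identifying fields

    def add(self, person: dict) -> str:
        # Minimization: discard fields not needed for the processing purpose.
        minimal = {k: v for k, v in person.items() if k in ALLOWED_IDENTITY_FIELDS}
        # Synthetic identifier: random, so it carries nothing about the subject
        # and cannot be reversed without this mapping (recommendation 3).
        sid = secrets.token_hex(16)
        self._records[sid] = minimal
        return sid

    def lookup(self, sid: str) -> dict:
        return self._records[sid]


class InteractionStore:
    """Holds service/sales events keyed only by the synthetic identifier."""

    def __init__(self):
        self._events = []

    def record(self, sid: str, event: str, amount: float) -> None:
        self._events.append({"sid": sid, "event": event, "amount": amount})

    def events_for(self, sid: str) -> list:
        return [e for e in self._events if e["sid"] == sid]


def interaction_store_is_pseudonymous(store: InteractionStore) -> bool:
    """Audit check: no interaction record may carry a direct identifier."""
    return all(ALLOWED_IDENTITY_FIELDS.isdisjoint(e.keys()) for e in store._events)


def demo():
    ids, ix = IdentityStore(), InteractionStore()
    # Constructed sample subject, including a field the purpose does not require.
    sid = ids.add({"full_name": "Ivan Petrov", "phone": "+7-000-000-0000",
                   "email": "ivan@example.com", "passport_no": "0000 000000"})
    ix.record(sid, "service_provided", 100.0)
    return ids, ix, sid
```

Someone holding only the interaction store sees random identifiers and event data; attributing an event to a person requires the separately held identity store as well.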
Taking into account the recommendations above, a company should conduct an appropriate data audit, adapt its internal processes in line with Roskomnadzor's instructions, and inform and train responsible employees in the new methods of working with PD.
Please be reminded that for violation of the requirements of the legislation in the field of personal data, administrative liability is provided under article 13.11 of the Administrative Code of the Russian Federation. The scope of punishment depends on the type of offense committed. For more information about the scope of liability, see the table below.
In the matters of compliance with the legislation in the field of personal data, please contact Acsour experts.