Many already know that on July 1 the provisions of Federal Law FZ-152 "On Personal Data" finally came into force. The federal law regulating the processing (use) of personal data has undergone significant changes that can seriously complicate business for most companies.
According to the new requirements, companies that process or use individuals' personal data on computers are required to ensure a high level of security for this data using certified security tools.
Because at the moment fewer than 5% of companies are ready to comply with these requirements, a lot of system integrators and information security specialists have appeared on the market, ready to help a company keep working as usual for a certain sum (from 10,000 rubles upward, with no upper limit).
Articles appeared on Habr in which the authors called on system administrators and IT managers to prepare for "doomsday".
Well, the “Doomsday” has arrived, and I want to share the collected information on this topic. I hope this information will help many save dozens or even hundreds of thousands of rubles.
Given the description above, the question arises: if it was known in advance that there would be changes, why did companies not prepare? This is because the deadlines for the full entry into force of all the requirements of the law were repeatedly postponed, and many thought that the July 1 date would be pushed back to the 20th, then from the 20th to the 30th, and so on. As a result, they changed nothing, and 95% of companies were left stranded.
Now, to be entered in the register of personal data operators, a company must bring its information systems in line with the new requirements. It may take months to develop all the documentation, prepare the regulations and implement the chosen protection tools.
An unwillingness to pay integrators and specialists large sums of money made it necessary to search the web for information on how to achieve compliance with the regulatory requirements for the processing of personal data on one's own.
There is already enough information, and it is not hard to find.
For example:
- ispdn.ru is an open platform for discussing issues in the field of personal data protection and the design and use of personal data information systems. It contains a list of all certified solutions, short reports on operator inspections, a review of court practice, a lively forum and typical solutions for information protection in ISPDn.
- www.itsec.ru/forum.php is the forum of the Information Security journal, which is often visited by representatives of regulatory authorities.
- anvolkov.blogspot.com is the "Security for Understanding and Not-Very-Good" blog, with an alternative view of the processes of "improving" legislation in the field of personal data.
- pd.rsoc.ru/inter-services/forum is the official personal data portal, which has almost everything, from monitoring changes in legislation to reviews of court practice. The catch is that finding any of it takes time: the section "Questions of personal data operators" is organized solely by the date a question appeared on the portal, regardless of whether the answer is semi-official, merely useful or completely pointless, so it is easy to get lost on this portal.
If we are talking about a structured, step-by-step algorithm with clear recommendations, the site http://zpdn-day.ru is worth mentioning. The information there, as I understand it, is provided free of charge. The site has instructions and document templates, and the people behind it organize free webinars on issues related to FZ-152 and the PSA.
A more complete list of links to resources on the topic can be found here.
However, it is clear that theory can differ greatly from practice, so let's share experience if anyone already has some. In principle, any information will be of interest.
So, a list of questions for discussion:
1) Has anyone already filled out a notification about the processing of personal data on the Roskomnadzor website?
2) What is the better choice: only certified software, a 50/50 mix, or not buying certified software at all?
3) What protections are there for a local network that handles personal data? Please recommend tools and share your experience.
4) Has anyone already been through an inspection? If so, how long does it take to fix the issues found?
Thanks in advance for the answers.