
A little panic: it has become clearer what will happen to personal data after September 1, 2015



Fines for the various violations are summarized above.



242-FZ tells us that, from September 1, 2015, an operator is obliged to ensure that the recording, storage, modification and retrieval of personal data of citizens of the Russian Federation is done using databases located on the territory of the Russian Federation. Personal data here means everything that relates directly or indirectly to the PD subject: a phone number, and under 152-FZ even the level of security of that subject's data, can be attributed to it. For using the primary database outside the Russian Federation you face a relatively small fine and, what is worse, blocking of the resource within 3 business days of the court decision. After that, unblocking access and "exiting" the registry will be possible only by a court decision.





Who is affected



There are no exact statistics on how much Russian personal data is stored outside the Russian Federation. Quite a lot of PD is stored in the USA, Germany, England, France and other European countries, since the hosting industry is most developed there. It is logical that Russian regulators saw a number of risks in this. First of all, these are risks to the observance of the rights of personal data subjects, as well as the likelihood of losing connectivity to external data processing centers if sanctions are imposed. Hence the new law.


242-FZ covers all foreign companies that have branches in our country, international services, travel companies representing foreign firms, subsidiaries of foreign banks, and so on. The new requirements do not cover legal relationships governed by international agreements or conventions (airlines, journalism and a number of other areas). Everyone else must move. eBay, Google, PayPal and many others have already declared their readiness to continue doing business in Russia. The most difficult process probably falls to banks: there are no exceptions for them, and their IT infrastructure is usually architected in a way that makes the transfer rather difficult.



Above are the foreign companies operating in our market. Note that a domestic company may also keep its database outside the Russian Federation (for example, on Amazon), so the actual share of those who need to migrate is higher.







For large international companies the usual architecture is "hub and spoke", where the head office or a central data center (for example, in the United States) acts as the main information center. In the Russian Federation such companies will have to stand up another site: either their own regional data center, or space in someone else's. In fact, many come to us at CROC because of the FSTEC- and FSB-certified solutions already available in our Tier III (TIA + Uptime Institute Facility) data center.



What does a typical large system transfer look like?



This is quite a long and painful process (the stages are shown above):



In total, more than 4 months. In my experience, migrations take from 2 weeks for a relatively simple infrastructure up to 3 months. The problem is usually not only that the database drags many other infrastructure components along with it, but also that for many (banks, for example) business continuity matters: the customer's systems must keep running at every stage of the "relocation".



What most often needs to be moved:





What is needed on the Russian side:





That is why the procedure is rather complicated, and many do not build their own data center but set up in ones already intended for this. Many customers, for example, are happy with our secure cloud, which offers:



When transferring a database, we always separate the infrastructure of one customer from all others.



Information Security



The new legislation requires:

1. Moving PD to the Russian Federation.

2. At the same time, protecting that data to a reasonably high standard.







It should be noted that this legislative initiative is directly related to the program of import substitution in IT. Regulators encourage maximum use of existing domestic technical resources, software and other developments. However, complete import substitution in IT is difficult to achieve today.







For information security systems there are a couple of interesting features. We have quite a few good manufacturers that have passed national certification and produce what falls under the definition of "domestic software", which will therefore receive priority for use in government agencies (extending this to state-owned companies and state corporations is under discussion).



Inspections







Inspections will be carried out, and in addition you will be monitored without direct interaction (systematic observation).



Grounds for unscheduled inspections:

1. Expiry of the deadline for complying with a previously issued order.

2. Complaints from citizens (requires coordination with the prosecutor's office).

3. Information from state authorities (OGV), local self-government bodies (LSGB) and the media about violations of the law.

4. Orders of the President or the Government of the Russian Federation.

5. Violations detected by systematic observation.

6. Discrepancy between the information in the operator's notification and its actual activity.

7. Failure to comply with a Roskomnadzor (RKN) demand to eliminate a violation.

8. At the request of the prosecutor's office.



Criteria for inclusion in the scheduled inspection plan:

1. Three years have passed since the end of the last scheduled inspection.

2. Information from state bodies, local governments and the media about violations of the law, and the results of systematic observation.

3. Processing of a significant volume of PD, of biometric data, or of special categories of PD.

4. Failure to submit information, including notifications, as required by 152-FZ.



Summary



• a blacklist of violators of the rights of PD subjects has appeared;

• systematic observation of operators has appeared;

• penalties for violations of PD processing have increased;

• Roskomnadzor inspections have become more frequent and the grounds for them have expanded.



If you collect PD of Russian citizens in any amount, here is what you need to do:





Links



Source: https://habr.com/ru/post/261943/


