We pononet a bit: it became clearer what will happen to personal data after September 1, 2015

Fines for various violations are summarized.



242-FZ tells us that the operator is obliged to ensure the recording, storage, modification and retrieval of personal data of citizens of the Russian Federation (this is all that directly or indirectly relates to the PD subject. And the phone number, and even the level of security of its data can be attributed here according to 152 -FZ) using databases located on the territory of the Russian Federation. From September 1, 2015. For the use of the primary base outside the Russian Federation, a relatively small fine shines you and, what is worse, the blocking of resources within 3 business days from the date of the court decision. In this case, unlock access and "exit" from the registry will be possible only by a court decision.

Who is tolerated

There is no exact statistics on how much Russian personal data are stored outside the Russian Federation. Quite a lot of PDs are stored in the USA, Germany, England, France and other European countries, since the hosting providers industry is most developed there. It is logical that Russian regulators saw a number of risks in this. First of all, we are talking about the risks associated with the observance of the rights of the subjects of personal data, as well as the likelihood of loss of communication with external data processing centers due to the imposition of sanctions. So keep the new law.

')

242-FZ covers all foreign companies that have branches in our country, international services, travel companies - representatives of foreign companies, subsidiaries of foreign banks, etc. But the new requirements are not covered by legal relations that are governed by international agreements or conventions (airlines, journalistic activities and a number of other areas). The rest must move. The same eBay, Google, PayPal and many others have already declared their readiness to continue business in Russia. Perhaps the most difficult process is given to banks - there are no exceptions for them, and the architecture of the IT infrastructure is usually such that the transfer is rather difficult.



Here are foreign companies operating in our market. Please note that a domestic company may have a database outside the Russian Federation (for example, on Amazon), therefore, the actual percentage of those who need to switch is higher.







For large international companies, the usual architecture is “a wheel and knitting needles”, where the head office or data center (for example, in the United States) acts as the main information center. In the Russian Federation, such companies will have to raise another platform - either their regional data center, or to get up to someone else. Actually, many people come to us at CROC due to the presence of the already certified FSTEC and FSB solutions in the TIER-III TIA + UI (facility) data center.

What does a typical large system transfer look like?

This is quite a long and painful process:

• Estimated required resources - 2 weeks;
• Supplier selection process - 2 weeks;
• System analysis - 1 week;
• Migration testing - 1 week;
• Waiting for equipment - 6–8 weeks;
• Data transfer - 2–4 weeks;
• Verification of transferred data - 1 week.

Total more than 4 months. My experience of transfers - from 2 weeks for a relatively simple infrastructure to 3 months. The problem is usually not only that the database drags many more components of the infrastructure, but also that for many (for example, banks) business continuity is important. The customer’s systems are maintained at any stage of the “relocation”.



Carry most often need to:

• Online services: online store; customer portal.
• Business applications: CRM; HRMS.
• Infrastructure applications: mail; corporate forum.

On the side of the Russian Federation need:

• data centers (or server-based, preferably 2, primary and backup, although in some cases lawyers claim that backup can be stored outside the Russian Federation; the law says that when collecting the data transferred to companies, it is necessary to ensure initial accumulation, storage and processing on the territory of Russia. Then it is already possible to transfer this data abroad);
• Computational resources - in fact, the servers themselves and storage;
• Infrastructure software is a new license for a site in the Russian Federation;
• Channels of connection;
• Engineering resources;
• Support + SLA;
• Development of mechanisms for migration, synchronization and data consolidation.

That is why the procedure is rather complicated, and many do not build their own data center, but get up in the ones already intended for this. We have, for example, many are pleased with our secure cloud, where there is:

• Certified FWTEC hypervisor VMWare;
• Firewall (FW) - FSTEC certification; cryptographic protection of communication channels (IPSec VPN) - FSB certification;
• Intrusion Prevention (IPS) - FSTEC certification;
• Deep web traffic filtering (WAF);
• Anti-virus protection of network traffic;
• And any other security tools that can work in a VMware virtual environment.

When transferring a database, we always separate the infrastructure of one customer from all others.

Information Security

New legislation requires:

1. Move PD to RF.

2. And while also protecting the data to a fairly good degree.







It should be noted that the legislative initiative is directly related to the program of import substitution in IT. Regulators encourage the maximum use of existing domestic technical resources, software and other developments. However, it is difficult to achieve complete import substitution in the IT field today.







For information security systems there are a couple of interesting features. We have quite a lot of good manufacturers that have passed national certification and are doing what falls under the definition of “domestic software”, that is, will receive priority for use in government agencies (there is a discussion of possible expansion to state-owned companies and state corporations).

Checks

Checks will be conducted, plus you will be monitored without direct interaction.



Conditions for carrying out unscheduled inspections:

1. Expiration of the term of execution of the prescription.

2. Appeals of citizens (requires coordination with the prosecution authorities).

3. Information from public authorities (OGV), local authorities (LSGB) and the media about violations of the law.

4. Orders of the President and the Government of the Russian Federation.

5. Violations of systematic observation.

6. Inconsistency of the information contained in the notification, the actual activity.

7. Failure to comply with the requirements of Roskomnadzor (RKN) to eliminate the violation.

8. Based on the requirements of the prosecutor's office.



Criteria for inclusion in the audit plan:

1. The three-year period since the end of the last scheduled inspection.

2. Information from the state bodies, local governments and the media about violations of the law and the results of systematic observation.

3. PD processing of a significant number of PD / biometrics / special PD categories.

4. Failure to submit information, including notifying nature, in accordance with Federal Law-152.

Total

• a black list of violators of the rights of PD subjects appeared;

• systematic observations of operators appeared;

• increased penalties for violations of PD processing;

• the ILV checks have become more frequent and the bases have expanded.



If you collect PD of Russian citizens in any amount, then this is what you need to do:

• Reorganize business processes, IT infrastructure;
• Save / change PD in the database on the territory of the Russian Federation;
• We provide the "correct" protection of this database (ISPDN);
• We transfer PD from this DB transboundary (if necessary);
• We don’t forget about collecting agreements if they are necessary (this is necessary in case of transfer of personal data to a country not included in the list of countries that provide adequate protection of the rights of PD subjects, or countries that are parties to the Council of Europe Convention on the Protection of Individuals with automated PD processing. In this case, you need to make sure that the organization does not fall under the exception of the new law and organize the collection of the subjects' consent for cross-border data transfer)
• We make changes to the notice on the Roskomnadzor website.

Links

• Here, in the last post , there is more detailed on the documents. In short, yes, it is necessary to transfer it in order not to remain blocked in the territory of the Russian Federation. From the moment of this post, the data has been slightly updated, plus our team made several more major shifts and a few dozen smaller ones - an understanding of a number of infrastructural features appeared.
• Page "about personal data"
• Workshop with details and video