Personal data: how realistic is it to get tested by Roskomnadzor?

Of all the frequently asked questions on the topic of storage, processing and protection of personal data, the following is leading in terms of frequency of occurrence: “ Can someone adequately explain how this Federal Law applies to an ordinary company that has a local 1C installation and considers a salary? ". And it applies equally to all organizations that process personal data, regardless of their size (even the IE, which leads to 1C settlements with hired employees). Naturally, a small (and even medium) company in their right mind and sober memory will ask themselves the question: “Is the game worth the candle?”

Indeed, according to the list published annually by the regulator, the percentage of organizations checked by Roskomnadzor (ILV) is a drop in the ocean compared to the number that can be observed in Moscow itself, not to mention Russia as a whole. In connection with the openness of the question and the controversy of the answers, we propose to find out what is actually the probability of falling under the RNS check? To answer the question posed, we arm ourselves with a calculator and perform elementary calculations based on official statistics.
')
According to the latest report of Roskomnadzor, which dates back to 2013, 2,418 inspections were conducted in Russia, of which 617 were unscheduled. Using some simple calculations, we find that 75% of the checks were planned and 25% were unplanned. The following figures were observed:



What number of these 125 cases (5% of the total number of inspections in Russia) the court made decisions on bringing to administrative responsibility - the report of Roskomnadzor did not say. However, the total amount of fines collected from violators in the budget of the Russian Federation. In 2013, it amounted to 147 thousand 300 rubles. Thus, units were brought to administrative responsibility, and this is despite the fact that the number of PD operators in the Roskomnadzor registry is more than 300 thousand, and the total number of PD operators in Russia is several times, if not an order of magnitude more, than the number of operators in the register of RKN.

But even if we proceed from the approximate figures of the Roskomnadzor registry and the number of ILV checks, we get the following:

• The average value of annually performed ILV checks does not exceed 2500.
• The number of PD operators in the Roskomnadzor registry, though more than 300 thousand, will be rounded off to exactly 300 thousand.

We get an approximate percentage of hit by the PD operator under the Roskomnadzor check, which is 0.83%.



Considering that the total number of PDN operators in Russia is actually several times larger, we can safely reduce the percentage obtained by at least two times, resulting in a funny 0.4%.

What exact number of all inspections across Russia will be carried out in 2015 can be calculated as described above. According to the plans of the regulator, Roskomnadzor plans to check 1267 organizations this year, which is 534 less than in 2013. Focusing on the number of unscheduled inspections for 2013, we will make a rough cape in the form of 100 additional inspections, which, for example, will occur by a certain randomness, as a result of which we get 717 unscheduled departures. Summing it all up, we get 1984 checks. As a result, the percentage of hitting a particular Russian organization under an ILV check this year is a paltry 0.66%, and this is a very approximate, roughly rounded up. The actual percentage of hit will definitely be less.

And if you believe the rumors about the reduction of Roskomnadzor’s state by 20%, where the total number of all employees now amounts to no more than 3,000 people throughout Russia, it can be concluded: the number of inspection units has also decreased. So, check more organizations than we consider in the calculations, it is unlikely to succeed. And let us be afraid of September 2015 and the fact that the number of inspections in connection with the Federal Law-152 “The Law on Personal Data” will only increase, we all understand that human resources are not limitless, and the number of man-hours is of course . So we draw conclusions, gentlemen.

Behind the checks, or How does Roskomnadzor

To begin with, Roskomnadzor inspections are of several types: scheduled, unscheduled, documentary and on-site. In addition, each of them has its own characteristics.

• Scheduled checks . Roskomnadzor warns about scheduled inspections in advance. As a rule, a notice with a copy of the order of the upcoming event is sent by mail or fax at least three working days. To learn about the scheduled inspections of legal entities (their branches, representative offices, separate structural units) and individual entrepreneurs, please visit the official website of Roskomnadzor.
• Unscheduled checks . Most often carried out on complaints received from individuals. Roskomnadzor warns about unscheduled inspection in 24 hours.
• Documentary checks . Type of inspections for which Roskomnadzor requests a list of documents, copies of which must be submitted to the territorial body of Roskomnadzor.
• Exit check . When on-site inspection is carried out on-site inspections, when representatives of the ILF come to the organization (as a rule, several people). There is a check for compliance with the requirements of FZ-152.

And now a little more. Despite the fact that the published list of checked organizations is known in advance and this type of verification is called “scheduled”, there are “unscheduled” checks, that is, when the organization did not find itself in the list of FCN, but it still came to it. The reason for this may be a recently retired employee who wants to “hand over the company with giblets” and has a malicious slander from the whole Russian good soul, or a client who uses the services of an organization who has reported serious violations with personal data. These and other cases in practice are quite common, and since the complaint is the basis for an unscheduled inspection, Roskomnadzor will not leave it unanswered. Moreover, the statistics of complaints increases annually in two or even three times.

Note...

It is possible to become a “victim” of an unscheduled inspection in another way, for this organization it is enough not to respond to the written request of the RNC. Roskomnadzor does not forgive such cases: “Have you answered our official request? Not? Then we go to you!".

According to Federal Law No. 294-, a scheduled inspection of Roskomnadzor cannot be carried out more often than once every three years. If during the last three years the inspection bodies did not please you with visits, there is a certain percentage of the probability of being among the following.

How to check

If Roskomnadzor has all the necessary documents and information about the organization being inspected, the inspection may be of a documentary nature and be carried out without contacting the company itself. If during the audit additional questions arise, the regulator forms a written, motivated request and sends it to the organization. The response to such a request must be submitted in writing within ten working days. It should contain the most convincing motivated justification, covering all aspects of interest on the part of the inspection body. If at least one question remains open, the regulator goes to the organization and conducts an on-site inspection.

Upon completion of the inspection, Roskomnadzor draws up an act , and in the event of any violations, issues a prescription, which must be executed on time. Otherwise, the organization will have to re-check or initiate an administrative violation case. For clarity, we propose to consider a scenario that describes a typical routine check of the ILV.

Typical scenario of routine testing of RKN

So, you have found your organization in the “Inspection Plan”. From there, we learned the date of the “X” hour and the timing of the inspection. Prior to the scheduled “event,” you receive a notice from Roskomnadzor, along with a list of documents that need to be prepared and subsequently demonstrated to an ILF officer. What kind of paper you need to prepare depends on the situation. It can be both organizational and administrative documents, regulations, certificates, extracts, copies, and something else. Since the list is usually quite impressive, a special register is prepared, in which the VKN reviewer leaves his autograph in front of each document. With the help of this registry is tracking documents submitted for review.

If a calendar month is set aside for a check, this does not mean that Roskomnadzor employees will be in the organization being checked all the time allotted. Most likely, several meetings will be scheduled: two, three, and maybe a few more, but within the limits of common sense. For the first meeting, as a rule, the RKN officers bring in a paper version of the Notice of the scheduled field audit of the company , evaluate and determine the scale of events, set the date for the next meeting. Usually from this point on the process is considered officially launched.

The next visit is most often considered as the main one, where the RKN staff, according to the operator’s notification, check the changes made and, if necessary, leave their comments. Further questions may follow to the staff of the main departments. When it comes to the processing of personal data, the companies with which the PD exchange occurs are polled. These can be personnel agencies, banks, telecom operators and other organizations.

According to reviews of some organizations that fell under the planned inspection of Roskomnadzor, the regulator asked them for a list of ISPDn, threat model, a project to create personal data protection, certificates for information security tools and asked questions, including cross-border transmission of information via communication channels.

As practice shows, during the inspection a much larger number of documents may be requested compared to what was originally required. According to the results of the inspection, Roskomnadzor issues an act indicating the violations found, if any, a certificate of the results of the planned on-site inspection, as well as an order to eliminate the identified nonconformities within the prescribed period.

What you need to do to test successfully

Even if your organization did not make it to the coveted list of scheduled inspections and you are not in the least afraid of unplanned RKN events, it’s still worth being fully prepared. As you know, knowledge is power, and knowledge of their rights is even more so. First of all, we recommend that you familiarize yourself with the useful list of documents: the administrative regulations for inspections of the ILV , the Federal Law on the Protection of the Rights of Legal Entities and Individual Entrepreneurs during a state audit , clarification of the ILV on the processing of biometric PD .

And in order for the test to be successful, in case there are checking inspectors of the RNS on the threshold, the following recommendations will not be superfluous:

Recommendation 1 . It is necessary to initially understand whether your company falls under the article FZ-152, which describes cases where an organization has the right to process PD without sending a notice to Roskomnadzor. If this is your case, it is enough to prepare a certificate justifying the reasons for not informing the RKN. In other cases, it is necessary to prepare and send a “Notice of personal data processing”, since this is the first thing that the inspectors pay attention to.

A company that has not sent notice to the RKN is held accountable. If a notification has been submitted, the RKN, during the audit, focuses on it, comparing it with the existing processes for processing PD of the organization. In the event of a discrepancy between reality and errors, the organization will face penalties. Do not allow such situations. Remember that the notice submitted to Roskomnadzor is not a static document, it is constantly supplemented. Moreover, notifications about changes should be exactly as much as the changes themselves. Please note: if the notification was filed after the organization started PD processing activities, this is an excuse to fine the organization.

Recommendation 2 . Roskomnadzor does not check personal data information systems (ISPDN), these issues are dealt with by FSTEC and the Federal Security Service of Russia. The tasks of the RNR mainly include the verification of documents, therefore it is necessary to concentrate on the preparation of relevant documentation. Pay special attention to quality - it should be at a high enough level. We recommend that you follow the current legislation and keep all reports properly.

Recommendation 3 . If an upcoming check causes you to fear and feel you need additional help, contact the services of experienced consultants. They will support you in difficult times, especially since no one forbids doing this.

Recommendation 4 . Prepare personnel for the upcoming inspection. It can be trainings, meetings - anything. Your employees need to know what to say, how to talk, and what better not to talk about. Remember that each process must comply with the developed regulations, familiarize them with your colleagues.

Cribs not only in school

When preparing for a meeting with the auditors, it is rather difficult to keep all the nuances in mind. We offer to use a specially prepared cheat sheet, which describes the basic rules established by Roskomnadzor.

Deadline for your submission of documents required for documentary verification	10 working days from the day you receive a reasoned request
Deadline for documentary verification	10 working days
The quantitative composition of inspectors during the on-site inspection and their grounds for verification	At least two officials, including the official responsible for legal matters. A field audit is carried out only upon presentation of official IDs of inspectors and a copy of the relevant order of the head of the Roskomnadzor body
The term and procedure for notification of the beginning of the on-site inspection	Scheduled inspection - Not later than within three working days prior to the start of the inspection by sending a copy of the order for the inspection to be carried by postal mail with notification of receipt or other available means Unscheduled inspection - Not later than 24 hours before the start of its conduct in any way possible
Duration of the on-site inspection	20 working days (extension is possible for a period not exceeding 20 working days)
The procedure for appealing decisions based on the results of inspections	Appeals against actions of officials may be made in writing or orally during a personal reception. The complaint must be considered within 30 days, the term may be further extended for another 30 days

Summing up, we emphasize: you shouldn't be afraid of the checks of Roskomnadzor, you just need to be ready for them. Judging by the fact that the percentage of organizations hit by an ILV compared to the total number of companies throughout Russia is simply insignificant, it is unlikely that they will come to you tomorrow, especially if you are an individual entrepreneur or a small company. But even if you become the owner of the letter of happiness from the RKN, hitting the golden top ten favorites of Fortune, it’s definitely not worth it to panic. Knowledge of your rights, compliance with obligations, compliance with the requirements of current legislation and early preparation for possible verification will be the best cure for all ills.