
Based on the previous article and the comments to it, we are writing a sequel that we hope covers as fully as possible how to organize personal data protection and licensing when you provide various kinds of services.
Straight to the specifics.
Suppose you are the owner of a business of any size, from a small accounting office to a large corporation. Maintaining your own infrastructure is expensive or unacceptable for whatever reason, and you want to hand the storage and processing of data over to a third party.
Before doing so, you should ask yourself several questions:
- Do you have the right to transfer processing to a third party, and what conditions does that impose on you and on your data-processing partner? Who is responsible for personal data once it has been transferred to a third-party partner?
- Do you need any licenses? What reporting will they require from you? What is a personal data operator?
- Will you be dealing with confidential information, and if so, what conditions must you and your partner meet? What licenses are needed?
The question of responsibility for the data has the simplest and, at the same time, the most fundamental answer. Yes, you can transfer the processing of personal data to a third party, but bear in mind that whoever takes over processing and storage must have the knowledge, experience and adequate capacity and, depending on the type of information transferred, certain licenses. Responsibility for storing and processing the data, however, in every case remains with the original company, that is, with you. The choice of partner therefore deserves real care. Depending on your field of activity and the information you collect, both your company and your partner must hold certain licenses.
As a result, we follow the principle that if your company needs a specific license to work with information, then the partner to whom you transfer processing must hold it as well.
Which licenses do you need? That depends on your field of activity and the information collected. If your business only collects customer information and your services do not include communication services (for example, you are a beauty salon collecting customer data on your website to manage appointments), you need no license at all (except, possibly, a license for medical services offered in the salon). That part is quite simple.
If, on the other hand, you provide communication services on your own equipment in one form or another (you are an Internet provider, a website hosting company, and so on), then under the Law on Communications providing communication services on your own equipment requires a Roskomnadzor license for telematic communication services and for data-transmission communication services excluding the transmission of voice information. This license presupposes that the operating company has its own certified communications node through which all service activity is carried out.
Obtaining this license comes down to filing an application in the established form and paying the state fee. Within a month of filing you will receive either the license or a reasoned refusal.
The license obliges the operator to file quarterly and annual reports on the services rendered.
Note that this applies to your company only if you provide communication services in your own name.
If you resell your partner's communication services (say, your contract with the client states that connectivity is provided by another telecom operator), formally you may operate without a license.
You will most likely ask: "And who governs the well-known checkbox 'I agree to the processing of my personal data'?" That clause is governed by Federal Law No. 152-FZ "On Personal Data". From the law's point of view, data collection may be carried out by state bodies, legal entities and even private individuals. In other words, it applies to everyone: to the beauty salon from the example above and to a mobile operator from the big three alike. What they have in common is that, when collecting and processing data, they must follow these principles:
- Unambiguous consent of the client to data processing (a checkbox next to the notice about data collection, or a signature on a supplementary agreement or contract),
- A transparent and understandable purpose for the collection (for example, you collect customer data so that you can contact them when necessary). Handing the data to advertising agencies without the client's explicit consent already violates this principle,
- Measures in place to protect the data from unauthorized access (database protection, restricted employee access, internal regulations with sanctions and liability),
- Exclusion from collection of data on religion, race, health, intimate life, and of information that is confidential or constitutes a state secret,
- The practical ability, at the client's request, to stop processing and delete the data collected about them.
As you can see, the law here is quite accommodating to business and recognizes that practically everyone collects data, even the hairdresser where you leave your phone number. The law does not put up obstacles; it merely lays down the principles of purpose-bound data processing so that the client's phone number does not end up in the hands of advertisers.
If you work with passports (scans, for example) or collect other documents that are not confidential information as such but are clearly excessive when registering, say, in an online store, you should consider registering as a personal data operator. You become a personal data operator by a notification procedure. That answers the question "Who is a personal data operator?"
Thus, in most cases an internal personal data processing policy is enough to start your business, and if you provide communication services, Roskomnadzor licenses will suffice.
Remember, though, that both your data-processing partner and you, even though you do not process the data on your side, must follow the principles above and hold the license.
Now imagine that you plan to work with confidential information (CI). For example, you will cooperate with legal entities that collect and store confidential information, perhaps with government agencies, or you are such an entity yourself.
In that situation you must have the appropriate qualifications, resources, experience and a license to work with CI.
Work with confidential information is regulated by the Federal Service for Technical and Export Control (FSTEC) and the Federal Security Service (FSB).
As a rule, a license for the technical protection of confidential information (TZKI) is sufficient (if you do not develop protection tools yourself). It is issued by FSTEC.
What does the license involve and how do you get it?
To be eligible to apply for it, you must meet the following requirements:
- Technical means, information systems and the premises where information is processed (including meeting rooms) must be equipped with means of protection against information leakage via technical channels,
- Access to the information must be under constant control, ruling out any unauthorized access to it,
- The operator's staff must include at least two employees holding a diploma confirming their qualification to work with confidential information,
- All objects involved in processing confidential information (employees, computers, software, premises) must be certified.
In addition to these requirements, the organization must have a set of regulatory documents (for internal use only). You will also be required to confirm ownership (or lease) of the premises that will be certified for work with confidential information.
From the moment all documents are submitted for an already certified room, obtaining the license can take up to six months.
All of this takes a lot of time and money, but without it you cannot obtain the right to work with confidential information.
As for the premises and the staff, there are few open questions.
What is interesting, and potentially difficult, is the protection of the information systems and, more broadly, of all the software housed in a secure room under the control of certified employees.
As we noted in the previous article, most operating systems in demand on the market from the Windows family are certified. For example, Windows Server 2012 R2 Datacenter, which we offer our clients on virtual servers, has certificate No. 3367. Many Linux operating systems are FSTEC-certified as well. The same question does not arise for office applications. The full list of software is here:
fstec.ru/component/attachments/download/489
It would seem the software question is settled. But it is not that simple.
Imagine you have a serious server, whether rented or your own. On it you create dedicated virtual servers for your employees, that is, you use some virtualization tool, as is common in accounting and in the analytical departments of large companies.
Here you need to know that a certified OS on the physical server does not automatically certify all the virtual servers: they are created by the hypervisor, and the hypervisor is the weak link in data protection.
Looking through the FSTEC list you will see that hypervisors are not among the certified software, which means you have to take care of protecting them yourself. Here installing vGate protection for Hyper-V will help. It is not cheap, however: vGate costs from 100,000 rubles per physical server.
And that is without counting the cost of the special server-protection software the company is obliged to install when certifying its technical means.
So if you need an FSTEC license, be prepared for significant time and material costs.
At the same time, as your enterprise grows you will find it possible and necessary to split both the company's internal development directions and its customers according to one principle: whether internal policies and Roskomnadzor licenses suffice, or an FSTEC license is required. Naturally, the two classes of customers will be priced differently.
A more detailed description of the procedure for obtaining an FSTEC license can be found in this very thorough guide:
bis-expert.ru/sites/default/files/miscellaneous/practic_licenc_fstec.pdf
To close, let me remind you that dividing clients into "FSTEC" and "non-FSTEC" should not make you relax about the "non-FSTEC" clients. From the moment you provided a communication service and started collecting data, you fall under Roskomnadzor regulation and Federal Law 152-FZ. The standard of care when working with data should therefore be equally high for all customers.