
On the protection of personal data in the Russian and European markets

Since July 1, the latest amendments to the Russian legislation on personal data came into force. They dictate new rules for the processing and storage of personal information of users. Recent changes are on a par with a series of additional requirements for data operators. This article talks about new realities and optimal solutions for working with personal information in Russia and Europe.


/ photo by Thomas Leuthard CC

Personal data in European practice


As a legal institution, personal data protection is relatively young internationally. The general provisions on privacy took shape by the 1980s. They rest on the principles of the 1948 Universal Declaration of Human Rights. The basic provisions on the processing of personal data were published in 1981 in the form of a Council of Europe Convention. Russia ratified this treaty in 2005.
Since the adoption of the Convention in its original form, a number of participating countries have taken measures to tighten their local data processing rules. This was mainly due to the emergence of new technologies that created new challenges for confidentiality. Another reason is the growth of cyber fraud involving personal data, a type of crime also known as identity theft. Long before the era of big data, it was used to obtain drugs and bank loans with forged documents.

With the growth in the amount of personal information transmitted online, identity theft has become the main tool of cybercriminals. According to a study by Javelin Strategy & Research, the total damage from online fraud using personal data in 2016 was the highest on record: $16 billion, compared with $15 billion a year earlier.

In 2013, the UK fraud prevention service CIFAS reported an increase of more than 50 percent in the number of cases of unlawful use of individuals' information. At the same time, the European Parliament tightened the law on the protection of personal data. This became the basis for developing the General Data Protection Regulation (GDPR), which had been proposed a year earlier.

GDPR emerged in the context of a rapidly growing digital economy. It became obvious that the data acquired a special value. On the issue of the mobility of personal information, the physical boundaries between states have ceased to be an obstacle, and the various directives in each of the European countries only gave rise to contradictions and difficulties. In 2012, the European Commission realized the need for a comprehensive reform of the 1995 EU Data Protection Directive.

Technological advances and globalization have fundamentally changed the way data is collected, used and stored. In 2014, the European Parliament showed strong support for the GDPR: 621 votes in favor and 10 against during the plenary session. On January 28, 2016, the 47 countries of the Council of Europe, together with European institutions, agencies and departments, celebrated the 10th annual European Data Protection Day, and four months later the regulation was finally approved. It is to enter into force on May 25, 2018.

European lawmakers aim to create a single legal framework that applies to all EU member states. The GDPR aims at minimizing the data collected and processed and at building privacy into the design of systems. The regulation is intended to increase legal certainty and reduce the administrative burden and compliance costs for organizations that operate on data. In practice, it tightens the conditions of doing business for every company that handles the personal data of EU citizens.

The definition of the central concept, "identifying information", was amended. Under the GDPR, if a person can theoretically be identified in some way, the data is personal. In other words, European companies that store and process data will now have to watch their actions carefully: a person can be identified not only from obvious information such as a full name.

/ photo Blue Coat Photos CC

The GDPR also tightens sanctions for violators. Fines can reach up to 4% of the company's annual turnover or an amount of 20 million euros.

Under the GDPR, processors of personal data will have to meet a number of specific obligations, including keeping records, applying appropriate security standards, appointing data protection officers, complying with the rules on international data transfers, and cooperating with national supervisory authorities. Processors will be directly liable for compliance with these rules. The antivirus vendor ESET concludes that the new requirements are likely to raise the cost of data processing services.

The GDPR has other burdensome aspects: the obligation to notify the regulator (the national data protection authority) of personal data breaches within 72 hours, the need to encrypt data and to segment where it is distributed, respect for the natural person's right to be forgotten, and the right to request one's data.

Companies and government agencies working with the personal data of European citizens have less than a year left to prepare for all the changes. The German research company Bitkom Research found that as of June 2017, 20% of the two hundred IT companies surveyed had not started preparing to implement the regulation's requirements, and only one in three enterprises had taken the first preparatory steps.

In the meantime, large companies have already taken strategic steps. A coalition of cloud computing leaders serving millions of European customers was formed and named CISPE (Cloud Infrastructure Services Providers in Europe). Companies such as IBM, Alibaba Cloud, Amazon Web Services and Microsoft Cloud joined the coalition. Together they absorb the flow of enterprises hurrying to move their IT infrastructure to the cloud.

Preparing independently for all the requirements of the GDPR is very costly. According to a study by Veritas Technologies, companies on average forecast costs of more than $1.4 million. The cost increase and the associated migration primarily concern data processing. For businesses whose activities include collecting personal data, it is now important to find a reliable cloud provider and to make sure that the hosting provider can deliver the necessary level of security, keep incident logs and meet the other requirements of the GDPR.

Personal data in Russia


In Russia, the IT infrastructure of enterprises is currently migrating to the cloud as well. As in the European countries, the driving force is legislation, specifically Federal Law 152-FZ "On Personal Data". The law requires that the data of Russian citizens be stored and processed within the country. The new requirements apply to all companies registered in Russia, to foreign companies with representative offices and branches in Russia, and to other foreign companies whose activities are connected with Russia and involve the personal data of Russian citizens.

In the Russian interpretation, personal information is any information that makes it possible to identify a person, including an email address containing a name and company name, a bank card number, or a mobile phone number. The loudest precedent since the law "On Personal Data" came into force was the lawsuit against the American social network LinkedIn, which ended with the service being blocked on the territory of the Russian Federation in 2016.

/ photo Wikimedia Commons CC

As for the GDPR's treatment of transfers of EU citizens' personal data outside the European Economic Area, such transfers are possible, but only on the basis of a decision of the European Commission. Factors such as the rule of law, the protection of human rights and fundamental freedoms, the access of state bodies to the transferred data and other legal aspects are taken into account.

21 EU countries currently have laws requiring companies to store certain types of data (primarily personal data) locally. The CISPE code of conduct is essentially aimed at keeping European data within Europe, yet the move of IT companies in Europe to the cloud is still driven by the requirements placed on data processors. In Russia, the same trend stems from the requirement to handle personal data within the country: the data may be processed abroad, but it must be collected and stored within the country. Responsibility for meeting this requirement lies with the data operators.

Foreign enterprises that use the data of Russian users in their work are replacing physical infrastructure with virtual storage in order to meet the requirements of the legislation. According to experts, by 2016 the Russian cloud market had grown several-fold within two years and reached 88 billion rubles.

Experts offer foreign companies several options for organizing work with the personal data of Russian users. The first is to move the database to a physical or virtual server in Russia. Another method involves the initial entry of information into a database located outside Russia; in that case a copy of the database must be available on the territory of the Russian Federation, with real-time synchronization set up between the servers. The requirements of the law are met by the primary collection and storage of data on a server in Russia, with optional synchronization to headquarters abroad.
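The placement rules described in this section and in the paragraph on transfers outside the EEA can be turned into a concrete check at the point where records are written. The following is an added example, not code from the original post or from any provider mentioned in it. It models a store of record plus replicas fed from a replication log, and rejects a write before any data is stored if the layout violates the regime that applies to the data subject: for Russian subjects the primary store must be in Russia (processing copies abroad are allowed, as the article states); for EU subjects every location must be inside the EEA or in a region covered by an adequacy decision. The region labels, the policy tables and the sample records are constructed assumptions. The erase operation shows why replication matters for the right to be forgotten: an audit flags a subject that has been erased from the primary but is still held by a replica that has not yet synchronized.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Region labels and the policy tables below are constructed assumptions for
# this example; a real deployment takes them from its own legal review.
RU_REGIONS = {"ru-central"}                 # inside the Russian Federation
EEA_REGIONS = {"eu-west", "eu-central"}     # inside the European Economic Area
ADEQUACY_REGIONS = {"ch"}                   # assumed third countries with an adequacy decision


class ResidencyViolation(Exception):
    """Raised when a write would place data where the applicable regime forbids it."""


def check_placement(jurisdiction: str, primary: str, replicas: List[str]) -> List[str]:
    """Return residency problems for a store layout (an empty list means allowed).

    RU: collection and storage happen in Russia, processing copies may exist
        abroad, so only the primary store is pinned to a Russian region.
    EU: every location holding the data must be inside the EEA or covered by
        an adequacy decision, because transfer outside the EEA needs one.
    """
    problems = []
    if jurisdiction == "RU":
        if primary not in RU_REGIONS:
            problems.append(f"FZ-152: primary store must be in Russia, not {primary}")
    elif jurisdiction == "EU":
        for region in [primary, *replicas]:
            if region not in EEA_REGIONS and region not in ADEQUACY_REGIONS:
                problems.append(f"GDPR: transfer to {region} requires an adequacy decision")
    else:
        problems.append(f"no residency rule known for jurisdiction {jurisdiction!r}")
    return problems


@dataclass
class RegionStore:
    region: str
    rows: Dict[str, dict] = field(default_factory=dict)


class ResidencyStore:
    """A primary store of record plus replicas fed from a replication log."""

    def __init__(self, primary: RegionStore, replicas: List[RegionStore]):
        self.primary = primary
        self.replicas = replicas
        self.pending: List[Tuple[str, str, dict]] = []   # (op, subject_id, payload)

    def _replica_regions(self) -> List[str]:
        return [r.region for r in self.replicas]

    def write(self, jurisdiction: str, subject_id: str, payload: dict) -> None:
        """Policy check first; the record never reaches any store if it fails."""
        problems = check_placement(jurisdiction, self.primary.region, self._replica_regions())
        if problems:
            raise ResidencyViolation("; ".join(problems))
        row = {"jurisdiction": jurisdiction, **payload}
        self.primary.rows[subject_id] = row
        self.pending.append(("put", subject_id, dict(row)))

    def erase(self, subject_id: str) -> None:
        """Right-to-be-forgotten request: remove from the primary, queue removal for every replica."""
        self.primary.rows.pop(subject_id, None)
        self.pending.append(("delete", subject_id, {}))

    def sync(self) -> int:
        """Apply the replication log to all replicas; returns the number of operations applied."""
        applied = 0
        for op, subject_id, payload in self.pending:
            for replica in self.replicas:
                if op == "put":
                    replica.rows[subject_id] = dict(payload)
                else:
                    replica.rows.pop(subject_id, None)
            applied += 1
        self.pending.clear()
        return applied

    def audit(self) -> List[str]:
        """Re-check the placement of everything stored and catch erasures that have not propagated."""
        issues = []
        for subject_id, row in self.primary.rows.items():
            for problem in check_placement(row["jurisdiction"], self.primary.region, self._replica_regions()):
                issues.append(f"{subject_id}: {problem}")
        for replica in self.replicas:
            for subject_id in replica.rows:
                if subject_id not in self.primary.rows:
                    issues.append(f"{subject_id}: erased from primary but still held in replica {replica.region}")
        return issues


if __name__ == "__main__":
    # Constructed sample: Russian subjects collected in Russia, a processing copy in the EU.
    store = ResidencyStore(RegionStore("ru-central"), [RegionStore("eu-west")])
    store.write("RU", "subject-1", {"email": "s1@example.org"})
    print("operations replicated:", store.sync())
    store.erase("subject-1")
    print("audit before sync:", store.audit())
    store.sync()
    print("audit after sync:", store.audit())
```

The check runs before the write rather than in a periodic audit only, because a record that has already landed in a disallowed region is itself the violation; the audit exists to catch drift (a replica added later, an erasure that never propagated), not to replace the gate.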

Another option is a personal data hosting service, which the cloud solutions provider IT-GRAD also offers. The solution provides general security measures for storing information and meets the additional requirements dictated by the law. The supplier guarantees compliance with all by-laws and provides already certified equipment that conforms to the provisions of the Federal Law.

At the same time, the "PDN hosting" (personal data hosting) service can be useful not only to foreign companies but also to Russian businesses of every size, from small companies that host online stores or marketing research systems in the provider's cloud to large corporations that, when processing and storing personal data, must not only comply with the law but also ensure an adequate level of reliability.

Companies using cloud hosting services receive a number of benefits: secure hosting on certified hardware from established manufacturers (NetApp, Cisco, IBM, etc.), as well as the use of a software and hardware encryption system. This simplifies bringing the infrastructure into compliance with the requirements of 152-FZ, which in turn reduces legal risk.

P.S. A few more materials on the topic from the First Corporate IaaS blog:

Source: https://habr.com/ru/post/332396/
