Greetings.
In the wake of recent changes to personal data legislation (above all the introduction of mandatory "localization of personal data" and the increase in administrative fines), the media space has once again filled with stories that describe, in painstaking detail, the coming Roskomnadzor (RKN) inspections. An RKN inspection can indeed be a rather entertaining quest; however, the difficulty of the associated work is often greatly exaggerated. On the other hand, the content of inspections changes over time, which calls for constant monitoring of current inspection practice.
In 2017 I had the pleasure of taking part in RKN inspections in several regions (including Moscow and St. Petersburg). In that connection I would like to share a few practical observations that may help members of the community in their work. For many, this information will be nothing new, but it may be useful to someone.
(1) Do not expect the inspectors to send you a specific list of the documents you must submit for inspection. "Copies of documents confirming the application of legal, organizational and technical measures to ensure the security of PD" is a quote from a real list of documents requested by the RKN during one of the inspections. The level of specificity, as you can see, is impressive.
(2) Bear in mind that the outcome on any particular question depends a great deal on how confidently and thoroughly the operator defends its position. Practice shows that on many questions the inspectors do not have an unambiguous, reasoned position of their own.
Particularly interesting discussions arise over what information counts as personal data (PD) and over which party should be regarded as processing PD on the operator's instructions. Fortunately, the ornate wording the RKN itself uses in its scientific and practical commentary leaves a considerable amount of room for maneuver.
(3) Different officials interpret the same terms used in the law quite differently. For example, one inspector may treat file storage on a network drive as a personal data information system (ISPDn), while another will not agree with that view. Accordingly, success in defending a particular position in one region does not guarantee you the same result in another.
By and large, this is just one consequence of the RKN's lack of a centralized position on a number of fundamental questions. Consequently, experience from past inspections should not be overrated.
(4) It is no secret that the RKN does not check whether operators comply with the technical requirements of the regulations. In most cases the inspection is limited to studying organizational and legal documents, examining the places where documents containing PD are stored and, occasionally, looking directly at the information systems.
At the same time, some degree of immersion in technical matters by the inspectors does occur. In particular, some regional offices request from operators copies of the threat models they have developed for their ISPDn. Since modeling of PD security threats is explicitly mentioned in the Federal Law "On Personal Data", this turn of events is not unexpected.
(5) Passing an inspection successfully depends 10% on advance preparation (drafting documents, training employees) and 90% on what you do immediately before meeting the inspectors.
You can draft the most wonderful documents in the world, but if at the time of the inspection the secretary has on her desk an unknown questionnaire with fields for entering PD (whose existence will be as much of a discovery for you as for the RKN), the probability of success drops sharply. So, if you are responsible for passing the inspection, do not rely on the conscientiousness of colleagues; be sure to personally conduct an audit on the ground.
(6) Get ready to write explanatory statements. There will be a lot of them (on cross-border transfer, on individual ISPDn, on video surveillance, on the protection regime, and much more). No matter how thoroughly the company's internal documents describe the PD processing procedure, the inspectors will ask you to put most of your answers to their questions in writing. If the internal documents (for example, threat models) contain no information flow diagrams, you may be asked to draw those too. Take this into account when planning your time.
The documents that have to be prepared during the inspection itself directly affect its outcome, so it is better to entrust their preparation to the person most competent in PD processing and protection (depending on the situation, this may be a lawyer, an information security specialist or an outside consultant).
(7) As noted above, the RKN obtains some of its information from direct examination of the ISPDn and the premises. This, in turn, means that someone will have to show them those systems and premises. The explanations given by the people involved can also affect the outcome, so you should either (a) route all demonstrations through the most competent person, or (b) hold rehearsals (stress tests) with the staff who will take part in the demonstration. Pay special attention to employees who like to answer questions at excessive length, going into details nobody asked about. Well, you understand me.
(8) Do not expect the inspection report to be handed to you on the inspection's last day. In practice there have been cases where the inspection report was drawn up more than a month after the inspection ended.
Good luck to all.