Preparations for the inspection of Roskomnadzor: a harsh practice for the brave

For the past 13 years, the federal law "On Personal Data" No. 152-FZ has been in force in the Russian legal field.



It would seem that over these years, companies that operate personal data (PD) have been through everything: the realization that PD needs to be protected, the acceptance that even a full name is PD, the inevitability of writing more than twenty organizational and administrative documents, and even a reluctant agreement that a real security system has to be built alongside the paper one.

152-FZ not only raised the awareness of PD operators; the data subjects themselves also began to realize that they own confidential information, and to demand that it be protected effectively.



However, despite daily experience with PD, the most pressing question before an inspection will always be: "What exactly does Roskomnadzor look at?"





Fortunately, we already have an answer, based on extensive practice in preparing for Roskomnadzor inspections: it looks at everything that concerns the organizational protection of PD.

Unfortunately, this means that the process is neither easy nor small-scale, but it has its advantages: such a project is always an excellent opportunity to take an inventory of information flows and systems, which makes business processes more transparent and gives you a chance to optimize them. But that comes later. This article describes what to do when you find your company in the inspection plan.



Preparation for the inspection



By the way, you need to spot your company in the plan as early as possible: to do this, right now you can go to the Roskomnadzor website and find the document "Plan of Activities of the Office of the Federal Service for Supervision in Communications, Information Technologies and Mass Communications in the Central Federal District in 2019". If your legal address is in another federal district (or if 2019 is already in the past when you read this article), substitute the appropriate parameters. If you are not in the plan for the current year, the plan for the coming year will be available around December.



Since preparation for the inspection necessarily includes a follow-up stage of implementing recommendations, the process should be started at least 6 months before the official start date. This will help you avoid a time crunch and, as a consequence, both the heavy distraction of employees from their current tasks (which colleagues will not take kindly to) and the omission of important aspects of the necessary work (which the inspector will not overlook).



Get ready: you will find yourself between two fires, having to create temporary inconvenience for the common good; the bitter pill is sometimes vital, and the main thing is the willingness to take it together. The work associated with the inspection must take place in a friendly atmosphere of cooperation. Your task is not to punish anyone, but to help the company conduct a self-assessment and eliminate violations and shortcomings.



To do this, first of all, convey to the company's management the importance of the event and ask for its active participation. There is a golden rule: speak to the business in the language it understands, the language of money. Well then: the penalties for violating the federal law in question are specified in Articles 137, 140, 272, 274 of the Criminal Code of the Russian Federation and Articles 13.11, 13.12, 13.25, 19.5 of the Administrative Code of the Russian Federation, and Roskomnadzor now issues them for each violation found. If the business is skeptical about losses of a few hundred or a few million rubles, your trump card is a reference to reputational risk: offended employees and customers have full access to the Internet, news sites are ready to seize on any minor leak and inflate it into a sensation, and competitors will gladly help them do so.



But your task is not to frighten the company's management, but to offer it a solution to the problem and enlist its support. At this stage, you need to assess your strengths and understand whether there are employees on staff who can be brought into the project. Note that these employees should be able to devote at least 80% of their working hours to the task, i.e. not prepare the entire company for the inspection in parallel with HR / accounting / legal duties, but devote almost all of their time to it. And here we come to an important condition for successful preparation: a dedicated employee on staff who is responsible for the processing and protection of personal data and who is part of the information security division. This is the most effective model for managing the process, and in our opinion, saving money here is a false economy.



There are two options for implementing this model: hire such an employee on staff, or (better still, at the same time) engage an external organization that specializes in preparing for and supporting Roskomnadzor inspections.



The main criteria for choosing such a company (a system integrator) are completed projects of a similar kind in this area, the ability to present the service and describe in detail the phases of the work and the deliverables of each, and the ability to justify the cost. Expect that quality work will never be indecently cheap and will never be finished surprisingly fast.



A good integrator will surely offer you a full cycle of work: from a willingness to convince the company's management of the need for the project, to support during the audit, to help preparing responses to the orders to eliminate violations issued after it.



Regardless of whether you bring in a third-party organization, the most that top management can do for you, apart from the budget, is to send a company-wide announcement about the start of the work with a request to fully assist the person in charge. It is very important to stress that this is a self-assessment, not an audit meant to identify and punish those responsible. Unfortunately, there have been cases of panic and resistance from employees, up to a refusal to provide badly needed information about a particular process. Remember: a polite request from management, and the awareness of every employee that they are taking part in a common cause for a good purpose, work wonders.



The main stages of work



Now that the green light has been given, let's go through the necessary stages of work.

The most effective way to prepare for an inspection is to try to cover as much as possible: it is not known in advance which specific processes the regulator will look at; everything depends on the time and human resources allocated by Roskomnadzor.



Before the inspection begins, the company will receive an official letter with its dates and plan. Conventionally, the process can be divided into two parts: requesting and examining documentation (the twenty-plus organizational and administrative documents mentioned at the beginning) and face-to-face interviews with the people who actually perform the work. The inspector has no interest in sitting in a meeting room talking to department heads; conversations almost always take place at employees' workplaces. The inspector has the right to ask to see systems / folders / mail, and also to look for something on a work computer. You do not need to grant them access to the company's network, but they may well take screenshots of various processes.



They will definitely check the processes typical of all companies: access control ("who handles visitors and how?"), recruitment for vacant positions ("how long are applicants' resumes kept?"), HR records ("on what basis do you keep employees' PD?"), accounting ("on what basis are PD transferred to the bank and the insurer?"), interaction with counterparties ("are they given processing instructions? is the data transmission channel protected? is the protection of the transmitted information monitored?"), and storage and handover of documents to the archive ("is this an archive in the legal sense?").

If your main activity is the provision of services, the field for inspection is even wider: customer acquisition, contracting, service delivery, termination of the relationship, advertising.



Among the less typical checks: they can look at the company's website ("do you have a policy for processing and protecting PD? a notice about cookies and analytics counters?"), mobile applications ("who holds the databases?"), visit the front office as a mystery shopper, check how the call center works, request the threat model, and even ask about the process for ordering business cards.



How to start the preparation? We propose acting the same way the inspector does (an excellent rehearsal before the real inspection), with the only difference that all the staff are ready to help you and will tell everything as it is, flaws included. This is exactly why top management involvement and an advance explanation of the reasons for the sudden internal audit are so important.



To begin with, carefully study the company's organizational structure (and, if available, the list of ISPDn, the personal data information systems), single out the typical PD processing processes without hesitation, consider where else they might exist beyond these areas, and schedule interviews. From experience: IT and information security units are best left for later, when you already have a picture of all the PD processing processes. Find all the documents on the processing and protection of personal data that exist in the company.



Each interview should take 30 to 60 minutes: in that time you can gather all the necessary information without pulling your interviewee away from their work for long. Interviews are a great chance to find out what your colleagues lack to work more comfortably: very often we hear complaints about the absence of shredders or lockable cabinets, as well as the absence of written mandatory procedures for collecting and protecting personal data. Later, this will help you defend the budget for building or upgrading the protection system.



Be sure to take minutes of the interview during the conversation and agree them with your interlocutor afterwards. Record in them every document discussed during the conversation that may contain PD or imply receiving / sending them; later you will need to request and analyze those documents.

Thus, at the end of the examination stage, you should have:





Finally



The most interesting part remains: drawing up the survey report, which must include all the interview minutes and the analysis of each document and each process. And the result of your work: a list of the violations found and recommendations for eliminating them, with deadlines and responsible persons.



That's it: now you can breathe a sigh of relief and ... immediately proceed to implementing those recommendations.



Will the work done guarantee a perfect inspection? No one can promise that it will pass without a single remark (in any case, no conscientious, experienced specialist will), but you can very much influence how few such remarks there are and how painless their elimination is within the allotted time (now quite generous, 3-6 months).



After the inspection, be sure to think about the technical aspects of PD protection, maintain the implemented procedures and documents, and train employees; next time will definitely be a little easier.

Source: https://habr.com/ru/post/442206/