How to prepare for the ILV verification of personal data: a complete guide

About Us

Good day, Habr! We are the company "Information Center". Our main focus is information security (it’s also information security). In IB we deal with almost everything: auditing, designing protection systems, certification, compliance, pentest, we have our own SOC, we even work with a state secret. Since we are based in Vladivostok, we initially worked more in the Primorsky Territory and in the Far Eastern regions of the country, but recently the geography of our projects has been further expanding the unthinkable at the moment of the founding of the border.

In our first article, we would like to consider such an IS side as compliance (eng. Complience - compliance, compliance). And we will talk about what needs to be done to fully comply with Russian legislation on personal data.

What's new in the law?

On the subject of checks for the protection of personal data, many articles were written and many of them were published before 2015. In order to somehow enter the real realities, first of all it is necessary to analyze what has changed in recent years in the legislation.
')

242-FZ

First, let's recall the notorious 242-FZ. In 2015, he made a lot of noise due to the need to localize the personal data of Russian citizens on the territory of the Russian Federation. Four years later, the only major victims of this law is the social network LinkedIn.

But there was in 242-FZ and the other side, not so widely disseminated in the media.

In the 242-FZ, there were very important changes in the context of the ILV checks on personal data: the activities of Roskomnadzor in protecting the rights of personal data subjects from September 1, 2015 are not covered by federal law No. 294- “On protection of the rights of legal entities and individual entrepreneurs the implementation of state control (supervision) and municipal control ".

What does it mean? For operators of personal data, as you can guess, nothing good. Now, as practice has already shown, the number of scheduled inspections has greatly decreased and the number of unscheduled ones has increased in proportion. This is indicated by the plans of inspections of Roskomnadzor, published at the end of 2015 (and in subsequent years) on the department's website. Planned checks on personal data there - once, twice and miscalculated, unlike previous years.

The main problem of unscheduled inspections is that it is impossible to learn about them with a good temporary supply and, as a result, it is impossible to prepare as best we can. For example, earlier, when the inspection plan was published, everyone could download it and find out if the organization is in it or not. And by surprise, only those few organizations could be caught, the date of verification of which was January-February. The rest had the opportunity to prepare properly, even if until that moment nothing had been done at all in the organization for the protection of personal data. Now it is better, of course, to be ready to check Roskomnadzor for personal data at any time, that is, always keep up-to-date with a set of documentation on the protection of personal data.

13.11 Code of Administrative Offenses

Another important legislative change is the amendment of article 13.11 of the Code on Administrative Offenses of the Russian Federation “Violation of the Law of the Russian Federation in the Field of Personal Data” . These changes completely transformed the punishment for violation of the law in the field of personal data protection. Previously, article 13.11 was not divided into parts, and the maximum fine was provided in the amount of 10 thousand rubles for legal entities. Now there are 7 parts (and expansion is planned), one of which (violation of the rules for processing special categories of personal data) provides for a maximum fine for legal entities - 75,000 rubles. Moreover, if the inspectors identify various violations, the punishments in different parts of the article on the Administrative Code can theoretically take shape. Why "theoretically"? Previously, on the websites of the regional departments of the RKN, in the “News” section, news was constantly published that the regulator conditionally checked 3 organizations for the implementation of personal data legislation, organization No. 1 was fine, organization No. 2 was fined 3,000 rubles, organization No. 3 was fined 5 thousand rubles. It was possible to collect such news in a heap for a year and set up some statistics on fines. Now there is no such news. If someone has data on fines for violation of 152-FZ after the changes in the 13.11 of the Administrative Code of the RF, then you can share such information in the comments.

Here it is worth noting immediately that the original text of the draft law to amend article 13.11 of the Administrative Code of the Russian Federation initially involved more significant amounts of fines, for example, where the maximum fine was eventually set at 75,000 rubles, it was originally planned to punish as much as 300,000 rubles. Solid, but the amount for violation of the GDPR is still far away. But, despite the fact that the amount of fines in the end greatly decreased, unfortunately, some sellers of services for the protection of personal data are still trying to intimidate the figure "300 000". Be carefull.

So, we have seen that the increased likelihood of unscheduled inspections and multiply increased penalties for violating 152-FZ stimulate this to be well prepared to be checked at any time. Let's understand what we need to do for this.

Types of checks

Before we proceed to the immediate steps to prepare for the checks, let's see what types of checks are and how the typical check passes.

In general, checks can be divided into 2 types: documentary and on-site.

Documentary checks

A documentary check most often begins with the fact that a letter from the local administration of the RNN comes to the organization with some kind of requirement. If, for example, your organization did not file a notice about its entry in the register of personal data operators, then you may be reminded that it would be nice to submit this notice. The law requires it. Or justify why your organization can process personal data without notice (152-FZ provides for a number of exceptions). If your organization nevertheless submitted a notification, you may be reminded that from time to time new fields appear in the registry and must also be filled in. For example, you need to specify the location of the data center and whether it is leased or own. And yes, the 1C database on the chief accountant’s computer, as defined by Roskomnadzor, is a data center.


You may also be asked to send by mail copies of documents regulating the protection of personal data in the organization - orders, instructions, threat model and that's it.

So, you received such a letter from Roskomnadzor, what to do?

In fact, it’s easier here to say something that you absolutely shouldn’t do - ignore these letters. Unfortunately, in practice, many do just that. Someone forgets to answer, someone does not know what to write in response and does not respond, but someone hopes that they will be forgotten about them and everything will go down by itself on the brakes. No, do not forget, not in this case.

It may be common practice for some departments to write a letter to the organization for a tick and forget, but not for the RKN. Therefore, it is desirable to respond within the deadline set in the letter, otherwise the organization will be punished under Article 19.7 of the Code on Administrative Offenses of the Russian Federation “Non-submission or late submission of information to the state body”. You can go to the site of your regional office of Roskomnadzor (% of the _region% .rkn.gov.ru) in the "News" section. In 2016, a good half of the news was devoted to bringing legal entities to justice for the very article of the Administrative Code of the Russian Federation. And in each news could figure up to 10-15 organizations. Now there is also such news, but less, this is most likely due to the fact that the RKN itself has become less actively sending out “letters of happiness”.

A fine of 19.7 of the Administrative Code of the RF is small - 3-5 thousand rubles, but here you need to remember that after you pay the fine, you will still have to provide information requested in the initial letter.


If the content of the letter sent to you is incomprehensible, then at the end is usually indicated the executor of the letter and his contact information. You can always call and clarify what the regulator wants from you.

About documentary checks, perhaps, there is nothing to add, let's move on to field trips.

Field checks

From the very name it is already becoming clear that checking at least two or three times will be on your territory. In our experience, we can say that the verification process looks like this:

• inspectors come to the organization, get acquainted with the head, give him a notice of the inspection, make an entry in the journal of inspections of the legal entity by the regulatory authorities (the absence of such a journal, by the way, this is a violation);
• then the representatives of the RKN are asked to provide the documentation that is in the organization for the protection of personal data, then you drag all this mountain of documents - orders, instructions, policies, policies, threat model;
• fluently reviewing the list of documents, inspectors either ask to be given a room for them to study them, or they are asked to provide copies of all the documentation and are removed to their offices to study the information you provide;
• in the process of reviewing the documents, there may be questions about their content or wishes to make any changes to them;
• On one of the inspection days, the representatives of the RKN will surely walk through the cabinets where personal data are processed, inspect PD storage places on paper - cabinets, safes, shelves (here you will probably be hinted at the need to purchase lockable iron cabinets, if PDs are stored somehow ), can also see the information system;
• at the end, the inspectors make an entry in the same audit logbook about the results of the inspection (whether or not any comments have been identified) and submit an act on the results of the inspection.

Here, perhaps, it is worth telling that it is necessary to remember during carrying out exit check.

First, in no case do you need to go with checking for a conflict and in any way impede the conduct of checking (“losing” the key to the cabinet with documents and similar tricks). Yes, the reviewers may also be wrong. A vivid example of such an error associated with excessive enthusiasm for the prohibitions of everything and everything happened here in the Primorye Territory in 2015-2016. The watchman syndrome has not been canceled, and during the inspection process completely unlawful and unreasonable demands may be made. But this does not negate the simple rules of human communication. If you disagree with something, state it calmly, ask for a link to the legislation, which is the reason for the doubtful requirement.

Secondly, it doesn’t matter what claims the reviewers will make during the audit, it’s important only what will be written in the report on the results of the audit. Let me give you a simple example. At one of the checks, the representatives of the ILV stated that it was necessary to separate the personal data systems “Accounting” and “Personnel” and describe them separately in documents, respectively. The requirement is absolutely not supported by law, and the definition of the ISPD of 152-FZ does not prohibit the integration of information systems and describe them as we ourselves want. We can, in a medical institution, document the system with medical data with the same cadrellors, and say that this is one of our ISPDs. The truth is that in this case it must be remembered that it will probably be necessary to protect the cadrobugs by a higher level of personal data protection, which will be determined for the part of the information system with medicine. But here it is completely wrong to separate accounting from personnel and for each system separately to produce mountains of orders, instructions and threat models. So, the main thing in this story is that in the act on the results of the inspection it was written "no violations of the law were revealed." And it crosses out all the verbal illegitimate remarks of inspectors.

Thirdly, it is imperative to instruct all of its employees involved in the processing of any personal data what you can and cannot do and say during the check. For example, you can process PD in accordance with the instructions and rules, but you can not scatter copies of employees' passports on your desktop.

Notification of personal data operator

The first place in the rating of the reasons for issuing orders on violation of the law, according to the results of the checks, is the indication of incomplete or incorrect information in the notification of the operator of personal data on the personal data portal or the absence of such notification. And that means the first thing we need to do is find out if our case of processing personal data falls under cases in which the operator may not give notice to Roskomnadzor. Such exceptions are listed in Section 2 of Article 22 of Federal Law No. 152- “On Personal Data”. We will not list all the items, as there are very exotic ones, but here are the most applicable of them for most organizations:

• the notice can not be submitted if PD are processed only in accordance with the labor legislation;
• the notice can be not given if you process personal data of clients who are a party to the contract with you, and their personal data are not transferred to third parties without the relevant consent of the subject;
• personal data is processed only in non-automated mode (that is, without the use of computer technology).

It is worth noting that there are pitfalls here. For example, now many organizations, especially state ones, are implementing salary projects for transferring blood-earned rubles to employees directly to bank cards. It is very convenient for both employers and employees, and the bank is also profitable. But in the implementation of such a project, anyway, you have to transfer the data of your employees to the bank. And such transfer of personal data to third parties is no longer regulated by labor legislation, which means that the first exception from the list above does not work, therefore, you need to submit a notification about the processing of personal data to Roskomnadzor.

How to check for registry notifications and what to do next

Further, regardless of what result we obtained in the previous step, you need to check whether there is an entry about your organization in the register of personal data operators . Here you can easily find an entry in the registry by name or TIN of the organization.

Then your actions should look something like this.

If an organization is subject to exceptions and there are no notifications - great, it should be so! Do not do anything.

If the organization falls under the exception, but the notification is in the registry. Well, maybe someone a few years ago, for example, at the direction of a retired manager, sent this notice. But it can be fixed. There is a procedure for excluding organizations from the register of PD operators. To do this, simply write a letter to the territorial office of Roskomnadzor with the notification number and a description of the reasons why your organization is not required to be in the register of personal data operators. Then in the same letter, please delete the corresponding entry from the registry. We are waiting for 30 days. We are checking. If the record remains in the register, we call up the Roskomnadzor and clarify whether your letter has been received and processed.

If the organization does not fall under the exceptions, but there are no notifications in the registry - we urgently go to fill in the notification ! Why urgent? Yes, because according to the law, the notification must be completed before the processing of personal data begins, if such processing does not fall under all the same exceptions from Article 22 of Law No. 152- “On Personal Data”. One of the following articles is planned to correctly and correctly fill out a notification from scratch or to pump an existing one.

Well, the last option: the organization does not fall under the exceptions, but there is a notification in the registry. I would like to write here, as in the first case, that nothing needs to be done, but no. Not for nothing, I said above that in addition to the lack of notification as such, one of the frequent reasons for a prescription following an audit and writing out a fine under Article 13.11 of the Administrative Code of the Russian Federation is a discrepancy between the data in the notification of what is actually happening. For example, not all categories of personal data processed are indicated or measures to ensure the safety of personal data are not indicated. There may be many reasons for this discrepancy, but here are two main ones:

• the notification was filled out long ago and many conditions for the processing of personal data have indeed changed in the organization;
• the notification was filled in for a tick without properly analyzing the situation and collecting information.

For such cases, the personal data portal provides a form for making changes to an existing notice.

After filling out the form for making changes (or initial notification), you need to print the resulting document, sign, stamp (if any) and send by analog letter to the territorial office of Roskomnadzor. Only on the basis of a paper letter will an entry be made in the registry or changes will be made to an already existing entry.

Verification documentation

I wanted to leave this solemn moment at the end of the article. But what is already there, since we have already started talking about a set of necessary documentation, then here is a link to our set of templates . The archive has 4 folders and the “Threat Models” template. Here we will only talk about documents from the General and PD folders. “General” are documents that can be applied plus or minus for any information systems, and “PD” is a purely Roskomnadzor part. A full description of the documents in the archive can be viewed on our website .

The article turned out to be quite voluminous, so we will not discuss here from what specific requirements a particular document appeared (or a section of a document). This is a topic for a separate article. Let's go through the general moments.

Composition of documents

So, first of all, a specialist who was commissioned to prepare for the upcoming inspection raises the question of what documents are needed at all. The specialist refers to the legislation and ... He finds practically nothing useful. Well, not exactly nothing at all. Yes, probably, a specialist will stumble upon a resolution of the Government of the Russian Federation of 21.02.2012 No. 211 and say: “Well, you were wrong, here, there is a list of documents!”. Yes there is. Only an expert here is waiting for a kind of trap. If you acquire only documents from this list, the organization will receive a prescription based on the results of the audit, because the list does not cover even a small part of the requirements of the legislation. Plus in the list there are such absurdities as, for example, the need to separately approve the list of ISPDn. Why do this for a separate document, when you can list ISPDn in the "Regulations on the processing and protection of ISPDn" or in the "Information Security Policy" - it is not clear. Finally, Resolution No. 211 applies only to state and municipal bodies; therefore, it is not applicable to the majority of PD operators. And, by the way, in our set of documents on the resolution 211 is not, since most of the issues so taken into account in other documents.

Well, let's see what we have there in the legislation.

The federal law “On Personal Data” directly says only about the need to develop a “Security Threat Model” (although it’s also not quite rightly stated, the law says that it is necessary to identify threats to personal data security) and the publication “Policies for processing personal data.

We may also write more about the development of the Threat Model in a later article.

Everything else is described ambiguously, something like this:

The operator is obliged to take action ... Such measures may, in particular, include:

1) designation by the operator, being a legal entity, responsible for organizing the processing of personal data;

2) the publication by the operator, being a legal entity, of documents defining the operator’s policy regarding the processing of personal data, local acts on the processing of personal data, and local acts establishing procedures aimed at preventing and detecting violations of the legislation of the Russian Federation, eliminating the consequences of such violations ;
...
4) implementation of internal control and (or) audit of the compliance of personal data processing with this Federal Law and the regulatory legal acts adopted in accordance with it, personal data protection requirements, operator policy regarding personal data processing, operator local acts;

And so on. Since there is no direct instruction to issue one or another document, read and understand 152-FZ follows this way: if it is written about the implementation of internal control, then to fulfill this requirement, documents defining the plan, the procedure for such control, as well as certain acts or journals should be developed , which reflect the results of the control. The reviewers are not satisfied with the story that you have fulfilled the requirement of appointing a person responsible for organizing the processing of personal data simply by orally defining such responsibility to one of the employees. Must be a document! In this particular case - the order of the appointment of such a responsible.

If there is a person in charge, then he is entitled to the instruction - for what he is responsible, and what rights and powers he has. Often such an instruction is called “official”, which in our opinion is in most cases not quite correct. After all, “responsible for organizing the processing of personal data” is, as a rule, not a separate position, but only an additional duty, which is assigned to one or another employee.

In general, we need to thoroughly examine the legislation on the protection of personal data, looking for hints of the need for various documents. In this case, you can write one “Regulation on the processing and protection of personal data”, or you can make separately “Regulation on processing ...” and “Regulation on protection ...”. Here, as someone more like it.

Content of documents

Well, with the composition of the documents is clear, but what about the content? And this is even worse. There are rare recommendations of regulators, such as here , but these are rather exceptions. In general, here you can make general recommendations:

• Descriptions of ISPDN, protection systems, PD processing processes and other individual things should be specific, reflecting the real picture of what is happening. If all this is described by too general and abstract phrases, you can get a complaint from the verifier.
• Different lists (subjects of PD, PD) must correspond to reality.
• Documents must be current. If a long-term employee is appointed to be responsible for organizing the processing of personal data, then this is a guaranteed order.
• Logs must be at least minimally filled. At least those magazines for which it is impossible to justify their absolute purity. For example, there is a log of records of appeals of PD subjects. In fact, it is not such a rare situation when no one has ever addressed such requests to the operator. And there is an accounting journal for information security briefings. And now, if this magazine is clean - there may be questions.
• The written consent of the subject to the processing of his personal data must comply with Article 9 of the Law on Personal Data. For example, many people forget to indicate in the consent the legal address of the operator, which is given consent. You also need to remember that consent must be conscious and specific. Previously, many people liked to add the phrase “I give my consent to the transfer of my personal data to third parties”. Now this practice is stopped, it is necessary to specify which PDs will be transmitted, to whom, and for what purpose.
• All employees involved in a particular document should be familiar with this document. For example, all authorized for the processing of personal data must be signed against the order, approving the relevant list.

At the end of the section, I would also like to ask not to be sent to the mailings of various scammers who offer “a certified set of documents for the protection of personal data.” Often, such fraudsters try to impersonate a state organization, and sometimes they do it very likely. By paying them money, at best you get a set of discs with worse quality than those presented here for free.

Conclusion

Let's summarize what we need to do in order to prepare for the verification of the ILV on the implementation of personal data protection legislation and successfully pass it.

1. Analyze the need to submit a notice to the PD operator. Check the availability of the notification, check the correctness of the information in the notification. Make a change to the notification, if necessary.
2. Conduct a detailed inventory of processed personal data, personal data information systems, the legality of processing various personal data, technological processes of personal data processing, etc. We will need this information when developing documents.
3. Assign responsible.
4. Develop a set of documents for the protection of personal data. Documentation must be specified for a specific organization and / or a specific ISPD. Spending time developing documentation on the protection and processing of PD in information systems, do not forget about the regulation of manual PD processing.
5. Publish a policy regarding the processing of personal data on the site (although another type of organization of unhindered access to the document is allowed if you are not a state or municipal authority).
6. Familiarize all involved employees with the developed documentation.
7. Fill out magazines.
8. Instruct your employees that the examiners do not need to talk too much and that you do not need to scatter documents with PD throughout the office.
9. Behave correctly with the verifiers. Express your willingness to correct minor flaws in the verification process.

You may have noticed that there is practically nothing in the article about information security tools, features of technical protection of personal data, cryptographic tools. That's right, these issues are regulated by other bodies - FSTEC of Russia and the FSB of Russia.

And we have a training center! Upcoming courses will take place on May 20 and May 22 on FortiGate products. A complete list of training courses can be found here . Yes, we are in Vladivostok, but we have a lot of experience in organizing field courses.