And while some are calmly waiting to see what requirements the legislative process will ultimately turn into, others are starting to prepare and conduct an audit of their personal data handling practices, while still others are protecting as they have always protected. At the InfoWatch Academy event with experts from "Kuper" (SberMarket) and MIEM HSE University, we will share methodological developments in personal data protection.
We will analyze what is important to do now, starting with the preparation of regulatory support and up to the specific steps to be taken in building working and legally compliant procedures for personal data protection. We will announce a course on personal data protection developed by the InfoWatch Academy in collaboration with experts and speakers — relevant to everyone who needs to build compliance systems according to the new rules and successfully pass Roskomnadzor inspections.
- We will outline the key steps in building a personal data protection procedure in an organization. Where to start and what to pay attention to.
- We will review the list of internal regulatory legal acts when organizing personal data protection. What documents are needed, for what purpose, and what the regulator will request during an inspection.
- What to do if an incident occurs and how a personal data operator should interact with Roskomnadzor in this regard.
- We will highlight errors in organizing protection and interacting with the regulator.
Today's event is led by Valentina Mironova, head of the personal data protection methodology group at Kuper.
Valentina Mironova proposed discussing aspects of the legislation that currently exist and are in effect. These are aspects related to the key steps in building a personal data protection system. We know that we have Federal Law No. 152 on Personal Data, and there are a number of requirements for protecting the data we process.
We will focus on the practical application of current legislation.
The first step to legally comply with the requirements is to appoint a responsible person in accordance with the requirements of the law. This person is obliged to exercise internal control over compliance with the requirements of legislation in the field of personal data protection. And this specialist must regularly audit all existing data processing processes. They must inform the employees of the company in which they work of all provisions of legislation in the field of personal data protection and their processing. There is another point that the person responsible for organizing processing must do. This is receiving appeals and requests from personal data subjects, as well as authorized bodies.
It should not be forgotten that all three of these responsibilities must be regulated by the company's internal regulatory documents.
The next step that needs to be taken is to audit personal data processing processes. You need to understand what personal data is processed in the company, in which business processes this personal data is involved. We must describe these processes and understand possible inconsistencies with the requirements of the law that currently exist. If there are any inconsistencies, they will certainly need to be addressed. Do not forget that all processes in which personal data is processed must be accounted for and, accordingly, their accounting, maintenance, and updating must be carried out, which means that not only should we audit the process in the second step and forget about it, but the processes should be living, that is, we must constantly audit them for possible changes that have occurred.
The next step, and one of the key ones, is the development of a policy regarding the processing of personal data. We are obliged to determine the purposes of processing, the legal grounds, the rights and obligations of the company as a personal data operator. We also determine the rights and obligations of personal data subjects, list the personal data that we process within the company. We determine the categories of subjects whose personal data is processed. And most importantly, the procedure and conditions for processing the data that we have. That is, what we do with the data, how we process it, and so on. We determine the procedure for destroying this data, additions. That is, everything related to the articles of the federal law. We determine the procedure for responding to requests and the procedure for responding from authorized bodies. And of course, we do not forget about Article 18.1.19 of those requirements for security and measures that we are obliged to fulfill in relation to personal data. We do not forget that the policy on the processing of personal data is aimed at ensuring the legitimate rights and freedoms of personal data subjects.
It should not be forgotten that the development of a policy regarding the processing of personal data should be published in a generally accessible source, to which we must refer.
We must familiarize employees with the policy regarding processing. Another point is related to the development of other provisions. We know that in addition to the policy regarding the processing of personal data, there must be a provision regarding the processing and protection of personal data. The procedure for storing and using employees' personal data must be determined.
Some organizations have, in addition to automated processing, also non-automated processing of personal data, and, of course, the key document that regulates non-automated processing of personal data will be the provision regarding non-automated processing of personal data.
The next step, after we have identified the person responsible for working with personal data, we have developed our policy, we know everything, where, what is happening with us, we are obliged to submit notifications to Roskomnadzor.
Notifications to Roskomnadzor can be sent in two forms, in paper or electronic form. If we are talking about paper form, then on paper with the signature of the general director of the company, we send it to the address of the territorial body. If we are talking about electronic form, we go to the Roskomnadzor website, fill in all the necessary fields and send notifications to Roskomnadzor. It should not be forgotten that after we have sent a notification to Roskomnadzor, there are cases if you have any changes as operators in relation to the processing of personal data, and these changes relate to the notification to Roskomnadzor, we are obliged to make appropriate corrections to the notification. You can also find out about this on the Roskomnadzor website. There is also such a point that in order to check that you are a personal data operator and Roskomnadzor actually received your notification that you sent to it, you can use the register of operators and find your organization.
The next step is, of course, any actions with personal data, well, in addition to those exceptions that are present in Article No. 9 of the federal law, they must be carried out with consent to the processing of personal data. We receive consent from personal data subjects.
And here, it is probably worth paying attention to the fact that the personal data subject decides to provide his personal data and gives consent to their processing according to his will. This is very important. Consent to processing must be specific, substantive, informed, conscious and unambiguous. In addition to who gives consent, to whom consent is given, a list of personal data, we also specify the methods of processing, the purposes for which consent is given, and necessarily the terms.
Of course, it should not be forgotten that there are two forms of consent. This is a simple form of consent and a written form of consent. If we are talking about a strictly established form of consent, then the data that should be in this form is present in Article 9, paragraph 2.
There is consent in a simple form. When, roughly speaking, we go to some site, we set some checkmarks. But here it should not be forgotten that if we receive some consent, then we, as personal data operators, are obliged, if this is necessary in the future, at the request of, for example, an authorized body or at the request of the subject himself, to confirm the fact of receiving such consent, we must take this point into account. Here, the aspect that consent often changes is very important.
We are expanding our scope of activity, expanding the list of personal data. We must re-collect consents. Here I will draw attention to the fact that many systems must store previously obtained consents when collecting consent. This is also very important, because when contacting Roskomnadzor, often in the request, there are questions related to some period, that is, the request is formulated as follows. Confirm the fact that you received consent from such and such a subject for the period, and it remains to add a specific period. We must specifically get this consent from the system and demonstrate it to the authorized body, give an answer that you actually received consent during this period of time, and it was like that. Maybe at the moment it is already different, but at that period it was exactly like that.
It is impossible to process personal data without consent. Well, I mean in those cases when it is necessary. Of course, there are other cases in the law when there is no need to obtain consent.
Let's move on to the next step. Assessment of the possible harm that may be caused to personal data subjects. Very recently, order number 178 was received on the approval of requirements for assessing the harm that may be caused to a personal data object in case of violation of the requirements of the federal law. You are obliged to conduct an inspection and assess the damage. A corresponding document must be drawn up here, this is an act, and it is mandatory. After we have assessed the damage from non-compliance with the requirements of the 152nd federal law, we must move on to information systems for processing personal data.
Let me remind you that under the information system for processing personal data, we understand a set of tools: there must be a database that we process, there must be software tools, technical tools that carry out the processing of personal data. And it is from this paradigm that we proceed.
It is very important to conduct a survey of personal data information systems. We conducted an audit of processes, we know what data, where it runs, why it runs, who is the user of this data, in which systems it is stored, but what are these systems? Of course, the survey of personal data information systems is certainly important because all threats and vulnerability threats come from the fact that we have a system. And the first fundamental step towards the presentation of any personal data protection system is such a sequence. That is, we must know what we will protect. We must know the structure and composition of this information system, physical and logical connections, and other connections between the segments of the information system, between the TKS system itself, perhaps some other systems. That is, we must know, understand and describe the subtleties and nuances of the functioning of the information system.
We must understand the modes of personal data processing, who participates, what users there are, who belongs to privileged and non-privileged, we must calculate the corresponding matrix for each information system, perhaps some other characteristics of the system's functioning, and so on. What personal data is in them, what data centers are used, how to create them.
Objects of protection. And for the information system of personal data, we understand everything under the object of protection. This includes information that is contained in the information system of personal data, and technical means with which we process personal data, and software, and those information technologies that allow us to go into processing.
On February 5, 2021, the Federal Service for Technical and Export Control of Russia approved the "Methodology for Assessing Information Security Threats".
If we return to the document that I mentioned earlier, approved by the Federal Service for Technical and Export Control, it highlights the main ways to determine information security threats.
First of all, we remember that internal intruders are those intruders who are within the perimeter of your company, that is, inside the controlled zone, and external intruders are those who are trying to get to you from the outside. We must assess, conduct an analysis of the vulnerability of the information system, as well as possible ways to implement threats, and, of course, assess the consequences that may occur in case of violation of the properties of information security. I am talking about the three pillars that all "security guards" know. This is confidentiality, integrity and availability.
The threat assessment is carried out by an expert method and often a commission of experts is assembled and a threat assessment is carried out. It should not be forgotten that we have a threat data bank, the FSTEC of Russia. That is, all the tools that are currently used must be used in order to fully understand what threats are possible and what vulnerabilities are possible in the system. This will make it possible to create a more reliable information protection system than if we analyze a smaller number of sources.
Stages of threat assessment. The first stage is the determination of negative consequences that may occur from the implementation of threats. Next, we determine the possible objects of threat impact, and, in fact, assess the possibility of threat implementation and its relevance. As initial data, as I said earlier, use the BDU-stack of Russia in free access.
After we have built a model of threats and intruders, we have identified actual threats, identified those intruders that are relevant to our specific system. Of course, we have already completed part of the work on assessing security. We know what personal data is present in the system, whose personal data, in what quantity.
But why is this step done after building a threat model, it is very important for us to know what type of threats are present in the system. Let me remind you, we have types of threats. The first type of threats is those threats that are associated with unauthorized access in system software. The second type of threats is those threats that are associated with unauthorized access in application software. And the third type of threats, not related to unauthorized access in either system or application software.
The assessment of the security of personal data information systems is carried out on the basis of government decree No. 1119, which was issued in 2012. Here we distinguish the types of information systems, the types of threats, as well as the amount of information, those records about the personal data subject that we have. And in accordance with this, we distinguish 4 levels of security for each information system.
And accordingly, we draw up an act. Here is the type of threats, the category of personal data processing, the number of personal data subjects that are processed. After we have decided what we should protect ourselves from, that is, we have built a model of the threat of an intruder, we now need to understand how we will protect ourselves. To do this, we create a technical task, a project of a personal data protection system, abbreviated as the SZPDn system.
There are three documents that will allow you to create a competent, correct system for protecting personal data in relation to the legislation of the Russian Federation. We have order No. 17, which regulates the requirements for state information systems of personal data. There is order No. 21, which says what organizational and technical requirements must be met in relation to personal data information systems. There is a difference between orders 17 and 21. It is significant, so if we have a relationship with a state information system, there is a nuance here, which will be discussed later.
After we have developed technical specifications and a project of a personal data protection system, we need to purchase protection equipment, install it for configuration. It should not be forgotten that protection equipment must undergo an assessment procedure in accordance with the established procedure.
The same is said in order 21 and in order 17.
The next point is related to the assessment of the effectiveness of the applied protection equipment.
If we are talking about a regular information system, let's call it that - not a state information system, then the assessment of effectiveness can be carried out by the operator independently or with the involvement of persons on a contractual basis. If we attract some organization to conduct an assessment of the effectiveness of the applied protection equipment, then it is mandatory that the colleagues have a license in accordance with the legislation. And the assessment of effectiveness is carried out at least once every three years.
As for state information systems, the story is somewhat different there, for state information systems, the certification of objects is mandatory. After building a protection system, installing and configuring protection systems, they must undergo object certification.
We must constantly, in the process of creating a personal data protection system, draw up a number of VND (internal regulatory documents). And if we create a protection system, it does not mean that we have created a protection system and forgotten about it. There must be constant control and monitoring of what is functioning with us.