About Us
Good day, Habr! We . Our main focus is information security (infosec). In infosec we do almost everything: auditing, designing security systems, certification, compliance, pentests; we have our own SOC, and we even work with state secrets. Since we are based in Vladivostok, we initially worked mostly in the Primorsky Territory and the Far Eastern regions of the country, but recently the geography of our projects has been pushing boundaries that were unimaginable to us at the time of our founding. In our first article, we would like to consider one aspect of information security: compliance. Specifically, we will talk about what needs to be done to fully comply with Russian legislation on personal data.
What is a unified biometric system
In July 2021, CNews wrote that the Unified Biometric System (EBS) had been launched in Russia. Together with the login and password from the State Services portal, the EBS allows citizens to remotely receive financial services. User identification in the EBS is based on two parameters, voice and face; their simultaneous use makes it possible to identify a living person rather than an imitation of their biometric data in a digital channel.
The creation of the system was initiated by the Central Bank together with the Ministry of Digital Development, the developer and operator of the system is Rostelecom. The driver for its creation was the “Digital Economy” national program, the goal of which is also to increase the availability of digital services for citizens in remote regions and people with limited mobility.
What's new in the legislation?
Many articles have been written on the topic of personal data protection inspections, many of them published before 2015. To bring ourselves up to date with current realities, we first need to analyze what has changed in the legislation in recent years.
242-FZ
First, let's remember the well-known 242-FZ.
In 2015, it caused a lot of noise due to the requirement to localize the personal data of Russian citizens on the territory of the Russian Federation. Four years later, the only major casualty of this law is the social network LinkedIn. But there was another side to 242-FZ, which was not so actively covered in the media.
242-FZ contained very important changes in the context of the personal data inspections carried out by the RKN: from September 1, 2015, the activities of Roskomnadzor in the field of protecting the rights of personal data subjects are not covered by Federal Law No. 294-FZ “On the protection of the rights of legal entities and individual entrepreneurs in the implementation of state control (supervision) and municipal control.”
What does this mean? For personal data operators, as you might guess, nothing good. As practice has already shown, the number of scheduled inspections has decreased greatly and the number of unscheduled ones has increased proportionately. This is also evidenced by Roskomnadzor’s inspection plans, published at the end of 2015 (and in subsequent years) on the agency’s website: there are only one or two scheduled personal data checks, and no more, unlike in previous years.
The main problem with unscheduled inspections is that you cannot find out about them with a good lead time and, as a result, you cannot prepare as best as possible. For example, previously, when an inspection plan was published, everyone could download it and find out whether the organization was included in it or not. And only those few organizations whose inspection date was listed as January-February could be caught by surprise. The rest had the opportunity to prepare normally, even if up to that point the organization had done nothing at all to protect personal data. Now it is better, of course, to be prepared for an inspection by Roskomnadzor on personal data at any time, that is, to always keep an up-to-date set of documentation on the protection of personal data ready.
13.11 Code of Administrative Offenses of the Russian Federation
Another important legislative change is the change to Article 13.11 of the Code of Administrative Offenses of the Russian Federation “Violation of the legislation of the Russian Federation in the field of personal data.”
These changes have completely transformed the punishment for violating legislation in the field of personal data protection. Previously, Article 13.11 was not broken down into parts, and the maximum fine for legal entities was 10 thousand rubles. Now there are 7 parts (and expansion is planned), one of which (violation of the rules for processing special categories of personal data) provides for a maximum fine for legal entities of 75,000 rubles. In addition, if inspectors identify different violations, penalties under different parts of the article can theoretically add up. Why "theoretically"? Previously, the “News” section on the websites of regional RKN departments constantly published items along the lines of: the regulator checked 3 organizations for compliance with personal data legislation, organization No. 1 was fine, organization No. 2 was fined 3 thousand rubles, organization No. 3 was fined 5 thousand rubles. Over a year, such news could be collected and compiled into some statistics on fines. Now there is no such news. If anyone has data on fines for violating 152-FZ after the changes to Article 13.11 of the Code of Administrative Offenses of the Russian Federation, please share it in the comments. It is worth noting right away that the original text of the bill amending Article 13.11 initially included larger fines: for example, where the maximum fine was eventually set at 75,000 rubles, it was originally planned to be as much as 300,000 rubles. Solid, but still far from the amounts for violating the GDPR. Yet despite the fact that the fines were eventually reduced significantly, some sellers of personal data protection services are unfortunately still trying to intimidate customers with the figure “300,000”. Be careful.
So, we are convinced that the increased likelihood of an unscheduled inspection and the many-times-increased fines for violating 152-FZ are a good incentive to be ready for an inspection at any time. Let's figure out what we need to do for this.
How to prepare for a regulator check
If the company has to undergo an audit
Depending on the type of inspection (scheduled, unscheduled), the timing of notifying the company about the upcoming inspection varies. In the case of a scheduled inspection, the company is notified no later than three working days before the start of the inspection; in the case of an unscheduled inspection, no less than twenty-four hours before the start of the inspection. In addition, scheduled inspections are formed on the eve of the planned period, agreed upon with the central office of Roskomnadzor and published on the websites of territorial divisions. Thus, the company can find out in advance whether it is on the inspection list for the next year, and, accordingly, better prepare for inspection activities.
Of course, it is not recommended to start dealing with the legality of personal data processing on the eve of an inspection (after all, the personal data operator must do this constantly), but, as practice shows, in some companies the issues of personal data processing only become relevant immediately before the regulator’s inspection. And there are still companies where such work starts from scratch.
Once the upcoming inspection has become known, the company must first decide how it will prepare for it: independently, or with the involvement of third-party consulting organizations for better implementation of the preparatory activities (it is preferable to involve FSTEC of Russia licensees for the technical protection of confidential information who have the appropriate competencies and significant experience in work related to the processing and protection of personal data). In any case, the company must designate a responsible employee who will perform or supervise such work.
It is also necessary to take into account the time frame that the company has for preparation. In the case of an unscheduled inspection and short preparation time (the company is notified of the inspection at least twenty-four hours before the start of the inspection), the organization is unlikely to have time to complete the full range of work to bring its personal data processing processes and information systems into compliance with the requirements of the legislation of the Russian Federation. If work in the field of personal data processing was carried out earlier, then an unscheduled inspection will not bring any special problems: it will be necessary to provide existing organizational and administrative documents and demonstrate that the processes for processing personal data comply with legal requirements.
In the case of a scheduled inspection, as noted above, you can find out about it in advance from the plans formed by Roskomnadzor and calmly prepare for it, including completing all the work to bring personal data processing processes and information systems into compliance with established requirements.
What Roskomnadzor checks
In order to fully prepare for an inspection by Roskomnadzor, you need to understand what this regulator actually checks. In accordance with the Administrative Regulations, the scope of inspection includes the following:
- documents whose nature suggests or allows the inclusion of personal data;
- personal data information systems;
- activities related to the processing of personal data.
As a rule, on the eve of the inspection, Roskomnadzor sends an order to conduct the inspection which, among other things, lists the documents that the regulator requests during it. Below is an example of such a list of documents that may be requested by Roskomnadzor (the lists may differ depending on the territorial body of Roskomnadzor):
- documents confirming that employees directly involved in the processing of personal data are familiar with the provisions of the legislation on personal data, including requirements for the protection of personal data, documents defining the policy regarding the processing of personal data, local regulations on the processing of personal data, and/or documents confirming the training of these employees;
- documents confirming the location of databases (information systems) of personal data;
- a copy of the document appointing an official or an authorized representative who is obliged to represent the interests of a legal entity or individual entrepreneur during an inspection;
- documents whose nature suggests or allows the inclusion of personal data;
- standard forms of documents and related documents (filling instructions, cards, registers, journals) that suggest or allow the inclusion of personal data;
- documents confirming the destruction by the company of personal data of personal data subjects upon achievement of the purpose of processing;
- local acts of the operator regulating the procedure and conditions for the processing of personal data;
- documents confirming the company’s compliance with instructions to eliminate previously identified violations of the legislation of the Russian Federation in the field of personal data processing;
- written consent of personal data subjects to the processing of their personal data;
- documents confirming compliance with the requirements of the legislation of the Russian Federation when processing special categories and biometric personal data.
Main activities in preparation for the inspection
Bringing the processes of processing personal data and information systems into compliance with the requirements of the legislation of the Russian Federation includes the following main activities:
- Audit of personal data processing processes and information systems. It is necessary to conduct a complete audit of the processing of personal data and determine what, where, to what extent and on what basis is processed in the company.
- Development of organizational and administrative documentation. It is necessary to develop organizational and administrative documents necessary and sufficient to comply with established requirements. In addition, it is necessary to appoint various responsible employees in the field of processing personal data. Separately, it is worth noting the preparation of a notification about the processing of personal data, which the company must submit to Roskomnadzor (the legislation also provides for cases when such notification is not required). This notice is also subject to verification in terms of its compliance with the real state of affairs in the company.
- Creation of a personal data protection system. It is necessary to determine the existing personal data information systems, their level of security and current threats to information security. Based on such information, the company must determine organizational and technical measures for the protection of personal data, which form the basis of the personal data protection system.
- Assessing the effectiveness of measures taken to protect personal data. Upon completion of the work, the company must evaluate the effectiveness of the measures taken to protect personal data. Performance assessment can be carried out by the company independently or with the involvement of legal entities and individual entrepreneurs on a contractual basis, licensed to carry out activities related to the technical protection of confidential information.
- Work with personnel. It is necessary to familiarize your employees with the organizational and administrative documents in the field of personal data processing, inform them about the existing processes for processing personal data, and train them in answering questions from inspectors.
Above we have provided a brief description of the main activities that need to be completed on the eve of the inspection. Of course, each of the listed stages of work includes many other necessary activities that are not discussed in this article.
Even where the company has already completed work on the processing and protection of personal data, we nevertheless recommend revisiting and updating all completed activities according to the plan above.
Most common violations
Information about the violations in the field of personal data processing most frequently identified by Roskomnadzor will also help you prepare for the inspection. The list of such violations reflects what Roskomnadzor looks at and pays attention to.
Roskomnadzor presents information about the most common violations in the field of personal data processing at various conferences; in addition, this information is reflected in various publicly available reports.
Thus, information on the most common violations in 2021 is contained in the Roskomnadzor document “Review of law enforcement practice of control and supervisory activities in 2017,” which can be downloaded on the official website of the regulator.
According to the information provided in this document, in 2021 the regulator identified the following typical violations:
- providing the authorized body with a notification about the processing of personal data containing incomplete or unreliable information;
- violation of confidentiality requirements when processing personal data;
- processing of personal data in cases not provided for by the Federal Law “On Personal Data”.
Types of checks
Before we get into the actual steps to prepare for inspections, let's look at what types of inspections there are and how a typical inspection works.
In general, inspections can be divided into 2 types: documentary and on-site.
Documentary checks
A documentary check most often begins with the organization receiving a letter from the local RKN department containing some requirement. If your organization, for example, did not submit a notification for inclusion in the register of personal data operators, then you may be reminded that it would be a good idea to submit this notification after all (the law requires it), or to justify why your organization can process personal data without notification (152-FZ provides for a number of exceptions). If your organization did submit a notification, then you may be reminded that new fields appear in the register from time to time and they also need to be filled out. For example, you must indicate the location of the data center and whether it is leased or owned. And yes, the 1C database on the chief accountant’s computer is, in the understanding of Roskomnadzor, a data center.
About filling out the notification
Practice shows that many personal data operators have questions about how to correctly fill out certain fields of the notification. We will talk a little about the personal data operator’s notification in this article, but a tutorial on how to fill it out deserves a separate one. You may also be asked to send by mail copies of the documents regulating the protection of personal data in the organization: orders, instructions, threat model, and so on.
So, you received such a letter from Roskomnadzor, what should you do?
In fact, it’s easier to say what you absolutely should not do: ignore these letters. Unfortunately, in practice many people do just that. Some forget to answer, some don’t know what to write in response and don’t answer, and some hope that they will be forgotten about and everything will go away on its own. No, they won’t forget, not in this case.
It may be common practice among some departments to write a letter to an organization “for show” and forget it, but not with the RKN. Therefore, it is advisable to respond within the time period specified in the letter; otherwise the organization will be punished under Article 19.7 of the Code of Administrative Offenses of the Russian Federation “Failure to submit or untimely submission of information to a state body.” You can see this for yourself in the “News” section on the website of your regional department of Roskomnadzor (%region_number%.rkn.gov.ru). In 2021, a good half of the news was devoted to bringing legal entities to justice under that very article of the Code of Administrative Offenses of the Russian Federation, and each news item could feature up to 10-15 organizations. Such news still appears, but less often; this is most likely due to the fact that the RKN itself has become less active in sending out “chain letters”.
The fine under Article 19.7 of the Code of Administrative Offenses of the Russian Federation is small, 3-5 thousand rubles, but you need to remember that after you pay the fine, the information requested in the initial letter will still have to be provided.
Screenshot of the website of the Roskomnadzor Office for the Primorsky Territory, 2016
If something in the letter sent to you is unclear, the executor of the letter and their contact information are usually indicated at the end. You can always call and clarify what the regulator really wants from you.
There’s probably nothing to add about documentary checks; let’s move on to on-site checks.
On-site inspections
From the name itself it is already clear that inspectors will be on your premises at least two or three times. From our experience, the inspection process looks something like this:
- inspectors come to the organization, meet the manager, hand him a notice of inspection, make an entry in the log of inspections of the legal entity by regulatory authorities (the absence of such a log, by the way, is already a violation);
- then the RKN representatives ask to be provided with the documentation available in the organization on the protection of personal data, and you drag out this whole mountain of documents: orders, instructions, regulations, policies, threat model;
- having briefly reviewed the contents of the documents, the inspectors either ask for a room where they can study them, or ask for copies of all documentation and retire to their offices to study the information you provided;
- in the process of studying the documents, questions may arise regarding their content, or wishes to make changes to them;
- on one of the days of the inspection, the RKN representatives will definitely go through the offices where personal data is processed and inspect the places where personal data is stored on paper: cabinets, safes, shelves (here they will probably hint about the need to purchase lockable metal cabinets if personal data is stored some other way); they may also look at the information system;
- at the end, the inspectors make an entry in the same inspection log about the results of the inspection (whether comments were identified or not) and hand over a report on the results of the inspection.
Here, perhaps, it is worth talking about what you need to remember during an on-site inspection.
Firstly, under no circumstances should you get into conflict with the inspectors or interfere with the inspection in any way (“losing” the key to the office with the documents and similar tricks). Yes, inspectors can make mistakes too. A striking example of such a mistake, associated with an excessive enthusiasm for banning anything and everything, happened in our Primorsky Territory in 2015-2016. Nobody has abolished the watchman syndrome, and during the inspection process completely illegal and unreasonable demands may be made. But this does not in any way cancel the simple rules of human communication. If you disagree with something, say so calmly and ask for a reference to the legislation that explains the dubious requirement.
Secondly, it doesn’t matter what claims the inspectors make during the inspection; the only thing that matters is what is written in the report based on its results. Let me give you a simple example: during one of the inspections, the RKN representatives argued that it was necessary to separate the personal data information systems “Accounting” and “Human Resources” and accordingly describe them separately in the documents. The requirement is completely unsupported by law, and the very definition of ISPDn in 152-FZ does not prohibit combining information systems and describing them the way we ourselves want. In a medical institution, we can combine a system with medical data and the same personnel records, and say that we have one ISPDn. True, in this case you need to remember that HR and accounting will probably have to be protected at the higher level of personal data security that is determined for the medical part of the information system. But separating accounting from HR and separately producing mountains of orders, instructions and threat models for each system is not at all correct, even from the point of view of common sense. So, the main thing in this story is that the report following the inspection said “no violations of the law were identified.” And this cancels out all the verbal unlawful comments of the inspectors.
Thirdly, it is imperative to instruct all your employees involved in the processing of any personal data on what can and cannot be done and said during the inspection. For example, you may process personal data in accordance with the instructions and rules, but you may not leave copies of employee passports scattered across your desk.
Features of preparation for an inspection
To successfully pass the inspection, it is recommended to designate an employee who will be responsible for the accuracy of all documents in this area. This is necessary because preparation requires checking the accuracy of a huge amount of documentation, and it is easier to take care of this in advance. However, hiring a dedicated employee is only relevant for large enterprises.
Small companies can use the services of a third-party expert. Let's consider the plan for preparing for the inspection:
- Establishing the presence of a notification about working with PD sent to Roskomnadzor. This notification must be sent before you begin working with the data.
- Checking the compliance of activities with information recorded in the unified register.
- Appointment of a person responsible for working with PD.
- Drawing up a company policy regarding the processing of personal data.
- Preparing employees for the control event. During this process, employees become familiar with the documents relating to data processing and rules of conduct are established.
- Checking the correct storage of documents and limited access to them.
- Checking the security system: availability of locks and safes.
You can use special online services to prepare papers.
Notification to the personal data operator
Based on the results of inspections, first place in the ranking of reasons for which orders are issued for violation of the law goes to incomplete or untrue information in the personal data operator’s notification on the personal data portal, or the absence of such a notification. This means the first thing we need to do is find out whether our case of personal data processing falls under the cases in which the operator may not submit a notification to Roskomnadzor. Such exceptions are listed in Part 2 of Article 22 of Federal Law No. 152-FZ “On Personal Data”. We will not list all of them, since some are very exotic, but here are the ones most applicable to most organizations:
- a notification may not be submitted if personal data is processed only in accordance with labor legislation;
- a notification may not be submitted if you process personal data of clients who are a party to an agreement with you, and their personal data is not transferred to third parties without the appropriate consent of the subject;
- a notification may not be submitted if personal data is processed only in non-automated mode (that is, without the use of computer technology).
It is worth noting that there are pitfalls here too. For example, many organizations, especially government ones, are now implementing salary projects to transfer hard-earned rubles to employees directly to bank cards. This is very convenient for both employers and employees, and it is also beneficial for the bank. But when implementing such a project, no matter how you look at it, you have to transfer your employees’ data to the bank. Such transfer of personal data to third parties is no longer regulated by labor legislation, which means that the first exception from the list above does not apply; therefore, you need to submit a notification about the processing of personal data to Roskomnadzor.
How to check for a notification in the registry and what to do next
Next, regardless of the result obtained at the previous stage, we need to check whether there is an entry about our organization in the register of personal data operators.
In the register, you can easily find an entry by the name or TIN of the organization. Your next steps should look something like this.
If an organization falls under exceptions and there is no notification, great, that’s how it should be! We don't do anything.
If an organization falls under the exceptions, but the notification is in the register: well, perhaps someone several years ago, for example at the direction of a now-retired executive, sent this notification. But this can be fixed. There is a procedure for excluding organizations from the register of PD operators. To do this, you just need to write a letter to the territorial department of Roskomnadzor indicating the notification number and describing the reasons why your organization is not required to be in the register of personal data operators, and in the same letter ask them to remove the corresponding entry from the register. Then we wait 30 days and check. If the entry remains in the register, we call Roskomnadzor and ask whether the letter has been received and processed.
If an organization does not fall under the exceptions, but there is no notification in the register, we urgently go and fill out the notification! Why urgently? Because, according to the law, the notification must be submitted before the processing of personal data begins, if such processing does not fall under the exceptions from Article 22 of Law No. 152-FZ “On Personal Data”. One of the following articles is planned on how to correctly and competently fill out a notification from scratch or upgrade an existing one.
Well, the last option: the organization does not fall under the exceptions, and there is a notification in the register. I would like to write here, as in the first case, that nothing needs to be done, but no. It’s not for nothing that I said above that, in addition to the absence of a notification as such, one of the common reasons for orders based on inspection results and fines under Article 13.11 of the Code of Administrative Offenses of the Russian Federation is a discrepancy between the data in the notification and what is actually happening. For example, not all categories of personal data being processed are indicated, or the measures to ensure the security of personal data are not indicated. There can be many reasons for this discrepancy, but here are the two main ones:
- the notification was filled out a long time ago and many of the conditions for processing personal data have indeed changed in the organization since then;
- the notification was filled out for show without proper analysis of the situation and collection of information.
For such cases, the personal data portal provides a form for making changes to the existing notice.
After filling out the form for making changes (or the initial notification), you must print the resulting document, sign it, stamp it (if you have a stamp) and send it as a paper letter to the territorial department of Roskomnadzor. Only on the basis of a paper letter will an entry be made in the register or changes be made to an existing entry.
Subjects of Roskomnadzor inspections
The basic function of this federal service is to inspect the work of personal data operators. This concerns the personal information of both the client base and company personnel.
The following may be subject to Roskomnadzor inspection:
- government agencies;
- individual entrepreneurs;
- private companies and firms.
They may be of interest to inspectors if they collect and process any information about visitors and clients. Even if an individual entrepreneur has only two employees, sooner or later they will be subject to a systematic inspection.
At an enterprise, personal data refers to information transmitted to management for the full performance of any job functions: not only physical address and the notorious passport data, but also marital status, university, length of service, and so on. On the Internet, personal data refers to information uploaded to the site to receive services.
So, the subject of Roskomnadzor’s inspection is:
- Documentation containing personal information.
- Conditions for storing documents. It does not matter whether the administration chose an electronic or paper format. Both forms are subject to verification.
- Computers. This is where processing systems are most often stored.
- Local orders that would reflect the company’s policy: 1) on the method of storage and 2) on options for processing personal information.
- Official website of the company.
Almost every online resource has a form for entering personal data. But you can fall under administrative sanctions if the site does not contain information about how the company plans to work with the collected information in the future.
There is no unified federal list of documents subject to verification. However, management should be ready to provide a package of documents at any time.
It includes:
- Constituent documents (TIN certificate, extract from the Unified State Register of Legal Entities, Charter);
- An extract from the register of operators, from which the company’s declared purposes for processing data are clear (this is the first thing Roskomnadzor checks).
- A complete list of information necessary for the company to function (for sales, provision of services, etc.).
- List of officials who have access to data.
- Local order on access of officials to data.
- Instructions for officials whose responsibility is to receive and process data. This includes measures that these individuals must take to ensure confidentiality.
- Local act on the liability of officials who allowed disclosure or leakage of data. It must also state the prohibition on unauthorized access to data.
- Local act on trade secrets and personal data collected and stored in computer systems.
- Local act on anonymization of personal data.
- Local act of determining the level of data security.
- Contents of personnel briefings on security requirements (provided together with the briefing log).
- Official forms of a uniform format that employees fill out when they provide personal data. These forms must reflect their consent to the processing of information.
Every enterprise has some kind of storage media. Increasingly, these media are electronic (flash cards or disks). Inspectors have the right to request paper logs or inspect the state of the security level of the local information system.
Documentation for verification
I wanted to leave this solemn moment for the end of the article.
But since we have already moved on to the set of necessary documentation, here is a link to our set of templates. The archive contains 4 folders and a “Threat Models” template. Here we will only discuss the documents from the “General” and “PDn” folders. “General” contains documents that can be used, more or less, for any information system, and “PDn” is the purely Roskomnadzor part. A full description of the documents in the archive can be found on our website. The article is already quite long, so we will not go into which specific requirement each document (or section of a document) stems from. That is a topic for a separate article. Let’s go over the general points.
Composition of documents
So, the first thing the specialist who has been tasked with preparing for the upcoming inspection is faced with is the question of what documents are needed.
The specialist turns to the legislation and... finds practically nothing useful. Well, not quite nothing. The specialist will probably come across Decree of the Government of the Russian Federation No. 211 of March 21, 2012 and say: “You were wrong, here is a list of documents!” Yes, there is one. But there is a trap here. If an organization prepares only the documents from that list, it will receive an order (prescription) based on the results of the inspection, because the list covers only a small part of the legal requirements. In addition, the list contains oddities such as the need to separately approve the list of ISPD (personal data information systems). Why a separate document is needed for this, when the ISPD can simply be listed in the “Regulation on the processing and protection of personal data” or in the “Information Security Policy”, is not clear. And finally, Decree No. 211 applies only to state and municipal bodies, so it is not applicable to the majority of personal data operators. By the way, there are no Decree 211 documents in our set, since most of its points are already covered by other documents. Okay, let’s see what else the legislation gives us.
The federal law “On Personal Data” directly requires only two things: developing a “Security Threat Model” (and even “directly” is a stretch: the law says that threats to the security of personal data must be identified) and publishing a “Policy regarding the processing of personal data”.
We may also write in more detail about the process of developing the Threat Model in one of the following articles.
Everything else is described ambiguously, something like this:
The operator is obliged to take measures... Such measures may, in particular, include:
1) appointment by the operator, who is a legal entity, of a person responsible for organizing the processing of personal data;
2) publication by the operator, who is a legal entity, of documents defining the operator’s policy regarding the processing of personal data, local acts on the processing of personal data, as well as local acts establishing procedures aimed at preventing and identifying violations of the legislation of the Russian Federation and eliminating the consequences of such violations;
...
4) implementation of internal control and (or) audit of the compliance of the processing of personal data with this Federal Law and the regulatory legal acts adopted in accordance with it, the requirements for the protection of personal data, the operator’s policy regarding the processing of personal data, and the local acts of the operator;
And so on.
Since there is no direct instruction to issue this or that document, 152-FZ should be read this way: if it speaks of implementing internal control, then to fulfill that requirement you must develop documents that define the plan and procedure for such control, as well as acts or logs that record the results. The inspectors will not be satisfied with a story that you fulfilled the requirement to appoint a person responsible for organizing the processing of personal data by verbally assigning that responsibility to an employee. There must be a document! In this case, an order appointing the responsible person. If there is a responsible person, there must be instructions for them: what they are responsible for, and what rights and powers they have. Such instructions are often called a “job description”, which in our opinion is usually not quite right. After all, “responsible for organizing the processing of personal data” is, as a rule, not a separate position, but an additional duty assigned to an existing employee.
In general, the legislation on the protection of personal data has to be studied thoroughly, looking for hints that one document or another is needed. You can write a single “Regulation on the processing and protection of personal data”, or you can write separately a “Regulation on the processing...” and a “Regulation on the protection...”. That is purely a matter of taste.
Contents of documents
Okay, the composition of the documents is clear, but what about their content? This is even worse. There are occasional recommendations from the regulators, such as here, but they are the exception. In general, here are some recommendations:
- Descriptions of ISPD, protection systems, technological processes for processing PD and other individual things must be specific, reflecting the real picture of what is happening. If all this is described in too general and abstract phrases, you may receive a complaint from the inspector.
- Various lists (of personal data subjects, personal data themselves) must correspond to reality.
- Documents must be current. If a long-retired employee is listed as responsible for organizing the processing of personal data, an order (prescription) is guaranteed.
- The logs must be at least minimally filled in, at least those for which an absolutely empty log cannot be justified. For example, there is a log of requests from personal data subjects; it is not at all rare that nobody has ever approached the operator with such a request. But there is also a log of information security briefings, and if that log is empty, there will be questions.
- The written consent of the subject to the processing of his personal data must comply with Article 9 of the Law “On Personal Data”. For example, many people forget to indicate in the consent the legal address of the operator to whom consent is given. It must also be remembered that consent must be conscious and specific. Previously, many people liked to add the phrase “I give my consent to the transfer of my personal data to third parties.” Now this practice is being suppressed; it is necessary to indicate which personal data will be transferred, to whom exactly and for what purpose.
- All employees involved in a particular document must be familiar with this document. For example, everyone authorized to process personal data must be familiar with the order approving the relevant list against signature.
At the end of this section, I would also like to ask you not to fall for the mailing lists of various scammers who offer “a certified set of documents for the protection of personal data.” Often such scammers try to impersonate a government organization and sometimes do it very believably. By paying them money, at best you will receive a set of blanks of worse quality than those presented here for free.
What does Roskomnadzor check regarding personal data?
What are they guided by?
The list of main documents containing the legal basis for verification is as follows:
- Federal Law 152-FZ “On Personal Data”,
- Decree of the Government of the Russian Federation of September 15, 2008 N 687 Moscow “On approval of the Regulations on the specifics of processing personal data carried out without the use of automation tools”;
- Decree of the Government of the Russian Federation of November 1, 2012 N 1119 Moscow “On approval of requirements for the protection of personal data during their processing in personal data information systems.”
What are they checking?
They check the conditions for processing personal data, focusing exclusively on the state of organizational measures for protecting information. They do not delve into technical measures, although they will definitely look at every personal data information system in the organization. There is no need to rush to set passwords on all computers on the eve of the inspection; nobody will pay attention to that.
More specifically?
More specifically, it is worth noting that the specifics of inspections are different in different regions. We were convinced of this from the experience of communicating with various institutions, “colleagues in the shop” and directly representatives of the inspection agency. It is impossible to prescribe a single pill for all checks, but it is quite possible to formulate a number of recommendations.
So, the Roskomnadzor database should contain information about the operator of personal data, that is, about you. There are exceptions, but if you are being checked, it means that you are most likely listed in their database. The information must be current.
Your website must comply with legal requirements. That is, if you have a “feedback” section, a “citizen’s appeal” form or similar forms through which you collect any data about individuals, you are required to obtain that person’s consent to the processing of their personal data. There is currently debate about whether ticking a checkbox is a legally significant action, but the inspectors themselves are fairly lenient on this point. In addition, the law obliges the organization to post its “Policy regarding the processing of personal data” on the website. It is advisable to place it where it can be found as easily as possible.
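The two points above (consent via a form must be specific rather than a blanket “transfer to third parties”, and a checkbox alone is of doubtful evidentiary value) can be handled on the server side. The following is an added example written for this article, not code from the authors’ template set or from any regulator: it rejects submissions whose consent is missing or blanket, and writes a record that ties the consent to the exact policy version and consent text, made tamper-evident with an HMAC. The field names, the policy version scheme, the HMAC key and the sample submissions are all assumptions of the example, not requirements taken from the page.

```python
"""Server-side handling of a web-form consent to personal data processing.

Added example, not from the article or its template set. Field names,
the policy-version scheme and the HMAC-based record are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical: the published Policy is identified by a version string and the
# hash of its text, so a record proves which wording the subject agreed to.
POLICY_VERSION = "2019-10-01"
POLICY_SHA256 = hashlib.sha256(b"...policy text as published...").hexdigest()

# Hypothetical secret for making the audit record tamper-evident; in a real
# deployment keep it outside the web application.
AUDIT_KEY = b"example-key-do-not-use"

# Recipients must be named specifically; these phrases mark a blanket consent.
BLANKET_PHRASES = ("third parties", "any", "other organizations")


class ConsentError(ValueError):
    """Raised when a submission cannot be recorded as valid consent."""


def validate_consent(form: Dict) -> List[str]:
    """Return a list of problems; an empty list means the consent is acceptable."""
    problems = []
    if not form.get("consent_given"):
        problems.append("consent checkbox not ticked")
    if form.get("policy_version") != POLICY_VERSION:
        problems.append("consent refers to a different policy version")
    if not form.get("data_items"):
        problems.append("no list of personal data items")
    if not form.get("purposes"):
        problems.append("no purpose stated")
    for t in form.get("transfers", []):
        recipient = t.get("recipient", "").strip().lower()
        if not recipient or any(p in recipient for p in BLANKET_PHRASES):
            problems.append("blanket or missing recipient: %r" % t.get("recipient"))
        if not t.get("purpose"):
            problems.append("no purpose for transfer to %r" % t.get("recipient"))
    return problems


def _mac(record: Dict) -> str:
    payload = json.dumps(record, sort_keys=True, ensure_ascii=False).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def record_consent(form: Dict, now: Optional[datetime] = None) -> Dict:
    """Build the evidentiary record; raise ConsentError if the consent is unacceptable."""
    problems = validate_consent(form)
    if problems:
        raise ConsentError("; ".join(problems))
    now = now or datetime.now(timezone.utc)
    record = {
        "subject_email": form["email"],
        "consented_at": now.isoformat(),
        "policy_version": POLICY_VERSION,
        "policy_sha256": POLICY_SHA256,
        "consent_text": form["consent_text"],
        "data_items": sorted(form["data_items"]),
        "purposes": sorted(form["purposes"]),
        "transfers": form.get("transfers", []),
    }
    record["mac"] = _mac(record)
    return record


def verify_record(record: Dict) -> bool:
    """Check that a stored record was not altered after it was written."""
    body = {k: v for k, v in record.items() if k != "mac"}
    return hmac.compare_digest(_mac(body), record.get("mac", ""))


# Constructed sample submissions (not real data).
GOOD_FORM = {
    "email": "ivanov@example.com",
    "consent_given": True,
    "policy_version": POLICY_VERSION,
    "consent_text": "I consent to the processing of the personal data listed below ...",
    "data_items": ["full name", "e-mail"],
    "purposes": ["answering the feedback request"],
    "transfers": [{"recipient": "OOO Example Courier", "purpose": "delivery"}],
}
BLANKET_FORM = dict(GOOD_FORM, transfers=[{"recipient": "third parties", "purpose": ""}])

if __name__ == "__main__":
    print(json.dumps(record_consent(GOOD_FORM), indent=2, ensure_ascii=False))
    print(validate_consent(BLANKET_FORM))
```

The record is what you would show an inspector who asks what exactly the subject agreed to: it carries the consent text, the policy version and hash, the specific recipients and purposes, and a MAC that detects later edits to the stored record.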
As for the list of documents on the protection of personal data for verification by Roskomnadzor, the following main groups of documents can be distinguished:
- On non-automated processing of personal data. These include a list of storage locations for paper personal data, the persons who have access to them, and a regulation on non-automated processing of personal data;
- On handling requests from personal data subjects. These include a regulation on the procedure for receiving requests and a set of templates for such requests and related documents;
- For the work of the HR department. They include consent to the processing of personal data of employees and a log of familiarization of employees with the provisions for the protection of personal data in the organization;
- To establish the level of security for personal data information systems. They include acts establishing the level of security of personal data information systems and provisions on measures to ensure the adopted levels of security;
- On the appointment of employees responsible for working with personal data. This includes the appointment of a person responsible for organizing the processing of personal data, a person responsible for the controlled area (physical perimeter), a person responsible for information security, and persons responsible for the confidentiality of personal data in each department;
- For protection against unauthorized access. They include provisions on the procedure for eliminating the consequences of unauthorized access, appointing someone responsible for the restoration of data modified or destroyed as a result of unauthorized access to it;
- According to the rules for the destruction of personal data. They include provisions on the destruction of personal data, the appointment of a commission for the destruction of personal data, acts of destruction of tangible media of personal data;
- On restricting access to personal data. Includes lists of employees authorized to process personal data, lists of employees admitted to offices and/or information systems of personal data, provisions on the delimitation of access rights, an access matrix, instructions to users and administrators;
- On working with personal data. The list is voluminous and, in general, contains many instructions, regulations and rules describing the storage and transfer of personal data within the organization.
Of course, we shouldn’t forget about the threat model. The inspectors from the RKN do not look at the document itself, but its presence is important to them. The threat model is the domain of FSTEC, but this is the topic of a completely different article.
What about fines?
There are fines. They are defined by Article 13.11 of the Administrative Code. Unlike the FSB inspection, Roskomnadzor prefers to impose a fine not on an individual, but on a legal entity. It is worth noting that the fines are cumulative. So the amount of punishment may well reach 150,000 rubles.
To avoid such fines, we recommend turning to professionals. At a minimum, for the purpose of conducting a survey of the state of your document system and receiving recommendations for their improvement. This, in any case, will help you better understand the state of affairs regarding the protection of personal data in your organization.
Conclusion
You can easily pass the check if the inspectors don’t have a grudge against you, and you have prepared for their arrival, i.e. collected the necessary documents, made and certified copies, and also trained employees so that they would not say unnecessary things. We will definitely write about how to properly prepare employees for upcoming regulatory inspections in future articles.
And, by tradition, something useful! We have prepared a set of documents that you will need during a Roskomnadzor inspection, or simply if you decide to put in order the organizational and permitting documentation on personal data protection in your company.
You will receive the following document templates:
- Order on approval of the rules for considering requests from personal data subjects;
- Order on the procedure for destroying personal data.