1. Structure and organization of works for ensuring compliance with the requirements of Federal Law “On personal data” (152-FL): what should an operator of personal data do?
I-Teco company, Information Security Department, 2012, www.i-teco.ru
2.
What does a personal data operator expect?
• Compliance with Russian legislation on personal data
• Lack of claims from the regulators
• Lack of claims from the PD subjects
• Capacity to do business and compliance with the requirements for normal operation of the company

What products and services do contractors offer in the field of personal data?
• Survey and a follow-up report on the presence of personal data, with proposals concerning its protection
• Required documents (25 templates), with possible adaptation of them
• Technical protection design
• Implementation of technical and organizational protection means
3.
At the moment the authorized agency for regulation in the field of personal data (appointed in accordance with article 23 of FL “On personal data”) is the Federal Supervision Agency for Information Technologies and Communications (Roscomnadzor).
This federal agency is responsible for control and surveillance of operators’ compliance with the requirements of the federal law “On personal data” when processing personal data.
FSB and FSTEC are responsible for ensuring compliance with the 152-FL requirements for technical protection.
4. Scheduled inspection
Inclusion in the annual plan. Notifying the PD operator no later than 3 working days before an inspection (by registered mail or other means).

Documentation inspection (up to 20 working days):
• Inspection of data in documents supplied by the PD operator
• In case of doubtful veracity of the supplied information, inspectors request additional information from the PD operator, with an attached copy of the order for inspection authenticated by stamp
• Sending to Roscomnadzor the documents specified in the request (as copies without notarial certification) during the next 10 working days
• Exposure of discrepancies, non-conformities, violations: sending a request to the PD operator for written explanations during the next 10 working days
• Signs of violation

Field inspection (up to 20 working days; up to 50 hours for a company of small size; up to 15 hours for a company of very small size):
• Presentment of certificate of employment and bringing to the notice of the PD operator the order or decree concerning the scheduling of the inspection and a description of its purpose
• Making documentation available, providing access to territory, etc.
• Inspection can be carried out only by the executives specified in the order for the inspection
• In exceptional cases, related to the need for complex investigations, the duration of a field inspection can be extended to 20 working days (15 hours for companies of small and very small size)
5.
Resolution of legal issues and compliance risks (this stage is frequently forgotten!):
• Agreement for PD processing correctly written by the PD subject
• Agreement for distributing PD to public access
• Correctly composed notification of Roscomnadzor
• Coordinated phrasing and terms in agreements with third parties and in the PD operator’s related internal documentation
• Other legal issues related to PD processing

Survey of information systems with personal data:
• Recognition of automatic processing
• Recognition of non-automatic processing
• Classification of information systems with personal data
• Preparing project assignments

Development of organizational and technical means for PD security:
• Approving the acts of classification of information systems with personal data, threat identification, development of protection design documentation
• Development and maintaining of the necessary organizational documentation

Implementation of the personal data protection system:
• Installation and configuration of protection software and appliances
• Trial operation of the information security system
• Verification of information systems with personal data (if necessary)
6.
Objective of the works
The goal of the works is conformance to the law of the Russian Federation "On personal data", including resolution of legal issues with data processing, creation of personal data information systems and a protection system which applies a comprehensive set of organizational and technical means to ensure personal data protection while processing personal data in information systems in accordance with Russian law.
Scope of the works
Works are implemented in 4 stages:
1. Gathering and analysis of original data on the current state of information security (IS) in the personal data information system, evaluation of the compliance of IS in the personal data information system with the regulatory requirements of the Russian Federation "On personal data", preparation of a concept for building the personal data protection system (PDPS) in the personal data information system, development of the technical assignment for the PDPS. Resolution of legal issues concerning the processing and transfer of PD;
2. Development of a technical design for creation of the PDPS;
3. Implementation of the necessary organizational and technical protection means in accordance with the developed technical design of the PDPS;
4. Verification of the information system with personal data (if necessary).
7.
• Analysis of used systems and standard data storages
• Allocation of PD processing
• Analysis of gathered data
• Legal prerequisites evaluation for personal data processing (usually they are missing; it is necessary to obtain the agreement in written form; it is also necessary to clarify all possible aspects of obtaining PD without the subject’s consent)
• Resolution of issues of PD transfer
• Resolution of issues with PD open for public access and depersonalized PD
• Resolution of issues related to PD distribution
• Compliance with legal requirements
8.
• Generation of the processed PD list
• Defining the guidelines for PD processing and the duration of its storage
• Approving the list by the CEO
• Defining the limits for storage duration after cancellation of the agreement with an employee/client: defined based on legislative requirements (labor legislation, pension legislation) and the period of limitation
• Development of a Statement of compliance of PD security during its processing in the personal data information system
• Exclusion of unauthorized access (including accidental access) to PD: development of a procedure for granting access defined by working requirements
9.
Implementation of PD system classification:
• Defining the type of information system (standard, specialized)
• Defining the processed categories of PD

Development of internal regulatory documents concerning the confidential data:
• List of PD; PD security threat model; PD protection system description; classification acts of the information system with personal data
• Official letter for personal data protection system usability

Development of a system for controlling PD processing security:
• Internal control system
• State control system
10.
• Gathering and analyzing the information about the information system with personal data
• Development of recommendations for personal data information systems classification
• Resolution of legal issues concerning PD processing and transfer of PD to third parties
Development of acts of classification for personal data information systems and notifications to Roscomnadzor

Development of threat models for each personal data information system:
• Development of project assignments
• Development of technical design and working documentation for protecting personal data in the information system

• Development of a set of regulatory documents which regulate PD protection
• Verification of the personal data protection system
System commissioning and validation of compliance with regulatory requirements