Any company that works with information about people is legally a _personal data controller._ Using a CRM system, sending commercial offers, and hiring employees automatically impose obligations to GDPR.Improper handling of confidential information leads to fines, lawsuits, and damages trust in the business. In 2023, a major data leak occurred at MTS Bank.
Roskomnadzor confirmed the compromise of personal data of _about one million people._ Full names, phone numbers, tax IDs, dates of birth, and some bank card numbers were leaked online. A breach of this scale created serious risks for customers, as the information could be used by attackers for phishing campaigns and fraud schemes.
Which data the law classifies as personal - Publicly available- full name, phone number, email, social media profile. - Biometric - photographs, fingerprints, CCTV footage, genetic information. - Special - information about health status, nationality, religious and political beliefs, and criminal records. - Other- any other information that the company classifies as personal in its internal policies. Important! The law recognizes any information as personal data, including technical identifiers (IP, cookies), if they can be used to identify a specific person.
This is confirmed by case law, including Roskomnadzor decisions.
Who controls personal data protection and how The state strictly monitors compliance with personal data legislation through a system of supervisory authorities: - Roskomnadzor: checks how the company obtains consent, publishes documents, and organizes data processing workflows. - FSTEC:sets requirements for technical information protection and checks compliance, especially for information systems. - FSB: participates in inspections when the issue concerns the use of cryptographic protection - encryption tools information and data security related to national security. - Prosecutor's Office: can initiate an inspection if it receives a complaint from a citizen about a violation of their rights.
Inspections are carried out _on schedule or unscheduled_ - after a customer complaint or an information leak. Inspectors request internal documents: the organization's privacy policy, orders assigning responsibility for processing personal data, information system classification documents, and the threat model. Example of a Mistake: the inspector will issue a fine for the absence of a log of personal data subject requests, because it shows that the business is not complying with the law's requirement to respond to citizen requests in a timely manner.
Which personal data protection documents a company must have To comply with the law, an organization must develop internal documents that Roskomnadzor checks for. - Personal Data Processing Policy - the main document that describes how the controller collects, stores, and uses data. - Order Assigning Responsibility for Personal Data Processing - without this document, it is impossible to hold a specific specialist accountable. - Consent to Process Personal Data- special forms for customers, employees, and partners that comply with legal requirements. - List of Personal Data Processed - the exact list of what information you store and process. - Personal data handling instructions for employees - rules that prevent accidental leaks caused by employees. - Log of personal data subject requests - contains requests from individuals to access, correct, or delete their data. - Classification act for systems that process personal data - sets the protection level of your databases. Example of a Mistake: a network of medical clinics did not update its consent forms for processing patient health data.
During an inspection, Roskomnadzor fined the company _RUB 75,000,_ because the old forms did not include all legal requirements. Fixing it took a month and required resigning documents with thousands of customers.
Discuss your challenge with an architect