Business is not ready to protect personal data
Posted: Sun Jan 26, 2025 6:42 am
On March 1, Federal Law 266-FZ, which introduces a number of changes to the legislation on the protection of personal data of Russian residents, comes into full force. In total, Federal Law 266-FZ contains about two dozen innovations, two of which - notification of regulators about the cross-border transfer of personal data and a ban on the transfer of real estate data from the state register to third parties - come into force on March 1, 2023.
Read also
Personal data of Russians brazil mobile number database will receive additional protection
The amendments will strengthen the protection of citizens' personal data. This includes passport data, information about real estate, flights, as well as data that allows identifying military personnel and law enforcement officers
"On March 1, 2023, RKN Order No. 178 comes into force, which contains a specific methodology for assessing the harm to the subject in the event of a leak of personal data, their disclosure and other violations in this area. Previously, this was not in the legislation. In addition, another important innovation was the requirement to control the destruction of personal data through a notification to Roskomnadzor with an unloading from the event log of the information system. Another part of the restrictions will affect companies working with cross-border data transfer. There are more requirements, but the interaction of the personal data operator with regulators has become transparent and understandable. We estimate that legislative measures in terms of personal data protection in the next year or two will form a clear practice of application. This will allow us to assess how balanced the measures taken are and whether additional changes to the laws are needed. This is all the more important in light of the previously announced turnover fines for personal data leaks," Olga, GR Director of SearchInform, comments on the innovations that come into force today. Minaeva.
The trigger for the changes was a wave of incidents related to high-profile and large-scale data leaks. According to the Kaspersky Lab report "On significant data leaks in Russia", 168 cases of publication of significant databases of Russian companies were recorded in 2022. In total, more than 2 billion records were published. "If the leaks are distributed evenly throughout the year, it turns out that almost every other day the attackers published announcements about confidential user information that was made publicly available," the report says.
At the same time, businesses are not ready to fully comply with the requirements of the updated legislation. As a study conducted by the integrator "Krok" showed, more than 20% of companies at the end of August 2022, on the eve of the entry into force of the bulk of the requirements provided for by 266-FZ, did not plan to bring their systems into compliance with the innovations in the near future. Only 4% of survey participants fully adapted their systems to changes in legislation, and 28% did so partially.
Read also
Personal data of Russians brazil mobile number database will receive additional protection
The amendments will strengthen the protection of citizens' personal data. This includes passport data, information about real estate, flights, as well as data that allows identifying military personnel and law enforcement officers
"On March 1, 2023, RKN Order No. 178 comes into force, which contains a specific methodology for assessing the harm to the subject in the event of a leak of personal data, their disclosure and other violations in this area. Previously, this was not in the legislation. In addition, another important innovation was the requirement to control the destruction of personal data through a notification to Roskomnadzor with an unloading from the event log of the information system. Another part of the restrictions will affect companies working with cross-border data transfer. There are more requirements, but the interaction of the personal data operator with regulators has become transparent and understandable. We estimate that legislative measures in terms of personal data protection in the next year or two will form a clear practice of application. This will allow us to assess how balanced the measures taken are and whether additional changes to the laws are needed. This is all the more important in light of the previously announced turnover fines for personal data leaks," Olga, GR Director of SearchInform, comments on the innovations that come into force today. Minaeva.
The trigger for the changes was a wave of incidents related to high-profile and large-scale data leaks. According to the Kaspersky Lab report "On significant data leaks in Russia", 168 cases of publication of significant databases of Russian companies were recorded in 2022. In total, more than 2 billion records were published. "If the leaks are distributed evenly throughout the year, it turns out that almost every other day the attackers published announcements about confidential user information that was made publicly available," the report says.
At the same time, businesses are not ready to fully comply with the requirements of the updated legislation. As a study conducted by the integrator "Krok" showed, more than 20% of companies at the end of August 2022, on the eve of the entry into force of the bulk of the requirements provided for by 266-FZ, did not plan to bring their systems into compliance with the innovations in the near future. Only 4% of survey participants fully adapted their systems to changes in legislation, and 28% did so partially.