What does the Personal Data Law (152-FL) define as personal data?

According to the law, any identifiable information about a person is considered personal data, including name, contact details, gender, and so on. The law applies to both customers and employees. In other words, if you work with people, you are almost certainly subject to the Personal Data Law.

Who is an operator of personal data according to 152-FL?

Операторами персональных данных в рамках 152-ФЗ являются все, кто обрабатывает любую информацию о частных лицах. Достаточно вести кадровый учет, пользоваться CRM или следить за статистикой посещения сайта по счётчикам Яндекса и Google.Чаще всего объектами проверок исполнения ФЗ-152 становятся организации из сфер финансовых услуг, здравоохранения, образования, гостеприимства телекоммуникаций, рекламы, ритейла.В контексте ФЗ-152 системами обработки персональных ланных могут быть бизнес-приложения, почтовые системы, службы каталогов (например, Microsoft Active Directory, Novell eDirectory) и другое широко используемое ПО.

What are the requirements of 152-FL?

Закон требует от работающих в России компаний локализовать базы с данными пользователей, настроить бизнес-процессы, разработать внутренние регламенты и использовать технические решения для защиты персональных данных.В зависимости от того, какие персональные данные обрабатывает оператор, и в каком объеме, закон предъявляет разные требования к уровню защищенности. Эти уровни подробно описаны в п. 8 постановления Правительства РФ № 1119 от 1 ноября 2012 года.

Why are the 152-FL compliance audits necessary?

Для компаний, работающих с большим объемом персональных данных, критичны риски, связанные с несанкционированным доступом, потерей данных и, как следствие, утратой деловой репутации. Недоработки в информационной системе персональных данных, бизнес-процессах и документации, регламентирующей работу с ПДн, могут привести к претензиям со стороны регулирующих органов и повлечь штрафы. Аудит поможет получить наглядную и объективную оценку соответствия 152-ФЗ, определить проблемные зоны и внести необходимые изменения. Документация, разработанная по итогам аудита, и принятые в соответствии с ней меры, обеспечат полную юридическую чистоту обработки персональных данных.

Who is the state regulator in the case of 152-FL?

Roskomnadzor, FSB and FSTEC. Roskomnadzor is allowed to run inspections and decide on sanctions.

What liability is provided for violation of 152-FL?

Нарушения 152-ФЗ могут повлечь за собой все виды ответственности: гражданскую, дисциплинарную, административную и уголовную.Дисциплинарная ответственность по ТК РФ вплоть до компенсации прямого ущерба предусмотрена для лиц, ответственных за обработку персональных данных. ГК РФ позволяет гражданину требовать от организации компенсацию если из-за нарушений правил работы с персональными данными ему был нанесен моральный или имущественный ущерб.В зависимости от состава правонарушения, административная ответственность за нарушение закона о персональных данных составляет до 100 тысяч рублей для физлиц, до 800 тысяч для должностных лиц, до 20 тысяч рублей для ИП и до 18 млн рублей для организаций.Уголовная ответственность за нарушение закона о персональных данных может квалифицироваться по ряду статей, которые предусматривают наказание вплоть до лишения свободы на срок до 4 лет.Нарушение закона о персональных данных может привести к включению организации в реестр нарушителей, сайты которых блокируются операторами связи по требованию Роскомнадзора.Нет. По закону, оператор может поручить работу с персональными данными третьим лицам — обработчикам, но их ответственность ограничена договором с оператором. Оператор определяет цели и порядок обработки персональных данных, поэтому он и несет ответственность перед государством и субъектами персональных данных.

How are the areas of responsibility delimited between the operator and the processor in the context of 152-FL?

При размещении обработки персональных данных в облаке по модели Infrastructure as a Service (IaaS), зоны ответственности оператора и обработчика можно четко разграничить:Обработчик отвечает за аппаратное и программное обеспечение вплоть до уровня гипервизора.Все, что выше — виртуальные машины, установленные на них операционные системы и приложения — это зона ответственности оператора.По умолчанию обработчик сам отвечает за информационную безопасность, но может передать задачи по ее обеспечению обработчику по модели Security as a Service (SaaS). Примером таких сервисов могут быть антивирусная защита, межсетевое экранирование, VPN и т. д.

Main page
»
Video of secure cloud

Secure cloud and audit for compliance with the personal data law (152-FL)

Storage of confidential data in a secure infrastructure and audit of personal data processing systems

secure cloud

key features

our solutions

Fast start

Ready-made architecture for personal data processing system under data protection level 2 to 4 in a matter of 2 hours

cost-effectiveness

Ensure low installation cost and reduced cost of ownership of personal data processing system

high reliability

Cloud platform based on TIER III data center; SLA up to 99.95%

data protection

Control of data access at the virtual and physical level

expertise

Over 20 years in the IT industry, licensed by FSTEC and FSB

documentation

Expert statements and certificates of conformity with the requirements of personal data law (152-FL)

CASES

client:

BEST, money transfer and payments operator

business challenge

The customer faced a technical issue with a persistent BGP session flag with Linxdatacenter hardware. We examined the problem and found out that one of customer’s hosts was under a DDoS attack.

Because of the distributed nature of the attack, traffic couldn’t be filtered effectively, and disconnecting the host from the external network wasn’t an option. The attack stopped after changes in the server configuration, but resumed the day after. A 5.5 Gbps attack overloaded the junctions with internet providers, affecting other Linx Cloud users. To mitigate the effects of the attack, we employed a dedicated DDoS protection service.

Solution

To ensure the continuous availability of resources hosted in Linx Cloud, we rerouted all the customer’s traffic through StormWall Anti-DDoS system. The attack was stopped within half an hour. To prevent future cyberattacks, we organized all connections to the customer’s resources through the StormWall network.

client:

A large international developer of IT solutions for monitoring and logistics of medications.

business challenge

To meet the legal requirements in Russia, the customer needed a virtual server and network environment hosted in a Russian datacenter.

Solution

Linxdatacenter launched two identical instances of the customer’s IT resources in cloud platforms based in Moscow and Saint Petersburg datacenters. Both instances included a development environment and a production environment running on WMware technologies.

To meet the requirements of the Russian personal data law, we used a cryptographic solution provided by a local developer. A connection to AWS was established over an encrypted channel.

solution overview

infrastructure as a service (iaas)

security as a service (secaas)

what you get

secure cloud
152-FL — solution scheme

Cisco, IBM and EMC hardware

Secure cloud 152-FL

Video of secure cloud

personal data law (152-FL) compliance audit

solution for your business goals

your benefits

Identification and mitigation of risks associated with personal data processing

Individual advice and planning for improving your personal data processing system

Improved reliability of customer’s information systems

Regulatory compliance

solution overview

stages

1 interview

In-depth interviews with stakeholders within the company involved in processing personal data

2 Documentation

Audit of documentation on personal data processing and storage

3 technical parameters

Researching the technical aspects of the personal data processing system

4 finding vulnerabilities

Security audit of personal data processing system using software and hardware security scanners. Identification of vulnerabilities in network architecture and hardware configuration

5 recommendations

Recommendations for improvement of personal data processing system and related business processes to minimize the risks associated with the processing and storage of personal data

what you get

A detailed report on the compliance with the requirements of the Personal Data Law of Russia

The list of specific steps to organize the processing of natural resources in accordance with 152-FL and international safety standards

FAQ

Within the framework of the Personal Data Law, anyone processing personal data is considered an “operator”. It’s enough to keep personal records, use a CRM, or track website users with Yandex Metrika or Google Analytics.

Companies working in financial services, healthcare, education, hospitality, telecommunications, advertising, and retail are the most prone to inspections from regulators.

In the context of 152-FL, personal data processing systems are represented by business applications, mail systems, directory services (e.g., Microsoft Active Directory, Novell eDirectory), and other widely used software.

The law requires companies operating in Russia to store and process personal data locally, set up business processes and internal policies, and employ technical solutions to protect it.

Depending on the type of personal data, the law imposes different security requirements, which are described in detail in clause 8 of Decree of the Government of Russia No. 1119 dated November 1, 2012.

Companies that process large amounts of personal data face risks associated with unauthorized access, data loss, and, as a result, significant reputational damage.

Vulnerabilities in information systems and shortcomings in business processes and documentation may lead to claims from the authorities and result in fines.

The audit will provide a clear and independent assessment of 152-FL compliance, help identify problem areas, and propose necessary updates. The documentation provided as a result of the audit, and the measures taken in accordance with it, will ensure the legality of personal data processing in the company.

Violations of the Personal Data Law (152-FL) entail all types of liability: civil, disciplinary, administrative, and criminal.

Under the Labor Code of Russia, the people responsible for the processing of personal data are liable for direct compensation of damages caused by improper management of personal data.

The Civil Code of the Russian Federation allows a citizen to demand compensation from an organization in case of moral or material damage caused by improper management of personal data.

Depending on the set of violations, administrative liability includes fines of up to 100,000 rubles for individuals, up to 800,000 rubles for officials, up to 20,000 rubles for individual entrepreneurs, and up to 18 million rubles for organizations.

Criminal liability for violation of the law on personal data can be qualified under a number of articles that provide for punishment up to imprisonment for up to 4 years.

Roskomnadzor has the right to block the websites of violators of the Personal Data Law.

The operator of personal data may entrust operations with personal data to a third party called a processor. However, the processor’s liability is limited: the operator determines the purposes and the procedures of personal data processing and stays accountable to the state and the personal data subjects.

When personal data is processed in the cloud under the Infrastructure-as-a-Service model (IaaS), the responsibility of the operator and the processor can be clearly distinguished.

The processor is responsible for the hardware and software conformity to the requirement of the law up to hypervisor level.

The operator is responsible for virtual machines, operating systems, and applications installed.

By default, the operator is responsible for information security, but can task the processor to provide the respective services under the Security-as-a-Service model (SECaaS). Such services may include antivirus protection, firewall, VPN, and so on.

Secure cloud and audit for compliance with the personal data law (152-FL)

secure cloud

key features

our solutions

Fast start

cost-effectiveness

high reliability

data protection

expertise

documentation

CASES

solution overview

infrastructure as a service (iaas)

security as a service (secaas)

what you get

secure cloud
152-FL — solution scheme

Secure cloud 152-FL

personal data law (152-FL) compliance audit

solution for your business goals

your benefits

Identification and mitigation of risks associated with personal data processing

Improved reliability of customer’s information systems

solution overview

stages

1 interview

2 Documentation

3 technical parameters

4 finding vulnerabilities

5 recommendations

what you get

FAQ

Get a quote

Licenses and certificates

Subscribe to the newsletter

Contacts

technical support 24/7

Secure cloud and audit for compliance with the personal data law (152-FL)

secure cloud

key features

our solutions

Fast start

cost-effectiveness

high reliability

data protection

expertise

documentation

CASES

solution overview

infrastructure as a service (iaas)

security as a service (secaas)

what you get

secure cloud152-FL — solution scheme

Secure cloud 152-FL

personal data law (152-FL) compliance audit

solution for your business goals

your benefits

Identification and mitigation of risks associated with personal data processing

Improved reliability of customer’s information systems

solution overview

stages

1 interview

2 Documentation

3 technical parameters

4 finding vulnerabilities

5 recommendations

what you get

FAQ

Get a quote

Licenses and certificates

Subscribe to the newsletter

Contacts

technical support 24/7

secure cloud
152-FL — solution scheme