How to prepare for a check from Roskomnadzor on the implementation of the law "On Personal Data"
Anonim

Every company has heard of the law "On Personal Data" (152-FZ), but few have wanted or been able to fulfill its requirements. Today we are sharing a post by Igor Lukanin, head of the service "".


Step 1. Remember what personal data is

This is any information that pertains to a specific person: mobile phone number, salary, political opinion, even photos on social networks and information about goods ordered from an online store last week.

Step 2. Make sure the law applies to the company

It so happened that the law applies to every company or individual entrepreneur. Companies collect employee data when applying for a job, service companies collect data from individual customers.

As soon as personal data appears in the company's forms, files and services, this article turns from background reading into a guide to action. The company stores personal data even when employees write on the internal social network that they profess Pastafarianism.

Step 3. Assess the scale of the problem and remove what is unnecessary

Work out whose data the company has accumulated. Often these are employees and contract employees, job seekers and clients.

Understand what this data is, and literally write it down in a column. Employees: full name, date of birth, salary. Clients: name, email and home address.

Study which forms this data goes into, and on which computers and in which company services it is stored. Personal data ends up everywhere.

If you find something the company does not need for its work, feel free to get rid of it. If it has been two years since you changed from direct mail to SMS mailing, delete clients' email addresses. If personnel officers still keep applicants' résumés from the past 15 years, those go under the knife.

Step 4. Ask for permission

You can transfer data to another company or make it public only with the consent of an individual. Typical examples: the bank credits money to the cards of employees on a salary project, and a courier company delivers orders to customers.

You can use special categories of personal data only with written consent. These are data on nationality, political and religious views and beliefs, health and intimate life.

Transferring data to foreign counterparties is also allowed only with written consent. You don't have to obtain it if the counterparty is from one of the 17 countries approved by Roskomnadzor Order No. 274 of 2013-15-03. If you run a tourist business and send clients to Croatia, obtain written consent for the transfer of data to hotels and to the companies organizing the transfer.

Sending advertising messages or making advertising calls is allowed only with prior consent, otherwise Roskomnadzor and the FAS will be upset. Obtain customer consent when collecting contact information online or on a paper form.

Step 5. Get a bunch of local regulations

The results of the previous step are entered into an internal regulation - a policy regarding the processing of personal data.

152-FZ and the Labor Code require the company to approve the policy, familiarize employees with it, and make it available for clients to read as well.

A printout on the information stand and a page on the website solve the problem.

If an audit comes to the company, the auditors will want to see more than the policy alone. At the same time, the law does not contain a list of required local acts. Resourcefulness, Yandex and Google, helper services or skilled contractors can help out.

Step 6. Take a closer look at the site

Be sure to post a policy on the processing of personal data on the site if you collect data through it. If you do not, publish it anyway: this will make the company stand out in the eyes of clients and of Roskomnadzor, which can check for the presence of a policy on the company's website without any warning.

When collecting data through the site, be sure to refer to the policy and ask for customer permission to use the data. Putting a checkmark in the form on the site is also a sign of consent.

Step 7. Notify Roskomnadzor

152-FZ advises sending a notification to Roskomnadzor that the company is using personal data.

The law lists a number of cases when it is not necessary, but it is better not to use exceptions.

It is difficult to apply the exceptions to a company correctly, and it is no easier to prove this to the supervisory authority if it does not agree.

The notification is sent through the Roskomnadzor website or the state services portal, and then by mail. Include company details and policy information in the notification. Use the instructions on the Roskomnadzor website; they will answer some questions about filling it out.

These steps will be enough to prepare for an audit or a "letter of happiness" from Roskomnadzor. It is impossible to guarantee success in dealing with the regulatory body, but it is worth taking reasonable measures today … or tomorrow. And Roskomnadzor is lobbying for an increase in fines by an order of magnitude.
