Implementation of Personal Data Processing
Legal support for the development and implementation of documents required for the processing of personal data
The processing of personal data has become an integral part of almost any field of activity, especially if this activity is related to the provision of services to individuals.
For example, issuing a store discount card to an individual already requires the personal data operator to process that data, notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor), and maintain a Personal Data Processing Policy. It is not only large corporations and organizations that have to develop and implement a personal data processing policy, but also individual entrepreneurs and small firms.
Following changes to the legislation on personal data processing, developing a personal data processing policy has become the responsibility of many organizations and individual entrepreneurs. However, it is often not easy to cope with this task on your own.
At the same time, having a qualified specialist review an existing personal data processing policy makes it possible to identify the data needed for each purpose of processing; to specify the categories and list of personal data being processed, the categories of subjects whose data are processed, the methods and terms of their processing and storage, and the procedure for destroying personal data once the goals of processing are achieved; and to correct all of this competently, reflect it in the necessary documents, and put it into effect.
In order to comply with the legislation on the protection of personal data, operators processing personal data need to develop and implement appropriate local documents. The requirements of the law can all be reflected in a single local document, or they can be divided into parts and reflected in several documents. Such documents usually include:
- Policy for the processing of personal data and the provision on the protection of personal data. This is one of the most important documents in the field of personal data processing. As a rule, the personal data processing policy includes general provisions, purposes of data processing, legal grounds for processing, categories of data and categories of subjects, methods, terms and conditions of processing, conditions for the destruction of personal data, etc. Because illegal access to personal data for fraudulent purposes is increasing, the personal data received must be protected and access by unauthorized persons must be excluded. It is necessary to prescribe measures for the protection of personal data; if personal data is stored on employees’ computers, it is especially important to install anti-virus programs, and also to appoint a person responsible for the protection of personal data by order of the head of the organization.
- Order on the appointment of a person responsible for the processing of personal data. The responsible person is appointed by order of the head of the organization. The order also sets out the duties of the responsible person, for example, maintaining internal control over compliance with legislation on the protection of personal data.
The list of documents does not end there. Documents such as the regulation of access to personal data, the obligation not to disclose personal data, the procedure for internal control over compliance with legislation on the protection of personal data and other documents can also be developed and implemented. A specific list of local documents, in addition to those established by law as mandatory, is determined by personal data operators independently. As a rule, such a list of local documents depends on the amount of personal data being processed, the number of employees who have access to such data, the necessary security measures when processing personal data, etc.
When processing personal data, the operator is obliged to take measures necessary and sufficient to ensure the fulfillment of the obligations provided for by Law No. 152-FZ. The operator independently determines the composition and list of measures necessary and sufficient to ensure the fulfillment of these duties. These measures include, in particular:
- Appointment by an operator that is a legal entity of a person responsible for organizing the processing of personal data.
- Publication of documents defining the operator's policy regarding the processing of personal data, local acts on the processing of personal data, as well as local acts establishing procedures aimed at preventing, detecting violations, and eliminating the consequences of such violations. Such documents and local acts cannot contain provisions restricting the rights of personal data subjects, as well as imposing powers and obligations on operators that are not provided for by the legislation of the Russian Federation.
- Application of legal, organizational and technical measures to ensure the security of personal data.
- Implementation of internal control and (or) audit of compliance of the processing of personal data with the requirements for the protection of personal data, the operator’s policy regarding the processing of personal data, local acts of the operator.
- An assessment of the harm that may be caused to the subjects of personal data in the event of a violation of the processing of personal data, and of the relationship between that harm and the measures taken by the operator.
- Familiarization of the operator's employees directly involved in the processing of personal data with the provisions of the legislation of the Russian Federation on personal data, including the requirements for the protection of personal data, documents defining the operator's policy regarding the processing of personal data, and local acts on the processing of personal data, and (or) training of those employees.
At the same time, in connection with the changes made to the legislation in the field of personal data processing, operators will have to make appropriate changes to the local documents regulating this area of the organization's activity and introduce them into the work of the company. Considering that administrative liability is provided for non-compliance with or violation of legislation in the field of personal data, personal data operators need to promptly analyze the existing documents, make appropriate changes, and send a notification to Roskomnadzor, if necessary.
In the absence of any documents, personal data operators need to develop them very quickly, put them into effect, implement them in the work of the organization and place them on information resources on the Internet. Often, the speed and quality of the implemented documents can be ensured by an experienced and qualified lawyer who will not only be able to point out shortcomings in existing documents, but also make appropriate adjustments or fully develop the necessary package of documents in accordance with the requirements of the current legislation in the field of personal data processing.
- Advice on the processing of personal data
- Development and implementation of documents on the processing of personal data
- Support for the activities of organizations related to the processing of personal data
- Preparation of necessary documents in the field of personal data processing
- Representing the interests of the personal data operator in interaction with Roskomnadzor