Preparation for the inspection of Roskomnadzor: harsh practice for the brave


    For 13 years now, the federal law “On Personal Data” No. 152-FZ has been in force in the Russian legal field.

    It would seem that over the years, companies operating PD have gone through everything: recognizing the need to protect personal data, accepting that even a full name alone is PD, coming to terms with the inevitability of writing more than twenty organizational and administrative documents, and even humbly agreeing that a complete security system must be built alongside the paper one.

    152-FZ not only raised the awareness of PD operators; the data subjects themselves also began to realize that they are the owners of confidential information and to demand its effective protection.

    However, despite daily work with PD, the most pressing question before an inspection is always the same: “What exactly does Roskomnadzor look at?”


    Fortunately, we already have an answer, based on extensive practice in preparing for Roskomnadzor inspections: the inspector looks at everything related to the organizational protection of PD.
    Unfortunately, this means that the process is neither easy nor small, but it has its advantages: such a project is always a great occasion to take an inventory of information flows and systems, which makes business processes more transparent and makes it possible to optimize them. But that comes afterwards. This article describes what to do when you find your company in the inspection plan.

    Preparing for the inspection


    By the way, you need to check whether your company is in the plan as early as possible: for this, right now you can go to the Roskomnadzor website and find the document "The plan of the Office of the Federal Service for Supervision in the Sphere of Telecommunications, Information Technologies and Mass Communications in the Central Federal District in 2019". If your legal address is in another federal district (or, by the time you read this article, 2019 has already passed), substitute the parameters you need. If you did not get into the plan for the current year, then around December the plan for the next year will already be available.

    Since preparation for the inspection includes a mandatory follow-up stage of implementing recommendations, you need to start the process at least 6 months before the official start date. This helps you avoid time pressure and, as a consequence, avoid pulling employees away from their current tasks for long stretches (colleagues are unlikely to take that positively) and omitting important aspects of the necessary work (which the inspector will not approve of).

    Get ready: you will find yourself between two fires when you have to create temporary inconveniences for the common good, but a bitter pill is sometimes vital, and the main thing is the willingness to take it together. Work related to the inspection must take place in a welcoming atmosphere of cooperation. Your task is not to punish anyone, but to help the company conduct a self-assessment and eliminate violations and shortcomings.

    For this, first of all, you need to convey to company management the importance of the event and ask for its active participation. There is a golden rule: speak to the business in the language it understands, that is, money. Well then: penalties for violating the federal law of interest to us are set out in Articles 137, 140, 272, 274 of the Criminal Code of the Russian Federation and Articles 13.11, 13.12, 13.25, 19.5 of the Administrative Code of the Russian Federation, and Roskomnadzor now issues them for each individual violation. If your business is skeptical of losses of several hundred or several million rubles, your trump card is reputational risk: offended employees and customers are fully accessible on the Internet, news sites are ready to grab any small leak and inflate it into a sensation, and competitors will be happy to help them with this.

    But your task is not to scare the company's management, but to offer it a solution to the problem and seek support. At this stage, you need to evaluate your strength and understand whether there are employees on staff who can be brought into the project. Note that these employees should be able to devote at least 80% of their working hours to the assigned task, i.e. not prepare the entire company for the inspection in parallel with HR / accounting / legal duties, but devote almost all of their time to it. And here we come to an important condition for successful preparation: having on staff a separate employee responsible for the processing and protection of personal data, who is part of the information security division. This is the most effective model for managing the process, and cutting corners here is, in our opinion, a false economy.

    There are two options for implementing this model: hire such an employee onto the staff, or (better still, at the same time) bring in an external organization specializing in preparing for and supporting Roskomnadzor inspections.

    The main criteria for choosing such a company, a system integrator, are completed projects in this area, the ability to present the service and describe in detail the stages of the work and the result of each of them, and the ability to justify the cost. Expect that quality work will never be indecently cheap or take unexpectedly little time.

    A good integrator will certainly offer you a full cycle of work: from the readiness to convince the company management of the need for the project to support during the audit and help in preparing answers to the instructions on eliminating violations after it.

    Regardless of whether you bring in a third-party organization or not, the biggest help top management can give you, besides the budget, is to initiate a company-wide announcement about the start of the work with a request to fully assist the responsible person. It is very important to emphasize that this is a self-assessment, not an audit to identify and punish the guilty. Unfortunately, there have been cases of panic and resistance from employees, up to refusing to provide much-needed information about a particular process. Remember: a polite request from management, and every employee's awareness of taking part in a common cause for a good goal, work wonders.

    The main stages of work


    Now that the green light is given, let's go through the necessary stages of work.
    The most effective way to prepare for an inspection is to try to cover as much as possible: it is not known in advance which specific processes the regulator will look at, since it all depends on the time and personnel resources Roskomnadzor allocates.

    Before the inspection starts, the company receives an official letter stating its terms and plan. Conventionally, the process can be divided into two parts: requesting and studying documentation (the more than twenty organizational and administrative documents mentioned at the beginning) and face-to-face interviews with the people who actually perform the processes: the inspector has no interest in sitting in a meeting room and talking with department heads for a month. Conversations almost always take place at employees' workplaces. The inspector has the right to ask to be shown systems / folders / mail and to search for something on the work computer: you do not have to give him access to the company’s network, but he may take screenshots of particular processes.

    They will definitely check the processes typical of all companies:

    • visitor access control (“who processes visitors’ PD, and how?”)
    • searching for candidates for vacant positions (“how long are applicants' resumes kept?”)
    • HR management (“why do you need to keep the PD of dismissed employees?”)
    • accounting (“on what basis is PD transferred to the bank and the insurer?”)
    • interaction with contractors (“are they given processing instructions? Is the data transfer channel protected? Is the protection of the transferred information controlled?”)
    • storage and transfer of documents to the archive (“are the files formed in accordance with the legislation?”)
    If your main activity is the provision of services, the field for inspection is even wider: customer acquisition, contracting, service delivery, contract termination, advertising.

    Among less typical things, they may look at the company’s website (“is there a policy for processing and protecting personal data? A notice about cookies and counters?”), mobile applications (“who holds the databases?”), visit the front office as a mystery shopper, check the call center's work, request a threat model, and even ask about the process of ordering business cards.

    Where to start preparing? We propose acting the same way the inspector does (a great rehearsal before the real inspection), with the only difference that all the staff are ready to help you and will tell everything as it is, with all the shortcomings. That is why involving top management and explaining in advance the reasons for the sudden internal audit work are so important.

    First, carefully study the organizational structure of the company (and, if available, the list of ISPDs, i.e. personal data information systems), identify the typical PD processing processes, suggest where else PD may be processed beyond these areas, and schedule interviews. From experience: the IT and information security departments are best left for later, when you already have a picture of all PD processing processes. Collect all documents on the processing and protection of personal data that exist in the company.

    Each interview should take from 30 to 60 minutes: in this time you can collect all the necessary information without pulling your interlocutor away from work tasks for long. Interviews are a great chance to find out what your colleagues lack to make their work more comfortable: very often we hear requests to note the lack of shredders or lockable cabinets, as well as the absence of a description of the mandatory procedures for collecting and protecting PD. This will later help justify the budget for building or upgrading the security system.

    Be sure to draw up the minutes of the interview during the conversation and agree them with your interlocutor afterwards. Record in them all the documents that may contain PD or imply its receipt / sending and that were discussed during the conversation: later you will need to request and analyze them.
    Thus, at the end of the examination phase you should have:

    • agreed interview minutes
    • all existing valid documents on the processing and protection of PD
    • all documents that may include the entry of PD, its receipt or transfer

    Finally


    The most interesting part remains: compiling the examination report, which must include all the minutes, the analysis of each document, and the analysis of each process. And, as the result of your work, a list of the violations found and recommendations for eliminating them, with deadlines and responsible persons.

    That's it: now you can breathe a sigh of relief and ... immediately proceed with the implementation of these recommendations.

    Will the work done guarantee a perfect inspection? Nobody can promise you that the process will go without a single remark (at least, no honest experienced specialist will), but you can very much influence how few such remarks there are and how painlessly they are eliminated within the allotted (now quite reasonable, 3-6 months) terms.

    After the inspection, be sure to turn your attention to the technical aspects of PD protection, maintain the implemented procedures and documents, conduct employee training, and next time will definitely be a little easier.
