Let’s take a little sneak: it became clear what will happen to personal data after September 1, 2015


    Penalties for misconduct are added up.

    242-FZ tells us that the operator is obliged to ensure the recording, storage, modification and retrieval of personal data of citizens of the Russian Federation (this is all that directly or indirectly relates to the subject of personal data. And the phone number, and even the level of protection of its data can be attributed here according to 152 -FZ) using databases located on the territory of the Russian Federation. From September 1, 2015. For using the primary base outside the Russian Federation, you will receive a relatively small fine and, even worse, blocking resources for 3 business days from the date of the court decision. At the same time, it will be possible to unblock access and “exit” the registry only by court order.


    Who is carried


    Of course, there are no accurate statistics on how much personal data of Russians is stored outside the Russian Federation. Quite a lot of PD is stored in the USA, Germany, England, France and other European countries, because the industry of hosting providers is most developed there. It is logical that Russian regulators saw a number of risks in this. First of all, we are talking about the risks associated with the observance of the rights of subjects of personal data, as well as the likelihood of losing communication with external data centers due to the imposition of sanctions. Therefore, keep the new law.

    242-FZ covers all foreign companies that have branches in our country, international services, travel agencies - representatives of foreign companies, subsidiaries of foreign banks, etc. But new requirements do not include legal relations that are regulated by international treaties or conventions (airlines, journalism and a number of other areas). The rest should move. The same eBay, Google, PayPal and many others have already announced their readiness to continue business in Russia. Perhaps the hardest process is given to banks - there are no exceptions for them, and their IT infrastructure architecture is usually such that the transfer is rather difficult.

    Here are the foreign companies operating in our market. Please note that a domestic company may have databases outside the Russian Federation (for example, on Amazon), so the actual percentage of those who need to switch is higher.



    Large international companies have the usual architecture - “wheel and spokes”, where the head office or data center acts as the main information center (for example, in the USA). In the Russian Federation, such companies will have to raise another site - either their own regional data center, or stand in colocation to someone else. Actually, many join us at CROC due to the availability of already certified FSTEC and FSB solutions in the TIER-III TIA + UI (facility) data center.

    What a typical large system transfer looks like


    This is a rather lengthy and painful process:
    • Assessment of required resources - 2 weeks;
    • The process of choosing a supplier - 2 weeks;
    • System Analysis - 1 week;
    • Migration testing - 1 week;
    • Waiting for equipment - 6-8 weeks;
    • Data transfer - 2–4 weeks;
    • Checking the transferred data - 1 week.

    Total more than 4 months. My porting experience is from 2 weeks for a relatively simple infrastructure to 3 months. The problem is usually not only that the database carries many more infrastructure components, but that business continuity is important for many (for example, banks). The operability of customer systems at any stage of the "move" is supported.

    Most often you need to transfer:
    • Online services: online store; portal for customers.
    • Business Applications: CRM; HRMS
    • Infrastructure applications: mail; corporate forum.


    On the side of the Russian Federation we need:
    • data centers (or server, preferably 2 pieces, the main and backup, although in some cases lawyers argue that backup can be stored outside the Russian Federation; the law says that when collecting data transferred to companies, it is necessary to ensure their initial accumulation, storage and processing in Russia, after which it is already possible to transfer this data abroad);
    • Computing resources - in fact, the servers themselves and the storage system;
    • Infrastructure software - these are new licenses for the site in the Russian Federation;
    • Channels of connection;
    • Engineering resources;
    • Support + SLA;
    • Development of mechanisms for migration, synchronization and data consolidation.


    That is why the procedure is quite complicated, and many do not build their own data centers, but get into the ones already designed for this. For example, many of us are happy with our protected cloud, where there is:
    • Certified FSTEC VMWare hypervisor;
    • Firewalling (FW) - FSTEC certification; cryptographic protection of communication channels (IPSec VPN) - FSB certification;
    • Intrusion Prevention (IPS) - FSTEC certification;
    • Deep web traffic filtering (WAF);
    • Antivirus protection of network traffic;
    • And any other security features that can work in a virtual VMware environment.

    When transferring a database, we always separate the infrastructure of one customer from all the others.

    Information Security


    New legislation requires:
    1. Transfer PD to the Russian Federation.
    2. And at the same time also protect the data to a fairly good extent.



    It should be noted that the legislative initiative is directly related to the import substitution program in IT. Regulators stimulate to the maximum use of available domestic technical resources, software and other developments. However, complete import substitution in the IT sector is difficult to achieve today.



    Information security systems have a couple of interesting features. We have quite a few good manufacturers that have passed domestic certification and are doing what falls under the definition of “domestic software”, that is, they will receive priority for use in government agencies (there is a discussion of possible expansion at state-owned companies and state corporations).

    Checks




    Checks will be conducted, plus you will be monitored without direct interaction.

    Conditions for unscheduled inspections:
    1. Expiration of the execution of the order.
    2. Appeals of citizens (requires agreement with the prosecution authorities).
    3. Information from public authorities (OGV), local authorities (LSG) and the media about violations of the law.
    4. Orders of the President and the Government of the Russian Federation.
    5. Violations as a result of systematic observation.
    6. Inconsistency of the information contained in the notification with the actual activity.
    7. Failure to comply with the requirements of Roskomnadzor (ILV) to eliminate the violation.
    8. Based on the requirements of the prosecutor's office.

    Criteria for inclusion in the audit plan:
    1. A three-year period from the date of completion of the last scheduled inspection.
    2. Information from the UGA, the local self-government and the media about violations of the law and the results of systematic observation.
    3. PD processing of a significant number of PD subjects / biometrics / special PD categories.
    4. Failure to provide information, including notification, in accordance with Federal Law-152.

    Total


    • a black list of violators of the rights of PD subjects appeared;
    • systematic observations of operators appeared;
    • increased fines for violations of PD processing;
    • ILV inspections became more frequent and the grounds expanded.

    If you collect PD of citizens of the Russian Federation in any volumes, then here is what you need to do:
    • We are reorganizing business processes, IT infrastructure;
    • Save / modify PD in the database on the territory of the Russian Federation;
    • We provide the "correct" protection of this database (ISPDn);
    • We transfer PD from this database cross-border (if necessary);
    • Do not forget about the collection of consents, if necessary (this is necessary in the case of the transfer of personal data to a country that is not on the list of countries that provide adequate protection for the rights of subjects of personal data, or countries that are parties to the Council of Europe Convention for the Protection of Individuals with Automated Processing of Personal Data. In this case, you need to make sure that the organization does not fall under the exceptions of the new law and organize the collection of subjects' consent for cross-border data transfer);
    • We make changes to the notification on the website of Roskomnadzor.


    References


    • Here, in the last post , there are more detailed documents. If very briefly - yes, it is necessary to transfer so as not to remain blocked in the territory of the Russian Federation. Since this post, the data has been updated a bit, plus our team made several more large transfers and a couple of dozen smaller ones - an understanding of a number of infrastructural features appeared.
    • Page "about personal data"
    • Workshop with details and video

    Also popular now: