
Reviewing data handling procedures: the importance for corporations to scrutinize data management practices

In the modern world, personal data has taken on immense financial value. Safeguarding this data, however, has grown increasingly challenging. Our everyday actions, including social media posts, job applications, in-store and online purchases, and the collection of loyalty cards and subscriptions, all involve the disclosure of personal information.


Get ready to buckle up, folks! On May 30, fresh updates to the Code of Administrative Offenses come into force, beefing up the sanctions for skirting the "Personal Data" law. With the cost of non-compliance soaring, these changes aim to motivate companies to strengthen their information security and help stem the tide of data leaks.

The rise in penalties can be traced back to the glaring disparity between the real-world consequences of data leaks and the measly maximum fine of 100,000 rubles for first-time offenders. That disparity allowed sloppy storage and distribution of personal data to fuel spam calls, ad campaigns, and fraud schemes, while the puny fines failed to compel operators to step up their protection game. But fear not, my friends! Russian lawmakers aren't the first to embrace hefty fines for personal data violations; foreign legal systems have already seen bigwigs footing multi-million-dollar bills for similar infractions.

To keep things digestible, let's break this down into three main sections:

  • General Tightening of the Screws

The needle is moving for offenses covered under parts 1 and 1.1 of Article 13.11 of the Code of Administrative Offenses. From now on, any violation in data processing (processing without consent, processing more data than needed, or processing for purposes inconsistent with the purposes of collection) carries a minimum fine of 150,000 rubles, and a repeat violation could land you with a hefty 500,000 ruble fine.

  • Increased Responsibility: A Closer Look

A boost in accountability also comes in the form of an amendment that cranks up penalties for processing data without written consent, especially when it's mandatory (e.g., in the case of transferring employee data to third parties or handling sensitive data categories such as health status or biometric data). If caught in the act, companies stand to face a fine of up to 700,000 rubles for the first offense, with a repeat offense fetching a 1.5 million ruble fine.

  • The Elephant in the Room: Data Leaks and Notifications

Roskomnadzor hasn't been amused by companies' reluctance to notify the regulator before commencing data processing. As of September 1, 2022, nearly all operators are required to send such notifications, but compliance has been lackluster. Stepping out of line can now cost you up to 300,000 rubles, though it remains unclear whether the new fine will also apply to notifications of cross-border data transfers. Businesses should review their data transfer processes to make sure they're on the right side of the law.

The business and legal community has been given a stark warning about the newly introduced liability for data leaks in the Code of Administrative Offenses. Failure to notify Roskomnadzor of a data leak could result in a fine of 1 to 3 million rubles. If a leak stems from the company's actions or inaction, the fine could reach astronomical heights. Fines are calculated based on the volume and categories of data disclosed. Here's a rough glimpse of what companies might face:

  • Fine amounts: 3 to 5 million rubles if information about 1,000 individuals or 10,000 identifiers leaks; if it's more than 100,000 subjects or 1 million identifiers, the fine is 10-15 million rubles.
  • Identifiers: It's unclear which data count as identifiers; the Code of Administrative Offenses defines an identifier as a unique designation of information about a physical person in an operator's personal data information system, relating to that person. How this question is resolved in practice matters, because it directly determines the size of the penalty.

Another bone of contention is the introduction of recurring fines, as these have sparked debates for quite some time. Now, if an operator allows a data breach within a year of paying an administrative fine for the initial violation, they may be subject to a recurring fine of 1% to 3% of the company's total revenue for the year.

In essence, the tides are turning, and it's high time for businesses to give their data processing practices a thorough stress test. These amendments apply to all companies, but the level of risk depends on the specifics of the business and the volume of data processed. Companies dealing with large user databases are under the microscope: online stores, marketplaces, banks, insurance companies, retail, and online appointment or delivery services. The same goes for startups and IT companies using cloud solutions or foreign analytics services that don't always formally standardize their data transfer processes or notify Roskomnadzor. Even traditional offline businesses aren't off the hook; fitness clubs, medical centers, hotels, and restaurants process personal data and must comply with the law and be prepared for inspections.

Lastly, it's important to remember that Roskomnadzor's attention often falls on companies due to obvious slip-ups in data protection processes. To avoid grabbing the regulator's unwanted attention, make sure your operations check these boxes:

  1. In place: A personal data handling policy on the company's website.
  2. Up-to-date: A current personal data handling policy that reflects current practices.
  3. Informed: Collecting data only with active, demonstrated user consent.
  4. Limited: Processing personal data only with sufficient grounds or in line with the collection purposes.
  5. Agreed: A data processing agreement with contractors when transferring personal data to them.

Hopefully, these preventive measures will keep you out of trouble and save you from facing hefty fines. As always, when the consequences are significant, it's wise to play it safe!


Bonus Insights:

The specifics of the new Russian amendments to the Code of Administrative Offenses regarding fines for violating the "Personal Data" law include an increased fine for notification failures (previously 5,000 rubles; now 100,000 to 300,000 rubles) and stricter penalties for data leaks and repeated offenses. They reflect a broader trend of increasing regulatory oversight in Russia concerning data protection and processing, with fines for failing to notify Roskomnadzor of the commencement of personal data processing, and large companies facing multi-million-ruble fines for data leaks.

  1. Russian lawmakers have increased the sanctions for violating the "Personal Data" law, with the fine for failing to provide notification now reaching 100,000 to 300,000 rubles.
  2. The Code of Administrative Offenses now imposes stricter penalties for data leaks and repeated offenses, with fines potentially reaching astronomical heights.
  3. To avoid attracting unwanted attention from Roskomnadzor, businesses must ensure their data processing practices adhere to certain guidelines, such as publishing a personal data handling policy and collecting data only with active, demonstrated user consent.
  4. With the rise in penalties, companies in sectors like online stores, banks, insurance, retail, and delivery services should invest in improving their information security and in staff training to stay in compliance with the law.
