Aspects of personal data protection on the Russian market

In today’s world, information is worth its weight in gold. Everyone wants to be sure that it is safe to provide information about themselves. In the era of digitalization, how can personal data protection in the Russian Federation be made reliable?

In the Russian market, legislation in this area has been actively developing in recent years. In 2006, the adoption of the 152nd Federal Law «On Personal Data» was a key moment in the regulation of privacy issues. This law:

  • laid the foundation for the creation of a personal data protection system in Russia;
  • defined key concepts;
  • established a framework for permissible actions with citizen information.

Global trends and scandalous data leaks of leading companies require constant updating of legislation. For this purpose, amendments are made to the law on personal data protection, clarifying and expanding the rights of citizens and the obligations of personal data operators.

The law does not name the local acts that govern work with personal data. The Ministry of Finance has given a list of local acts that are recommended to be issued. The list includes the Personal Data Operator’s Policy on Personal Data Processing and the Regulation on Processing and Protection of Personal Data (Letter dated 28.08.2020 No. LB-C-074-24059).

The law provides for measures to protect citizens’ personal data. All personal data subjects have the right to know who uses personal information about them and how. Such rights include:

  • the right to access their data;
  • the right to request that they be adjusted;
  • the right to have them deleted if the data are processed unlawfully or if there is no actual need to store them.

The duties of an operator handling citizens’ personal data include:

  • obtaining citizens’ consent to data processing;
  • informing them of the purpose of the information collection;
  • taking measures to ensure data security.

The employment relationship is the most common example of interaction with personal data. The employer must process everyone’s personal data when the employment relationship is formalized. The protection of the individual’s personal data then becomes the employer’s task.

An employer must destroy employees’ personal data or ensure the destruction of such data. From March 1, 2023, the employer must confirm the destruction of personal information on citizens.

If an employer fails to follow measures to protect personal information about an employee and personal data gets to third parties, the company and officials can be held liable.

Example. An employer may be fined up to 150,000 roubles for processing personal data without the employee’s consent. If the employer uses databases outside the territory of Russia for processing personal data, the fine may reach 6 million roubles.

The 152nd Federal Law «On Personal Data» confirms the employer’s obligation to carry out internal control (audit) of personal data documents (Clause 4, Part 1, Article 18.1). HR managers should monitor changes in the law, take into account clarifications of state bodies and court practice, and audit company documents.

Major personal data leaks in the financial sector have revealed vulnerabilities in the security systems of Russian banks and have prompted a push to strengthen them. In social networks, protecting the rights of personal data subjects is no less important. Even the largest platforms are not immune to errors.

The consequences of data breaches are not only a threat to a company’s reputation, but also a loss of customer trust and real economic damage. More and more companies and individuals are realizing this and investing resources in security.

In a world where every click and transaction leaves a digital footprint, it’s especially important to ensure the right to protect personal data. Here are a few current key recommendations to avoid potential threats to your business and yourself.

For companies:

  1. Systematic threat assessment. Don’t wait for an incident — regularly analyze and assess the potential threats your business may face.
  2. Staff training. Most data breaches are due to human error. Provide regular cybersecurity training to employees and keep them up-to-date.
  3. Technical protection. Update your software, use modern means of encryption and information protection, monitor the status of your servers and databases.

For private citizens:

  1. Beware of phishing. Scammers often use fake websites and messages to steal your data. Don’t click on suspicious links or give your personal information to strangers. Safeguarding your personal data comes first.
  2. Two-factor authentication. Where possible, activate two-factor authentication. This will add an extra layer of protection to your accounts.
  3. Rights awareness. Know your rights in relation to personal data and make sure you only give consent to companies and services you really trust.

Modern encryption methods, the use of artificial intelligence to identify threats, and the use of blockchain technology are no longer fantasy, but real tools available to protect data.

Protecting personal data is a complex and multifaceted task, especially in a rapidly changing digital world. However, it is challenges like these that drive progress.

The company’s lawyers are professionals with extensive experience. They will provide legal support in the field of information security and ensure a comprehensive approach to solving the tasks at hand.
