Compliance with requirements of law on personal data in respect of information systems postponed by a further six month

Pepeliaev Group notes that Federal Law No. 152-FZ “On personal data” dated 27 July 2006 (the “Law”) has been amended so as to extend to 1 July 2011 the deadline for making personal data information systems (“PDISs”) comply with the Law’s requirements.

The requirements for PDISs are set out in the Law and in subordinate legislation, the main item of which is the Russian Government’s Resolution No. 781 “On approving the Regulations on ensuring the security of personal data during processing in personal data information systems” dated 17 November 2007.

It should be emphasised that, under the Law, PDISs created after 1 January 2011 must already meet the requirements of the Law and subordinate legislation.

The explanatory note to the draft law gives the main reason for putting back the deadline as the fact that state authorities and state-funded bodies at all levels would, in complying with the requirements for PDISs, see their expenditure increase significantly, while their budgets have made no provisions for this. However, it remains unclear how the postponement of the deadline could change the situation, bearing in mind that the law on the budget for 2011 and for the 2012 and 2013 planning period also fails to provide for the expenditure in question. This suggests that the deadline may be extended once more in 2011.

The consequences of a failure to comply with the requirements for PDISs could be extremely severe. They range fr om fines and even the confiscation of uncertified means of protecting information under administrative legislation, to orders from the supervisory authorities. The latter can include the suspension of or a ban on processing personal data (wh ere the integrity of personal data is being seriously compromised during processing), to a suspension under administrative law of business activity as a whole and also the possibility – taking account of the stance on the issue of FSTEK, the relevant supervisory authority – of criminal charges against the managers of companies.

Recommendations

Experience shows that it takes at least six months to take the steps necessary to make PDISs comply with the requirements of data protection legislation. This means that, to meet the deadline stipulated by the Law, the necessary steps should already be under way at the start of 2011.

Pepeliaev Group’s lawyers have considerable experience of advising on compliance issues under data protection legislation. They will offer any assistance needed while the necessary organisational measures are being implemented. These include formulating an action plan setting out the necessary steps and drafting the requisite legal documentation. They will also help in selecting technical experts to provide the necessary technical support.

For further details, please contact:

in Moscow – Julia Borozdna, Head of Employment and Migration Practice, at (495) 967-00-07 or by e-mail; Elena Ovcharova, Head of the Administrative Defence of Business Group, at (495) 967-00-07 or by e-mail; Andrey Slepov, Senior Associate, at (495) 967-00-07 or by a.slepov@pgplaw.ru

in St Petersburg - Sergey Spasennov, Partner, Head of St. Petersburg office, at (812) 333-07-17 or by e-mail