New Rules For The Regulator’s Audits In The Area Of Personal Data

Pepeliaev Group advises that an updated procedure for audits with respect to compliance with personal data legislation has come into force.

The Resolution of the Russian Government[1] which establishes the procedure for organising and conducting audits with respect to personal data operators (the “Resolution”) came into force on 23 February 2019. Previously the procedure for conducting audits was regulated by the Administrative Regulation of 2011[2] (the “Administrative Regulation”). The Resolution has updated and supplemented this procedure by enshrining it at a higher regulatory level, as required by legislation.

Despite the general rules for conducting audits, established by the Administrative Regulations, not having changed, the Resolution introduces a number of provisions that we view as rather interesting. Among these, we would single out the following.

The ‘technical side’ of the issue is excluded

The Resolution draws attention to the fact that Roskomnadzor (the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications) does not check whether organisational and technical measures are carried out to ensure the security of personal data processed in personal data information systems (“PDIS”). However, the full article 19 of Federal Law No. 152-FZ “On personal data” dated 27 July 2006 is now outside of the scope of audits.

In the light of a significant block of regulatory requirements with respect to personal data security in PDISs being moved outside of the scope of audits, we may expect subsequent approval of the corresponding rules for control and supervision in this area. In all probability, this will be accompanied by the transfer of this competence to some other regulatory and supervisory authorities, for example, the Russian Federal Service for Technical and Export Control (FSTEC).

The frequency of scheduled audits is increasing

As previously, the general rule has remained that scheduled audits of operators should be conducted no more often than once every three years. However, a new classification of personal data operators has originated for audit purposes. This classification includes the following operators:

• those collecting biometric and special categories of personal data;
• those performing the cross-border transfer of personal data to a foreign state that does not ensure adequate protection of the rights of personal data subjects;
• those processing personal data at the request of a foreign entity (individual, or state authority) that is not registered in Russia.

Now such operators can be audited more often - once every two years.

Despite the fact that now Roskomnadzor has the right to perform scheduled audits of operators more frequently, it should be borne in mind that Roskomnadzor lacks the resources for regular audits of a significant number of companies. However, if one looks more closely at the list of operators, for example, in connection with the processing of special categories of personal data which is performed almost by all employers (for example, information about the state of employees’ health), this group of operators includes, in essence, all companies. For this reason, if Roskomnadzor has the intention to audit an operator so often, this would be allowed within the framework of the law.

Other procedural provisions have been clarified

The list of grounds for extending the timeframe of an audit has been clarified and expanded. For example, the fact that an operator has a multidivisional organisational and business structure and/or complex technological processes of personal data processing is a ground for extending an audit.

Unscheduled desk audits have been abolished.

The regulator’s right with respect to PDIS has been clarified: during a field audit, the regulator has the right to receive access to an operator’s PDIS in the mode of viewing and selecting information in terms of whether the contents, volume, and methods of processing, and the time limits for storing personal data that is being processed are in line with the purposes of their processing.

The timeframe of an unscheduled audit has been shortened from 20 to 10 days.

In addition, a maximum deadline for eliminating violations identified during the audit has been set. It will be six months (previously such deadline was determined at Roskomnadzor’s discretion).

What to think about and what to do

It is advisable for companies to check their compliance with the requirements of personal data legislation, and to prepare in advance for possible control and supervision measures of Roskomnadzor.

Help from your adviser

Pepeliaev Group’s lawyers are ready to provide services in terms of conducting an audit of operators of personal data with respect to their compliance with the requirements of personal data legislation and in terms of bringing operators’ activities into line with the legislative requirements.

Our lawyers have significant experience in preparing for and providing legal assistance during audits conducted by Roskomnadzor. They are ready to provide the corresponding complex legal and technical support for the timely identification and elimination of possible violations, and to represent the company and its employees when controlling events are conducted and in disputes with administrative authorities.