Personal data in the Russian Federation: who are we all? Where are we going?

Over the past few years, we have all heard the phrase “personal data.” To a greater or lesser extent, companies have brought their business processes into compliance with the requirements of legislation in this area.

The share of Roskomnadzor inspections that revealed violations in this area this year is steadily approaching 100%. Statistics from the Roskomnadzor Office for the Central Federal District for the 1st half of 2019: 131 violations across 17 inspections.

At the same time, our daily reality is “cold” calls from various organizations we may never have dealt with, calls from mobile numbers on behalf of large businesses (banks, insurance companies, etc.), and SMS mailings that cannot be unsubscribed from. Their number only seems to be growing.

Maintaining a balance between business interests and regulatory requirements is a real challenge for businesses of any size. The law leaves it to the operator to assess which measures to apply and whether they are sufficient. On the positive side, risk can be reduced by avoiding the most common violations, and doing so requires neither additional costs nor technically complex measures.

First on the list is violation of the terms of personal data processing. Examples: an incomplete list of processing purposes, of categories of subjects, or of the third parties who are granted access to the data.

A truth that will have to be accepted: it is impossible to write one standard consent for all situations, whether for employees, for clients, or for users of a software product, however much one would like to.

Every time you launch a new marketing campaign or change your sales system, spend 5 minutes checking that the consent contains:

1) name and address of the operator company,
2) purposes of processing,
3) list of data,
4) a list of actions with data and methods of processing them,
5) cross-border transfer and/or transfer to third parties (indicating specific countries and third parties),
6) the validity period of the consent, and
7) the method of its withdrawal.

Few templates found on the Internet meet all of these criteria, so you can borrow one, but with caution and with additions.

Did auditors gain access to documents containing personal data? Then consent is required that states the purpose (audit) and the name and address of the auditor’s company. Has the company delivering an online store’s goods changed? Then the consent obtained when the client registered on the site is no longer sufficient. Linking to a list of partners will not give 100% peace of mind, but it is better than nothing.

The processing of data from end users of software deserves special mention: the case where you want to know your user as well as possible and send them current offers, and data is collected and stored even though a license key is all that is needed to register the product. Such data may be used with the subject’s consent, but do not make provision of the main service or sale of the product conditional on mandatory marketing mailings. This concerns not only personal data legislation but advertising legislation as well.

The other conditions are no less difficult to meet. The list of purposes must not be redundant, and the principle is one purpose, one consent. That is, a single signature cannot cover both consent to process an applicant’s resume data and consent to include them in the personnel reserve. As a compromise, workable examples are those where, within one document, each purpose is set out in a separate paragraph and the subject is given the opportunity to mark “agree”/“disagree” for each one.

And finally, what is personal data? How can one tell from the vague definition given in the law (“any information relating to a directly or indirectly identified or identifiable natural person”) whether a particular case falls within its scope? Roskomnadzor promised to approve a personal data matrix by the end of 2018. The deadline has been postponed to the end of 2019. We are waiting.

What else are we waiting for:

  • Bill No. 04/13/09-19/00095069. Simplification of the consent form and legalization of electronic forms of consent (a checkbox, an SMS, etc.). Today, court practice goes both ways: a court may either apply the rules on paper consent by analogy or find electronic consent improper.
  • Bill No. 729516-7. Increased fines. For a repeated violation of the localization requirement (initial collection of data into a database located on the territory of the Russian Federation): 18 million rubles. Changes to how fines are calculated. Will the fine be multiplied by the number of subjects whose consent was found to be improper?

And the subjects of personal data are waiting for the intrusive calls and mailings that cannot be stopped to finally stop. I'm not interested in a loan, contextual advertising gets in the way of viewing content, and I remember that insurance for my car is being downloaded.

Source: habr.com