Personal data in the Russian Federation: who are we all? Where are we going?

Over the past few years, we have all heard the phrase “personal data”. To a greater or lesser extent, we have brought our business processes in line with the requirements of legislation in this area.



The share of Roskomnadzor inspections that revealed violations this year is steadily approaching 100%. Statistics from the Roskomnadzor Office for the Central Federal District for the 1st half of 2019: 131 violations across 17 inspections.



At the same time, our daily reality is “cold” calls from various organizations with which, perhaps, I have never had any business. Calls from mobile phones on behalf of large businesses (banks, insurance companies, etc.). SMS mailings that you can’t refuse. Their number seems to be only growing.



Keeping a balance between the interests of the business and the requirements of the regulator is a real challenge for a business of any size. The law leaves it to the operator to assess independently the list and sufficiency of the measures applied. On the positive side, you can reduce risks by avoiding the most common violations. Moreover, this requires neither additional costs nor technically complex measures.



So, number one on the list is violation of the conditions for processing personal data. Examples: an incomplete list of processing purposes, categories of subjects, or third parties who have access to the data.



The truth that will have to be accepted: it is impossible to draft one standard consent for all occasions, whether for employees, for customers, or for users of a software product. Although I would really like to.



Each time you start a new marketing campaign or change the sales system, spend 5 minutes checking that the consent contains:



1) the name and address of the operator company,

2) the processing purposes,

3) a list of the data,

4) a list of actions performed on the data and the methods of processing,

5) cross-border transfer and / or transfer to third parties (indicating specific countries and third parties),

6) the validity period of the consent, and

7) the method of its withdrawal.



Few templates from the Internet meet all of these criteria, so you can borrow one, but with caution and additions.



Have the auditors accessed documents containing personal data? Then consent is required that states the purpose (audit) and the name and address of the auditor's company. Has the company that delivers the online store's goods changed? Then the consent obtained when the client registered on the site is no longer enough. Referring to a list of partners will not provide 100% peace of mind, but it is better than nothing.



Special mention should be made of processing the data of software end users: when you want to know your user as well as possible and send them current offers, and when data is collected and stored even though a license key is enough to register the software product. Such data can be used with the consent of the subject, but do not make the main service or the sale of the product conditional on a mandatory marketing newsletter. This concerns not only personal data, but also legislation on advertising.



Other conditions are no less difficult to fulfill. The list of purposes should not be redundant. The principle is one purpose, one consent. That is, a single signature cannot cover both consent to process the data in an applicant's resume and its inclusion in the personnel reserve. As a compromise, it seems viable to highlight each purpose in a separate paragraph of one document and give the subject the opportunity to enter “agree” / “disagree” for each.



And finally, what is personal data? How can one tell from the vague definition given in the law (“any information relating directly or indirectly to a specific or determinable individual”) whether a particular case falls under it? Roskomnadzor promised to approve a personal data matrix by the end of 2018. The deadline was postponed to the end of 2019. We are waiting.



What else we are waiting for:





And the subjects of personal data are waiting for the obsessive calls and newsletters, from which it is impossible to opt out, to stop. I'm not interested in credit, contextual advertising interferes with viewing content, and I remember that insurance is being downloaded to my car.


