Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Unlike the cybersecurity laws, the Personal Data Act requires data operators to implement extensive legal, organisational and technical measures to ensure the security of personal data and its protection against unauthorised access, modification, replication or other unlawful acts. Such measures include (but are not limited to):

  • identification of personal data security threats in the course of data processing in the information systems;
  • implementation of organisational and technical measures which ensure the levels of personal data protection established by the Russian government;
  • implementation of security measures that have undergone the prescribed conformity assessment procedure;
  • evaluation, before the personal data information system is commissioned, of the effectiveness of the measures taken to ensure personal data security;
  • registration of personal data machine-readable media;
  • identification of events of unauthorised access to personal data and taking corresponding action;
  • restoration of personal data that has been modified or destroyed as a result of unauthorised access;
  • establishment of access rules for personal data processed in the personal data information system, as well as ensuring the registration and recording of all actions carried out with the personal data in the personal data information system; and
  • control over the measures taken to ensure personal data security and the security level of personal data information systems.

Detailed rules in respect of personal data security are set out in Russian Government Decision 1119 (November 1 2012) and Federal Service for Technical and Export Control Order 21 (February 18 2013).

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

No, there is no obligation to notify individuals (ie, personal data subjects) if their personal data is compromised.

Are data owners/processors required to notify the regulator in the event of a breach?

No, there is no obligation to notify Roskomnadzor (the regulator) in the event of a breach.