A Decree of the Russian Government revised the requirements for the protection of personal data contained in information systems (the “Decree”).

Organisations who process personal data are now required to have a security system in place for the protection of personal data during its processing and to prevent unauthorised access (including inadvertent access) that may lead to the manipulation of personal data (such as destruction, modification, blocking).

The main obligation to ensure that personal data is protected is placed on the operator (an authorised individual) who is in charge of processing the personal data. The operator monitors any potential threats to the security of personal data processed by the organisation and checks compliance with the established requirements at least once every three years. If these control functions performed by the operator are outsourced to a legal entity or a self-employed entrepreneur, the operator must verify whether they have a licence for the technical protection of confidential information.

According to the Decree, the operators are required to select the appropriate information security tools in order to ensure that personal data is protected in compliance with the regulations of the Federal Service for Technical and Export Control and the Federal Security Service. However, these regulations have not been adopted yet. Therefore, to implement certain provisions of the Decree, the relevant regulations and additional clarifications of the state authorities are required.

[Decree No. 1119 of the Government of the Russian Federation “On Approving the Requirements to the Protection of Personal Data when Processing Personal Data in Information Systems”, dated 1 November 2012]