How to Protect Personal Data and Comply with the Federal Law No.152
In recent years, the problem of personal data protection has become extremely important. Millions of people around the world use social networks, media and e-commerce platforms, where they leave their personal information. Unfortunately, personal data leaks happen quite often: literally every month we read about user information leaking from a social network, online store or bank.
Businesses of all sizes should carefully arrange the protection of their clients' and employees' personal data in advance, because the risks are high. If personal data leaks, you face not only reputational damage but also huge fines. In this article, we discuss how to avoid these risks and how to organize the collection and storage of personal data in accordance with the law.
What is personal data under Federal Law No.152
The Law defines personal data as any information directly or indirectly related to an identified or identifiable individual. It is divided into three groups:
General: first name and surname, date of birth, education, passport details, etc.
Special: nationality, race, political and religious views, health conditions.
Biometric: height, weight, fingerprints, photos and videos.
Data becomes personal as soon as it makes it possible to identify an individual. For example, a name or nickname alone cannot be considered personal data. When two different people with the same name place an order on your website, you can only tell them apart by additional information, such as a phone number or date of birth.
Am I a personal data operator?
Organizations and individuals that collect, store or process personal data are personal data operators. How do you tell whether your company is an operator? Here are a few examples:
Your website allows users to register (even with minimal data such as "name + e-mail"): forums, social networks, blogs, classified-ad websites, etc.
Your website allows users to enter their personal data into forms, for example a "call me back" function, a quick-order option or a newsletter subscription.
Your company (legal entity or individual entrepreneur) regularly processes personal data of citizens. This applies to travel agencies, law firms, banks and other financial companies that work with individuals, as well as shops and beauty salons that issue personal club cards.
Your company uses a CRM.
Processing of personal data is any operation on a client's personal information: entering a visitor's name into a database, updating a client's phone number, etc. Anyone who performs such operations on the data is a processor.
How to collect personal data properly and not get fined
When collecting your visitors' personal data, remember to obtain their consent. This can be a document signed by the client in person, or a ticked checkbox "I agree to the processing of my personal data" on your website. You must inform users why you collect personal data and what you will do with it.
In addition, be careful about which data you collect: companies may only request the personal data that is necessary to sell a product or provide a service. For example, you do not need a customer's passport details to deliver a product from your online shop.
A data operator is also obliged:
to ensure data confidentiality
to answer all the customer's questions regarding his personal data
to delete personal data once the processing period has expired.
To minimize the risk of leaks, personal data should be deleted within 30 days after the customer has received the service. If you want to keep interacting with the client, for example to inform them about promotions, you can ask for permanent consent to process and store their personal data. Remember that if you provide services or sell goods to Russian citizens, your personal data database must be stored on a server located in Russia.
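The minimization rule (collect only what the purpose needs) and the 30-day retention rule above can be enforced in code. The following is an added Python example, not code from the original article; the per-purpose allow-lists, field names and record layout are assumptions made for illustration, and the 30-day deadline and the "permanent consent" exception come from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION_DAYS = 30  # deadline from the article: delete within 30 days of service delivery

# Hypothetical allow-lists: the fields each purpose actually requires.
# "delivery" deliberately excludes passport data, as in the article's example.
ALLOWED_FIELDS = {
    "delivery": {"name", "phone", "address"},
    "newsletter": {"name", "email"},
}

def minimize(form: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose needs; everything else is not stored."""
    allowed = ALLOWED_FIELDS[purpose]
    return {k: v for k, v in form.items() if k in allowed}

@dataclass
class PdRecord:
    record_id: str
    service_completed_at: Optional[date]  # None while the service is still being delivered
    permanent_consent: bool = False       # client agreed to ongoing processing (promotions etc.)

def is_due_for_deletion(rec: PdRecord, today: date) -> bool:
    """One-off records are due once RETENTION_DAYS have passed since service delivery."""
    if rec.permanent_consent or rec.service_completed_at is None:
        return False
    return today - rec.service_completed_at >= timedelta(days=RETENTION_DAYS)

def retention_sweep(records, today: date):
    """Split records into ids that must be deleted now and ids that may be kept."""
    to_delete = [r.record_id for r in records if is_due_for_deletion(r, today)]
    to_keep = [r.record_id for r in records if not is_due_for_deletion(r, today)]
    return to_delete, to_keep

# Constructed sample data for a sweep run on a fixed date
TODAY = date(2024, 3, 1)
SAMPLE_RECORDS = [
    PdRecord("order-1", date(2024, 1, 15)),                          # 46 days ago, one-off: delete
    PdRecord("order-2", date(2024, 2, 20)),                          # 10 days ago: keep for now
    PdRecord("order-3", date(2024, 1, 15), permanent_consent=True),  # ongoing consent: keep
    PdRecord("order-4", None),                                       # service in progress: keep
]

if __name__ == "__main__":
    print(minimize({"name": "A", "phone": "+7...", "passport": "..."}, "delivery"))
    print(retention_sweep(SAMPLE_RECORDS, TODAY))
```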