Publications
Associate of Corporate practice Vadim Kovalev speaks for SecureNews on amendments to the Personal Data Law and consequences for small and medium businesses
- Services: Protection of information and trade secrets, Corporate Law / Mergers and Acquisitions
- Date: 19.05.2017
THE LAW COULD BECOME A BURDEN FOR SMALL AND MEDIUM BUSINESSES
The proposed amendments are consistent with the general trends in the development of foreign legislation in this area. In particular, in the European Union, communication services providers are required to notify clients and authorized bodies of security violations which adversely affect the personal data of such users. In addition, in autumn 2018, the General Data Protection Regulation takes effect in the EU, which not only directly obliges companies to notify authorities and users of leaks, but also provides for strict punishment of companies that conceal a data disclosure. Almost all US states provide for an obligation to notify of personal data leaks.
The Russian draft law also obliges the operator to notify the Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) when user personal data is leaked to the public. At the same time, the current draft law does not oblige operators to notify users directly of leaks, which is undoubtedly a substantial omission, as the user has no opportunity to take appropriate measures to minimize the consequences of the personal data disclosure. Another weakness of the draft law is the absence of a procedure and specific timeframes for notifying Roskomnadzor of leaks. Nevertheless, it has been reported that the authors intend to make the respective amendments to the draft law by the second reading.
In general, the idea of the draft law can be assessed as a positive one, and its finalization and course of examination at the State Duma can be monitored in the future.
This draft law, if adopted, should not substantially influence the Russian information security market. Major and technologically advanced companies spend substantial money on ensuring data security, including the personal data of their clients, employees and users. Furthermore, many companies understand the value of data protection, as a data leak or unauthorized access to data carries high reputational risks.
For small and medium businesses, this draft law can be more burdensome; however, because they process a small volume of personal data, that data is unlikely to be valuable to criminals, and compared with large organizations they are less exposed to leak risks.
In general, the consequences of adopting the draft law can be discussed in substance after the amendments and additions are made and the procedure and timeframes for notifying of personal data leaks are specified.
For more details see the article at https://securenews.ru/personal_data_operators/