Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
Russia does not have a general personal data breach notification requirement. That said, there are some sectoral laws relating to infrastructure in the field of communications (such as communication networks and Russian data centers).
Personal Data Laws define security threats as a set of conditions that create a threat of unauthorized access (including accidental access) to personal data, which may result in the destruction, modification, blocking, copying, provision or dissemination of personal data, or in any other unlawful actions in relation to the personal data. Therefore, even when sectoral laws do not apply, employers should still include incident management procedures as part of the company’s overall data security. Employers can determine which security measures are appropriate based on security assessments.
HR Best Practices: While there is no general data breach notification requirement in Russia that applies to employee data, employers should still include incident management procedures as part of their overall employee data protection strategy. The procedures and tools used to secure data should be based on the company’s assessment of potential risks considering the employer’s personal data processing activities.