What security obligations are imposed on data controllers and data processors?
Security requirements may not always be included in the data protection law, but are key to guaranteeing lawful processing of personal data. The entity processing the data must take all useful precautions with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and prevent alteration, corruption or access by unauthorized third parties. Appropriate technical and organizational measures should be implemented to ensure a level of security appropriate to the risk.
Russia’s Labour Code includes the requirement that employers must guarantee, at their own expense, the protection of an employee’s personal information from improper usage, damage or loss (Art. 86-7). The Personal Data Law (Art. 18) requires that employers (and other data controllers) take necessary legal, organizational and technical measures to protect personal data from unlawful/accidental access, destruction, modification, blocking, distribution and other illegal acts. Russian law includes a broad list of security measures which might be applied by the data controller (such as the appointment of a data protection officer, data recovery and implementing internal policies).
HR Best Practices: Security assessments should be performed to implement an effective and legally compliant security system. The results of the assessment should be used as the basis to implement measures necessary to neutralize any threat that has been identified. There are a number of different security measures which can be taken, for example, restricting access to only those on a need-to-know basis, implementing hardware and software data security tools, and appointing an officer to be responsible for securing personal data processed by the company, etc.