Misconception #1. Protection Of Personal Data Is The Concern Of The System Administrator
Complying with the requirements of 152-FZ means taking a whole range of measures. An IT specialist can take care of the functioning of the IT infrastructure, but he does not necessarily understand legal issues and cyber security. Those require other knowledge and experience.
If your employees (not just the system administrator) do not have the proper competencies to protect personal data, this can become a problem during verification. For inspection bodies, the lack of adequate knowledge and skills of employees is not an excuse and does not protect against fines and other measures.
Misconception #2. No Need To Complicate It; We Hired A Third-Party Specialist, And He Will Take Care Of It
As mentioned above, one person is unlikely to be competent on all fronts: IT, information security, and the legislative framework. A mistake in any one of these areas can cost a company dearly: money, reputation, and even the entire business.
If you want to protect yourself, it is better to turn to professionals. Serious companies with a team of specialists are well versed in all matters of working with personal data and have a great deal of practice. And it’s much safer than hiring an outsider.
Misconception #3. The PD Protection System Is A Variety Of Technical Means That You Need To Select, Install And Configure Independently
It’s possible to do everything independently, but if you don’t fully understand the issue, you can mistakenly purchase the wrong software or spend much more than you need.
For this reason, begin by conducting an audit and use it as the basis for a project for the future protection system. Alternatively, turn to specialists who will help with technical equipment, cybersecurity, and legal issues.
Misconception #4. We’ve Already Done Everything
You have approached the issue seriously and responsibly. The main thing to remember is that a one-time implementation of all the necessary activities is not enough. New laws and amendments are issued every year, and if they are not taken into account, you can run into fines. The relevance of regulatory legal acts can be checked here.
Sometimes it may not be evident that you are working with PD at all. For example, you may hold photos and contacts of employees used on the corporate portal or when applying for VHI, information about job applicants, and customer data. If you do not take this into account, you may encounter problems with Roskomnadzor.
Misconception #5. We Only Store Information About Employees
As the previous paragraph already noted, this is a misconception. At a minimum, most companies’ databases contain information about job applicants, relatives of employees, customers, and business partners. It is also worth bearing in mind that when collecting personal data from an individual, it is essential to obtain written consent.
It is equally essential to indicate the presence of this information in the list of processed data and in the notification to Roskomnadzor.