The new initiatives were announced by the Deputy Head of Roskomnadzor Milos Wagner at a meeting of the Council's section on the development of the digital economy "Ensuring the technological sovereignty and information security of the Russian Federation" held on February 22 in the Federation Council.
Milos Wagner, Roskomnadzor:
– The proposed mechanism obliges the operator to have insurance or other financial mechanisms. It should be addressed to companies that process a significant amount of personal data: from 100 thousand or from 1 million records.
We are talking about a bill prepared in the Federation Council, which is intended to create a mechanism for covering risks due to leaks of personal information for companies and citizens.
He believes that it is necessary not only to impose requirements on PD operators, but also to provide for a special accreditation mechanism, and also to link it with the amount of possible punishment provided for by the draft law on personal data. According to the deputy head of the department,
State Duma deputy Anton Nemkin told RSpectr that the developers of the bill initially focused on a mechanism for compensating losses to people whose data was leaked.
Anton Nemkin, State Duma:
– Another question is whether companies will start to “buy off” affected clients with discount coupons, minimum payments, etc., in order to avoid punishment. That is why the introduction of such a mechanism requires careful consideration in order to take into account all the nuances and not make things worse.
According to him, the proposed mechanism obliges every major PD operator to have insurance in case of leakage, so that the guilty companies can at least pay fines – and they will soon increase many times over after the adoption of the bill on the introduction of turnover fines for data operators for leaks.
"This approach will not become an indulgence for companies - significant fines will still have to be paid. Rather, on the contrary, it will definitely not be possible to escape punishment thanks to this mechanism; they will have to answer for the negligence committed," the deputy believes.
TOWARDS A FAIR MODEL
A system of imputed insurance, if properly organized, can bring benefits to the market, including the development of a culture of working with data and, in general, increasing the maturity of approaches to protecting personal information, says Comply lawyer Elina Mukhanova.
Elina Mukhanova, Comply:
– However, the insurance initiative, together with the financial risks of business from personal data leaks, as well as the cost of enhanced data protection by business, will ultimately fall on the shoulders of consumers in the form of increased costs of data and other products and services.
Elina Mukhanova continues.
If accreditation involves some segregation or categorization of requirements in terms of working with data for companies of different sizes, industries and categories, then such an initiative can only be welcomed, Elina Mukhanova is sure. In this case, some standards should be developed jointly with the regulator and business associations, taking into account the scale and specifics of various companies.
In addition, accreditation should be based not only on the amount of processed PD, but also on other aspects of processing that affect the risks of subjects. For example, categories and sensitivity of data, the processing technologies used, the number of persons involved in processing.
"Can there be several records for one subject with the same operator, or 1 record = 1 subject of personal data? The lack of specifics can lead to either an excessive burden for the operator, or, conversely, insufficient protection of the subjects' personal data, which will ultimately have a negative impact on both operators and subjects of personal data," the lawyer believes.
In her opinion, it is not liability insurance that can and should protect businesses from bankruptcy, but a clear, fair and transparent model for applying fines. It should include the development and introduction into legislation of a list of mitigating circumstances for businesses when calculating fines for personal data leaks and/or a scoring model.