Large turnover fines for personal data leaks come into force on May 30. Ahead of that date, businesses have stepped up audits of their information security systems. Personal data operators hope that such audits, together with compliance with regulatory requirements, will let them avoid large fines in the event of a leak. Cybersecurity experts, however, see a risk here: companies may try to shift responsibility for data security onto auditors or information security specialists, with undesirable consequences.
Organizations that work with personal data are increasingly checking their information storage and protection systems. This was reported by experts in the field of cybersecurity and legal professionals.
Companies are investing in security audits both to avoid fines from regulators and to reduce the size of a potential fine if a leak does occur.
For example, according to the EBR law firm, the demand for audits of data storage and protection systems has more than doubled compared to the spring of last year.
Artyom Evseev, an advisor in the firm's intellectual property practice, notes that audits used to be carried out formally, "for show", but the stakes are now too high for such an approach.
"It needs to be conducted in order to identify risks in advance and minimize them before liability arises. This is all the more relevant now that the moratorium on unscheduled inspections by Roskomnadzor has been lifted."
Since the end of 2023, companies have faced fines of up to 700 thousand rubles for each improperly executed consent to the processing of an employee's personal data. In December 2024, a separate article was added to the Criminal Code of the Russian Federation establishing liability for violations of Federal Law No. 152-FZ "On Personal Data".
From May 2025, turnover fines are introduced for personal data leaks. Where the maximum fine was previously 18 million rubles, companies may now face sanctions of up to 500 million rubles, roughly a 27-fold increase in the maximum.
Growing Needs
Alongside the broader growth in demand for information security products and services, demand for audits of personal data processing and storage systems is growing as well.
As Mikhail Dobrovolsky, Deputy General Director of SKB Kontur, emphasized, such requests were received before the changes in legislation, but in recent months their number has increased significantly. Large holdings and groups of companies are particularly interested in this service, as they seek to minimize risks and comply with regulatory requirements.
Interest in audits is also driven by the prospect of a reduced turnover fine if the organization can prove that all legislative requirements were met, including regular audits of personal data processing, notes Artyom Evseev.
Such an audit covers an analysis of the organization's information processes, preparation of a complete set of internal documents, and implementation of effective confidentiality protection measures.
Representatives of regulatory authorities have repeatedly pointed out that the tougher liability for leaks is a response to the growing number of such incidents.
According to Roskomnadzor, 140 data leaks were detected in 2022. The figure rose to 168 in 2023 and fell to 135 in 2024. In the first months of 2023, the agency had already recorded 19 leaks.
In total, since 2021, more than 1.6 billion records about Russian citizens have become publicly available.
Check and Protect
To conduct an audit, companies usually engage specialists in personal data protection as well as cybersecurity experts holding certificates from the FSTEC and the FSB of Russia.
Projects for organizing work with personal data include several stages, as noted by Alexander Baryshnikov, Head of Consulting and Audit Department of Informzashita.
At the first stage, the current data processing procedures, information systems, IT infrastructure and data protection measures are analyzed.
Next, specialists identify potential threats to data security and classify the systems by protection level in accordance with the regulators' requirements.
After that, a package of the necessary regulatory and organizational documents governing the processing of personal data is prepared for the audit customer. Lawyers may also check, as part of the audit, whether the data was obtained lawfully.
Irina Yakunina, Head of Consulting and Audit of Information Protection at Bastion, believes that the most important aspect of preparing for an audit is compliance with the requirements of the regulatory legal acts of the Russian Federation.
Legislation governs personal data at every stage, from the start of processing to complete destruction, and at each of these stages the customer's systems must be brought into compliance with the law.
Roskomnadzor emphasized that it supports companies' efforts to protect data.
"We believe it is advisable to audit the processes of data collection and use in order to ensure compliance with the principles of working with data: to analyze the legality of data sources and the legal grounds for their collection, to monitor compliance with the principle of minimizing the amount of data collected, and to verify that the data corresponds to the purpose of collection and is disposed of once that purpose has been achieved."
Roskomnadzor advises domestic organizations to use the services of Russian hosting providers.
The price of such an audit can range from several hundred thousand rubles to tens of millions. It depends on a number of factors: the size of the company, the volume and type of data processed, whether biometric or health data is involved, the complexity of the IT infrastructure, and others, notes Anton Isupov, Head of Audit, Consulting and Compliance Assessment at Kross Technologies JSC.
Organizations that work with personal data report that they are tightening control over its storage and protection. In particular, the Big Data Association, which brings together companies such as Yandex, VK, Rostelecom, MegaFon and others, recalls that its specialists have developed an "Industry Standard for Data Protection", comparable to the international ISO/IEC 27000 series of standards.
Although the number of data leaks worldwide is declining overall, their frequency remains a cause for concern. At the end of 2024, Russia ranked second among the countries analyzed by number of leaks: Russian companies accounted for 8.5% of all recorded data compromises in the world. At the same time, the country moved from seventh to fifth place in the ranking of personal data leaks.