From scratch: how we brought the company into compliance with the personal data law
Nikita Eremenko shares her professional experience and explains how to bring a company’s collection of personal data on the Internet into compliance with the law.
2017 gave a headache to everyone who works with personal data. The changes affected us too, a small St. Petersburg company that delivers ready-made dinners. I’ll tell you how, in two weeks, we insured ourselves against state penalties. The article is useful for those who are starting a business or have not looked into the topic before.
Getting to grips with the sudden Russian legislation
Law No. 152-FZ “On Personal Data” was adopted in 2006. But its enforcement only got serious attention eleven years later, in July 2017, when amendments to the Code of Administrative Offenses concerning personal data came into force.
At first, entrepreneurs brushed it off: add a few checkboxes to the site, draw up some policy, nothing urgent. Then they learned about the real fines and started scratching their heads.
I read 152-FZ and the lawyers’ commentary, put two and two together, and realized this: if you have a website with so much as a registration form bolted on, with a login and an email address, you are already a personal data operator. The state considers that even a guest book on “Narod.ru” should comply with the requirements of the law, not to mention a delivery service that takes orders online.
The penalties for violations are such that it’s cheaper to put things in order. If Roskomnadzor gets hold of your legal entity, the fine is 75 thousand rubles. To reach compliance with the law, it is enough to add one extra page to the site and a couple of checkboxes. The cost is a few thousand rubles.
In our company, the fundamental decision was made as follows:
– Gleb Alexandrych, we need to write a data policy and finish off the site.
– Friends, it won’t run away. Let’s put it off for a while; we’ll get to it later, once we’re all up to speed.
– Gleb Alexandrych, well, do you want a hundred-thousand fine for the company?
Of course he doesn’t. Approval received, and the honorable duty of completing the project was entrusted to me, the company’s chief marketer. Who else, of course.
A company that collects personal data must pack this information into a special document, the “Personal Data Processing Policy”. The assumption is that before entering any data, a person reads the policy and explicitly records their agreement with it.
So the first step is to write a competent policy. Roskomnadzor has even published official recommendations, but without a black belt in officialese they are hard to make sense of. So I did not write anything from scratch and decided to go another way.
I dug into other people’s work and looked at how direct competitors and large electronics retailers had done it. The logic is simple: whatever the site is selling, the mechanics are about the same. Someone else’s policy can be taken as a template if you collect similar types of data: name, phone number, place of residence and so on.
I decided that when it comes to drafting a policy, big business deserves trust. It usually has money, and suing it is profitable, even on a trivial pretext. So large companies set the bar such that there is nothing to pick at.
After several hours of searching I realized that, in fact, all policies are the same. To get a good and understandable result, you just need to weed out the most monstrous examples with dozens of clauses and sub-clauses. In the end, we crossed the policies of an electronics store and a flower delivery service and rewrote the result in human language, without bureaucratese.
Our version may seem scanty, but it has everything you need. We worked with this policy for two years without problems or comments from Roskomnadzor.
The minimum required to comply with the law is to write down exactly what data you collect and how you use it, so that the user understands that you will not call and breathe into the phone after registration. Or that you will, if that is part of the plan.
The text must also state how to request deletion of data (in our case, by writing to a dedicated email address).
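The “page plus a couple of checkboxes” approach only holds up if the site can later show who agreed to which text and when, and can honor a deletion request without losing that trail. The following is an added example, not code from the company’s site: a plain Python handler for a sign-up form that rejects a submission unless the consent box was ticked, ties the consent to a hash of the policy text the customer actually saw, and erases personal fields on request while keeping the consent record. The form field names, the `"on"` checkbox value, the `privacy@example.com` address and the policy text are all assumptions made for the example.

```python
"""Consent capture and deletion handling for a sign-up form (illustrative).

Field names, the checkbox value and the policy text are assumptions for this
example; adapt them to the real form.
"""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the real policy page.
POLICY_TEXT = (
    "We collect your name, phone and address to deliver orders and to "
    "send notices about promotions. To delete your data, write to "
    "privacy@example.com."
)

# Version the policy by content hash: each consent record then names exactly
# the text the customer saw, and any rewording produces a new version.
POLICY_VERSION = hashlib.sha256(POLICY_TEXT.encode("utf-8")).hexdigest()[:16]

REQUIRED_FIELDS = ("name", "phone", "address")


class ConsentError(ValueError):
    """Raised when a submission cannot be accepted as consented."""


def _stamp(now=None):
    return (now or datetime.now(timezone.utc)).isoformat()


def register(form, policy_version=POLICY_VERSION, now=None):
    """Validate a parsed sign-up POST body and return the record to store.

    Browsers send "on" for a ticked checkbox without a value attribute and
    send nothing at all for an unticked one, so only the literal "on" counts.
    The server cannot tell a pre-ticked box from one the user ticked, so the
    HTML must render it unchecked; this check only proves the value arrived.
    A hidden policy_version field ties the consent to the served text; a
    stale version means the customer agreed to different wording.
    """
    if form.get("consent") != "on":
        raise ConsentError("consent checkbox not ticked")
    if form.get("policy_version") != policy_version:
        raise ConsentError("consent given to a different policy version")
    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        raise ConsentError("missing fields: %s" % ", ".join(missing))
    return {
        "name": form["name"].strip(),
        "phone": form["phone"].strip(),
        "address": form["address"].strip(),
        "consent": {"policy_version": policy_version, "given_at": _stamp(now)},
    }


def erase(record, now=None):
    """Fulfil a deletion request.

    Personal fields are dropped; the consent record and the erasure time are
    kept so the company can still show that consent existed and was withdrawn.
    """
    return {"consent": record["consent"], "erased_at": _stamp(now)}


if __name__ == "__main__":
    submission = {
        "name": "Anna", "phone": "+7 921 000-00-00", "address": "St. Petersburg",
        "consent": "on", "policy_version": POLICY_VERSION,
    }
    stored = register(submission)
    print(stored)
    print(erase(stored))
```

In practice `register` sits behind the form handler and `erase` behind whoever reads the deletion mailbox; the point is that both leave a record with a policy version and a timestamp, which is what an inspector asks for.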
When the policy was being approved inside the company, a lot of debate went into data transfer. We send customers emails and SMS, and we use dedicated services for this. dadata.ru also cleans customers’ names of typos and determines their gender. Colleagues believed all of this should be mentioned. I spent some time gathering arguments against bloating the policy.
Firstly, we already state that we will use the data to notify customers about promotions and contests. The client sees this, so all is in order. Secondly, you need to distinguish the controller from the data processors:
The controller collects and stores the user’s personal data; it holds all of the information.
Processors do only secondary processing, receiving from the controller some email addresses and some names in isolation. By our reasoning, that is not even personal data.
As the controller, it is enough for us to warn that we will use customer data for notifications. In all, I put the policy together in about four hours: a couple of hours searching and compiling the rules, another hour rewriting.