For a retailer today, not having an online store is the exception rather than the rule. Over the past year, the Russian online trading market has grown by 500%! Naturally, a market of that scale could not escape the attention of state bodies: a few years ago a law on the protection of a client's personal data was passed, and this year many companies have had to report to Roskomnadzor on the reliability of their systems.
The law is not new, but it was quite logical for Roskomnadzor to give retailers some time to think it over, prepare a technical base and take measures to comply with it. Now, it seems, the time for total checks has come. Moreover, any complaint from a client can become grounds for a visit by lawyers to your company. Let's say you regularly inform a client about discounts, sales and new arrivals, flooding him with SMS and emails. It would seem that everything is legal: this citizen once ordered shoes from you in an online store and, of course, left all his contact information on the site. However, you do not have a "personal data processing agreement" completed and signed by the client. As a result, the citizen has the right to make you pay a fine for such a disdainful attitude to classified information such as his contact phone number and email address.
So what, according to the law, is a client's personal data (PD)? The precise definition is as follows: "any information (name, address, phone number, etc.) relating directly or indirectly to a specific or identifiable individual (the subject of personal data)." "Within the framework of this formulation, all retailers without exception have to live and work, whether we are talking about online or offline trade," comments Konstantin Korotnev, CISO of Eldorado.
Customer information can be sent to the retailer in several ways:
- through offline stores and loyalty programs;
- when delivering goods to the client's home address;
- with online purchases;
- through service centers and catering.
It's great if you have an offline store and your own loyalty programs: in that case you can always ask the client to fill out a questionnaire, that is, to confirm his consent to PD processing in writing. But when goods are ordered by phone or bought in an online store, the only thing you can count on is an electronic questionnaire. In this case it is impossible to establish whether the person entered the data himself or not. Moreover, the order is often placed in the interests of a third party, for whom a gift is being made using the Internet, and whose data are included in the order. You can order shoes or a handbag as a gift for your mother or girlfriend and arrange delivery to their home or workplace. In this regard the law clearly states: "The provision to the operator of the personal data of close relatives by an individual is possible only with the written consent of those persons or in cases established by federal law." So in essence the law restricts, if not outright prohibits, online commerce. Judge for yourself: according to FZ-152, the online store is a personal data operator, which means that, at the request of Roskomnadzor, it is obliged to provide evidence of the subject's consent to the processing of his personal data, and may process PD only subject to the subject's prior consent.
Such wording essentially imposes on you the obligation to sell goods only after the client has assured you in writing that he does not mind telling you his phone number and address.
Open the door!
How realistic is the chance of coming into Roskomnadzor's field of view? According to most market players, it is not great for mid-sized sellers. But respected lawyers have already officially announced plans to increase checks and initiate cases related to violations in the field of personal data. At the "Online Trading News" seminar held last summer, organized by the AFConference company, Konstantin Korotnev shared Eldorado's experience of passing such a check. The federal body requested from the company 118 (!) legal documents confirming the legality of all operations with personal data, and the entire verification process took 3 (!) calendar weeks. These numbers clearly demonstrate the severity of the procedure and the level of threat it poses to the normal functioning of your business.
Step one. Inventory and adjustment of IT systems
As a rule, standard IT solutions for online stores were developed without taking into account the requirements of Federal Law 152. Therefore, the store owner will have to examine the architecture of the site and the possibilities for modifying it. An analysis of the existing mechanisms and means of information protection should answer whether they hold FSTEC and FSB certificates for compliance with security requirements, or what the prospects for such certification are.
Step two. Drafting regulatory documents
Alas, it will not do without bureaucracy. It will be necessary to draw up a series of regulatory acts defining the persons responsible for organizing the processing of personal data, as well as defining the company's policy on personal data processing.
Step three. Consent form
At this stage it is necessary to draw up the public offer that the online store presents to its customers for the collection and processing of personal data.
Describe what data the user provides and for what purpose. Indicate the further route of the user's data: whether it will be transferred to third parties and affiliated companies. Briefly describe why and for how long you are going to store the data, as well as how the client may request its deletion.
It is important, together with lawyers, to work out a form of document confirming the provision of services (delivery of goods) and to develop a form of confirmation of consent to PD processing, which the buyer will sign, say, when receiving the goods from the courier. Of course, these are half measures. However, such steps are much better than completely ignoring the new trends at Roskomnadzor.
Step four. Identify all possible threats
It is necessary to identify in advance the possible threats to data security, both external and internal. Among them:
- emergency situations (fire, overheating, channel accidents, equipment failure);
- attacks on the web application (including guessing of client passwords);
- unauthorized access by contractors;
- unauthorized access by employees;
- interception of orders;
- fraud with prices, promo codes and bonuses;
- PD leaks;
- sanctions by regulators.
It is important to develop and formally record threat models for the personal data information systems, and then to design and build a reliable security subsystem for the personal data information system (ISPDn).
Step five. Notification of Roskomnadzor
PD processing begins from the moment the organization is created (that is, from registration with the Federal Tax Service), not from the moment the Notification is submitted to the RKN. Yet failure to notify about the fact of personal data processing is the violation most frequently detected by the territorial bodies of Roskomnadzor. In the Notification it is necessary to indicate all the physical addresses of the operator (if they belong to this legal entity) where PD is processed. If the information specified in the Notification changes, it must be communicated to the RKN within 10 working days (FZ-152, art. 22, clause 7).
By developing and introducing the necessary documents into the company's workflow and taking measures to ensure the security of clients' personal data, you demonstrate your company's desire to comply with the law. This will be noticed, and it will seriously simplify your life in the event of an inspection!