At the end of 2021, the Russian Data Protection Authority (DPA) will publish its 2022 plans for regular inspections to investigate companies' compliance with data protection laws. As 2022 inspections will be subject to the new rules, it is time for companies to start preparing and to monitor the regular inspection schedule.
Scope of inspections
On 29 June 2021, the government adopted Decree No. 1046, which approved new rules of inspections for companies processing personal data. The new rules came into force on 1 July 2021 and introduce a risk-based approach and new supervisory measures for DPA inspections.
Under the new regulations, the DPA must inspect entire data processing operations and the compliance procedures performed by data operators and their processors. The concept of a "data operator" in Russia is similar to the concept of a "data controller" under the EU General Data Protection Regulation. The DPA may check national companies and local offices of international companies as well.
What is a risk-based approach?
Taking a "risk-based approach" means that the DPA will classify inspectees in one of five risk groups. Such groups determine the frequency and type of the scheduled supervisory measures carried out as part of the inspections. For instance:
International companies should take into account that the following actions may lead to classification in a high-risk or substantial-risk group:
Some of the DPA's regional offices have started publishing lists of companies classified in certain risk groups. For instance, the central DPA division has published a list of companies categorised in the substantial-risk and average-risk groups. It is expected that companies mentioned on these lists will be subject to regular inspection schedules in 2022.
The application of a risk-based approach will make the DPA's inspections more targeted, taking into account the actual activities of data operators. International companies operating in Russia should monitor the lists of companies categorised in certain risk groups on the websites of the DPA's regional offices and analyse the criteria mentioned above to assess their risks of being subject to the DPA's inspections.
How will the DPA carry out inspections?
Under the new rules, the DPA will conduct scheduled and unscheduled inspections and supervise compliance by monitoring companies on the Internet and analysing any available information about their processing activities.
Supervisory activities include documentary and on-site inspections, which should not exceed 10 business days. In addition, there is the possibility of an inspector's visit. Inspectors may conduct short-term (one-day) on-site inspections, and inspectees must provide free access to offices and respond to all of the inspector's inquiries. This type of supervisory activity is conducted without prior notice. Thus, the only way to be ready for such unscheduled visits is to establish routine compliance management procedures and always be prepared to demonstrate compliance with data protection laws.
Since the pattern of supervisory activities has changed, there is as yet no established practice on how these activities will be carried out.
What should companies do?
In light of this development, companies should:
For further information on this topic please contact Nikita Maltsev at Gorodissky & Partners by telephone (+7 495 937 6116) or email ([email protected]). The Gorodissky & Partners website can be accessed at www.gorodissky.com.
© Copyright 2006 – 2022 Law Business Research