April 20, 2025

39% of Russian companies manually delete personal data


Almost 40% of operations to destroy personal data are performed manually, and in 12% of cases they are not performed at all, according to calculations by the information security company Garda. This is due to the lack of process automation tools and to database fragmentation. At the same time, data that is not destroyed on time can lead not only to fines from Roskomnadzor but also to the risk of sensitive information leaks.

Kommersant has reviewed a study by Garda Group of Companies on how Russian companies handle personal data (PD). According to Garda's specialists, 39% of companies search for such data manually and delete it from databases, file storage and individual workstations; 25% use shredders and burning together with specialized software; 10% use only mechanical destruction; 10% use other methods; and only 3% have certified software for removing PD. At the same time, 12% of companies do not delete data at all.

Personal data operators are required to remove information at the request of the subject or after its storage period expires. Roskomnadzor's press service explained to Kommersant that failing to destroy personal data records is unlawful and that the person carrying out such activity may be held administratively liable.

Failure to destroy personal data within the time limits established by law entails liability under Part 1 of Art. 13.11 of the Administrative Code of the Russian Federation (violation of the legislation of the Russian Federation in the field of personal data). An individual charged under this article faces a fine of 2 thousand to 6 thousand rubles, an official from 10 thousand to 20 thousand rubles, and a legal entity from 60 thousand to 100 thousand rubles. The legislation allows 30 days to destroy personal data once the purpose of its collection, storage and use has been achieved (seven days if a statement from the personal data subject has been received). If the operator cannot perform the removal for technical reasons, it has an additional six months, provided that within 30 days the personal data is blocked and made inaccessible for processing.

These figures for undestroyed personal data are explained by the fact that companies lack automation tools, says Dmitry Larin, head of the data protection product line at Garda Group of Companies. Another obstacle is that the information is stored in different databases, explains Maxim Alexandrov, an expert at Security Code. “Information about employees collected when they are hired is held in the registration form on the website, in the HR department, in the HR department's mail, in databases for managers and in other systems that have backups,” he says. “These reasons emphasize the need to standardize and implement effective solutions for working with personal data,” adds Mr. Larin.

In addition, data inventory has not been established everywhere, which means the operator may not know exactly what needs to be deleted and from where, notes Sergei Polunin, head of the IT infrastructure group at Gazinformservice. There are also problems with data life cycle policy, without which it is difficult to decide who should delete what, and at what point. “Finally, a significant factor is a lack of motivation. All work with data is perceived by the operator as a cost that does not bring any profit. Therefore, they are reluctant to spend resources on it,” adds Mr. Polunin.

It makes no difference to the regulator exactly how personal data is deleted, whether by hand or with an IT solution. However, according to Garda Group of Companies, because of the tight deadlines for destruction, companies either do not do it or do it carelessly. Mr. Alexandrov adds that the lack of automation creates a risk of leaks due to the human factor. “When we read the news that yet another database has leaked, the company will write in response that the data has long been out of date,” Mr. Polunin explains.

Philip Krupanin


