Personal data protection action plan


The overall layout of a personal data protection action plan is not prescribed verbatim by regulation, but the plan is submitted to the supervisory authorities in roughly the following form:

Action plan for the protection of personal data
at ________________________________________
(enter the name of the legal entity)

| No. | Measure being taken | Term | Person responsible for control | Additional comments |
|-----|---------------------|------|--------------------------------|---------------------|
| 1. | Establishing the necessary legal basis for the processing of personal data | At the first stage of putting a personal data information system (PDIS) into permanent use | | The head of the legal entity processing personal data issues the corresponding order |
| 2. | Sending notification documents to Roskomnadzor regarding the processing of personal data by software means | When needed | | When the organization introduces new electronic personal data systems or modifies existing ones |
| 3. | Work schedule | When needed | | Description of the documents governing processing by electronic means and the protection of the data of the persons involved |
| 4. | Obtaining written consent from the persons whose data is collected, where required by law | Permanently | | In practice, all confirmations by individuals that they are aware of the data collection and have no objections. Applies equally to automated systems and to traditional (paper) methods of storing information |
| 5. | Setting the retention period for personal information and its disposal once all procedures are complete | When needed | | The organization operating the PDIS is obliged to approve these periods in accordance with the regulations and practical need, using the prescribed forms |
| 6. | Restricting access to confidential information | When needed (at the time of creation) | | When a new PDIS is created, or when the existing system is reorganized in accordance with current legislation. Employee access should be multi-level; in addition, an access matrix is designed and approved by the head of the organization. A hierarchy of access permissions is built from the matrix, and compliance with it is the basic principle of internal security |
| 7. | Professional development of persons involved in the collection of personal data | Permanently | | Authorized persons are trained at least once every two years |
| 8. | Inventory of drives and all available sources of information, checking them for personal information | Every six calendar months | | |
| 9. | Development of a PDIS classification | When needed | | At the initial creation of the PDIS, at each discovery of personal information, and at each reorganization of the system (software update, topology change, purchase of new equipment, etc.) |
| 10. | Development of a list of potential threats to the electronic components of the system, the countermeasures, and the software and hardware required for them | When needed | | During the initial creation of the PDIS protection system |
| 11. | Obtaining a certificate, attestation of the PDIS, or declaration of conformity to security requirements | When needed | | Supervised by the licensing authority (FSTEC) |
| 12. | Operation of the PDIS and organization of the electronic security system | Permanently | | |