Personal data protection action plan
Apply for SearchInform DLP
The general view of the action plan for the protection of personal data is not regulated verbatim, but it is presented to the control authorities in a similar form:
Plan
measures to protect personal data
in ________________________________________
(enter the name of the legal entity)
| No. | Measures being taken | Term | Commissioner for control | Additional comments |
| 1. | Necessary legal basis for the processing of personal data | At the first stage of launching a personal data information system (PDIS) for permanent use | The head of the legal entity processing personal data writes the corresponding order | |
| 2. | Sending notification documents to Roskomnadzor regarding the processing of personal data using software | When needed | If the organization uses new electronic personal data systems or modifies existing | |
| 3. | Work schedule | When needed | Description of documents regarding processing by electronic means and data protection of persons involved | |
| 4. | Obtaining a written assurance from the persons involved in the data collection, if required by law | Permanently | Actually, all assurances of individuals that they are familiar with the collection of data and have no claims. Equally applies to automated systems and traditional (paper) methods of storing information | |
| 5. | Setting the timing for processing personal information and its disposal after all procedures | When needed | The organization - the operator of PDIS - is obliged to approve these terms in accordance with the regulations and practical need, in accordance with the specified forms | |
| 6. | Restricting access to confidential information | When needed (right at the time of creation) | When a new PDIS is created, or when the existing system is reorganized in accordance with the current legislation. Access for employees should be multi-level, in addition, an access matrix is designed, approved by the head of the organization. Based on the matrix, a hierarchy of tolerances is built, and compliance with it is the basic position of internal security | |
| 7. | Professional development of persons involved in the collection of personal data | Permanently | Authorized persons are trained at least once every two years | |
| 8. | Inventory of drives and all available sources of information, checking them for personal information | Every six calendar months | ||
| 9. | Development of PDIS classification | When needed | At the initial creation of PDIS, at each discovery of personal information, at reorganization of the system (software update, topology change, purchase of new equipment, etc.) | |
| 10. | Development of a list of potential threats to the electronic components of the system, countermeasures, a list of software and hardware required for this | When needed | During the initial creation of the PDIS protection system | |
| 11. | Obtaining a certificate, attestation of PDIS, declaration of conformity to safety requirements | When needed | Supervised by licensing authorities in the form of FSTEC | |
| 12. | Operation of PDIS and organization of the electronic security system | Permanently |
10.12.2020
