Безопасность информационных технологий (Nov 2022)
Analysis of changes in personal data legislation since September 1, 2022
Abstract
The paper analyzes regulatory and legal changes in the requirements for the organization of personal data by operators of personal data protection processes, which came into force on September 1, 2022. It is noted that a number of additional regulations are also going to come into force on March 1, 2023, although they are not considered in the paper. The new requirements contain a number of restrictions and tightening of existing protecting personal data processes, as well as a number of active innovations requiring the introduction of new processes aimed at improving the security of personal data and promptly identifying and investigating incidents. Each change and innovation are analyzed by a set of features, including the identification of the law rules, the study of new requirements and the formation of a conclusion about the essence of changes and the necessary set of actions aimed at ensuring the fulfillment of requirements. In total 14 fundamental and significant changes and additions to the requirements for the protection of personal data have been identified. The most time-consuming and costly for small businesses is the link to the state system for detecting, preventing and eliminating the consequences of computer attacks, which requires attracting additional funds and employees. Priority tasks to be solved by the personal data operators in order to ensure compliance with the new standards have been formulated. Those are the building up a team to investigate information security incidents, as well as creation of a system for managing information security incidents and the introduction of software products for solving this problem. Another important task is to train the specialists with the knowledge and competencies necessary to solve new problems and to develop the programs for the personal data management culture formation aimed at the general public.
Keywords