Processing Personal Data in Russia: IT Technical Details
Do you know where your data go?
What is a server and database?
[Diagram labels: Company, Somewhere]
What is a “Russian” server and database?
[Diagram labels: Russia, Finland, IP Address 1, IP Address 2, Lab here]
Suggested Immediate Actions
• Identify the list of data that is used in your company and is (or can be) a subject of personal data processing, as related to recent legislation
• Analyze the existing IT landscape and infrastructure to locate processing sites outside Russia that might pose risks
• Based on the results of the analysis, develop a strategy and action plan, and define budgets for changes if needed
What is at risk?
• HR and Payroll data
• IT security data (Active Directory; access software; registration of employees)
• Accounting data
• Clients'/suppliers' agreements and contacts
• CRM data
• …
• Any business data is at risk
When analyzing IT infrastructure:
• Define where personal data is collected, processed and stored in your company, and who is responsible for that
• Identify how the flow of data is organized in your company; you might not even be aware of how it migrates; use DLP software for analysis
• Distinguish between internal IT server capacity and third-party server capacity: some part of your data can be hosted in third-party data centers
• Ensure that you understand how your backup and restore policy is organized and where the backups are stored
• Identify what software you use to collect, process and store personal data
What can you do next?
• Determine that some data in reality does not relate to personal data processing
• Delete personal data from the system
• Substitute the data with just IDs and process them separately, storing the data itself inside the Russian Federation
• Transfer the database without re-hosting the application
• Transfer the whole system
• Change the system
• Terminate the process
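An added sketch, not part of the original slides, of the "substitute the data with just IDs" option: personal fields stay in a mapping meant for the in-country database, and only an ID plus business fields is exported, with a check for personal values still sitting in free-text fields. The field names, the `IdentityVault` class and the sample rows are assumptions made for illustration.

```python
import secrets

# Assumed field names for this illustration; adapt to your own schema.
PERSONAL_FIELDS = ("full_name", "email", "passport_no")


class IdentityVault:
    """ID -> personal data mapping; this part stays in the in-country database."""

    def __init__(self):
        self._by_id = {}    # person_id -> personal fields
        self._by_key = {}   # personal fields -> person_id (stable ID per person)

    def pseudonymize(self, record):
        """Return a copy of record with personal fields replaced by an ID."""
        personal = {k: record[k] for k in PERSONAL_FIELDS if k in record}
        key = tuple(sorted(personal.items()))
        person_id = self._by_key.get(key)
        if person_id is None:
            # Random ID, not a hash of the data: hashes of low-entropy values
            # such as passport numbers can be reversed by enumeration.
            person_id = "p_" + secrets.token_hex(8)
            self._by_key[key] = person_id
            self._by_id[person_id] = personal
        export = {k: v for k, v in record.items() if k not in PERSONAL_FIELDS}
        export["person_id"] = person_id
        return export

    def reidentify(self, export):
        """Rejoin an exported record with its personal data (in-country only)."""
        rest = {k: v for k, v in export.items() if k != "person_id"}
        return {**self._by_id[export["person_id"]], **rest}

    def leaked_fields(self, export):
        """Names of exported fields whose text still contains a stored personal value."""
        values = [str(v).lower() for p in self._by_id.values() for v in p.values()]
        return [k for k, v in export.items()
                if any(val in str(v).lower() for val in values)]


# Constructed sample payroll rows (not real data).
ROWS = [
    {"full_name": "Ivan Petrov", "email": "i.petrov@example.com",
     "passport_no": "0000 000000", "salary": 90000, "note": "bonus approved"},
    {"full_name": "Ivan Petrov", "email": "i.petrov@example.com",
     "passport_no": "0000 000000", "salary": 95000,
     "note": "send slip to i.petrov@example.com"},
]
```

Running `leaked_fields` on every outbound record before it leaves the in-country system catches the common case where a comment or note field carries a name or e-mail address past the field-level substitution.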
Potential transfer to Russia:
• Authentication and authorization catalogues
• Catalogues synchronization systems
• Controlling systems of common access
• Portal solutions
• Mail systems
• Instant messaging
• Remote Desktops
• VPN channels
• Proxy Servers
• Mirror servers
• …
“Hacking” tools