Changes in Personal Data Protection Rules Implemented by MCRIAP


The MCRIAP issued an order on February 28, 2023, introducing amendments to the rules governing the protection of personal data by owners, operators, and third parties.

Starting from July 1, 2024, a new provision requires notifying the authorized body within one working day of discovering a personal data security breach. The notification must include the contact information of the person responsible for organizing personal data processing (if applicable).

Additionally, the amendments include:

- Identification of business processes containing personal data;

- Segregation of personal data into public and restricted access categories;

- Specification of individuals collecting or processing personal data, or having access to it;

- Appointment of a person responsible for organizing personal data processing in cases where the owner or operator is a legal entity. The responsibilities of this person are outlined in Article 25, Paragraph 3 of the Law. This provision does not apply to data processing by courts.

- Establishment of procedures for accessing personal data;

- Approval of documents defining the operator's policy regarding data collection, processing, and protection;

- Provision of information, upon request by the authorized body, on methods and procedures used by the owner or operator to comply with legal requirements;

- Integration of the operator's IT systems involved in data collection and processing with the state service for controlling access to personal data when interacting with IT objects of state bodies or legal entities containing personal data, except in certain cases;

- Ensuring the security of personal data storage devices during data collection and processing in IT systems.

Furthermore, the order specifies that owners or operators handling restricted access personal data must notify the authorized body of any information security incidents related to unauthorized access to such data.

The order will come into effect on March 15, 2024.