News: Business will pay for personal data of clients – Expert

Small and medium-sized businesses can pay dearly for the implementation of amendments to the law “On Personal Data”. While the State Duma is considering the relevant amendments to the legislation, the public organization Opora Rossii, which supports entrepreneurs, has already calculated that if the amendments are adopted, additional costs for SMEs will reach 32.8 billion rubles a year.

Another 1.7 trillion rubles may cost equipment for connection to the system for detecting, preventing and eliminating the consequences of computer attacks (GosSOPKA). As Kommersant writes, the organization presented these figures in a letter sent by the executive director of Opora Rossii Andrey Shubin to the head of the State Duma Committee on Information Policy Alexander Khinshtein, who, in fact, is one of the authors of the amendment of the law in this area.

It will not be possible to shift costs to counterparties

According to the proposed amendments, all organizations must notify Roskomnadzor of cross-border transfers of personal data to countries “providing adequate protection of the rights of data subjects.” At the same time, the regulator may prohibit the sending of data ex post facto within thirty days after the application is submitted.

The transfer of personal information to countries not included in the mentioned list, for example, to China, initially occurs only with permissions. The draft also obliges all personal data operators to be constantly connected to the GosSOPKA system. Now such a norm exists only for critical information infrastructure facilities (banks, telecom operators, and others).

At the same time, Opora Rossii is sure that the need to coordinate the transfer of data abroad “will complicate the conduct of foreign trade activities for small and medium-sized businesses, up to a complete stoppage of work due to administrative costs for preparing and sending such notifications.”

Small businesses usually do not have a separate HR department and cannot afford the cost of restructuring processes and interacting with Roskomnadzor. And in order to connect to GosSOPKA, structures that process personal data will have to purchase software certified by the FSTEC to create a secure communication channel.

Business representatives believe that the innovation will lead to a more than halving of import volumes, since the requirements of the bill actually make it impossible to quickly transfer personal data. At least, this is the opinion expressed by Ozon.

Roskomnadzor, however, said that “the personal data operator must notify once for each country, and not about each transaction,” and the time for consideration of such a notification will be reduced to ten business days. The Ministry of Digital Development announced that they are planning a series of meetings with businesses to discuss and clarify the provisions of the project.

Alexander Khinshtein himself admits that the committee received “a large number of requests from businesses, companies and banks”, and one can partially agree with them. “With a high degree of probability, we will correct the wording on continuous connection to the State SOPKA. We did not include in it the requirements for installing new equipment, we are talking about interacting with the system in a convenient way, ”he said.

Vasily Sosnovsky, a partner at the Genesis law firm, noted in an interview with an Expert correspondent that for businesses, these amendments are at least an obvious increase in transaction costs associated with the implementation of their activities. Financial resources will be required to connect to the State SOPKA, to work with this system, to minimize the risks of being held accountable for committed (including accidental) violations.

At the same time, in a highly competitive market, and even in the conditions of a contraction of the economy, it is unlikely that these costs will be completely transferred to counterparties, the lawyer believes. According to him, it is more likely that this will lead to a decrease in the net profit of the business and, accordingly, to a decrease in investment in its own development. Marketplaces even declare that they will lose a significant part of their revenue.

It turns out that the amendments, by analogy with GLONASS or with mandatory labeling of goods (including those areas where there is obviously no need for labeling, because the level of counterfeiting is zero or close to it due to the specifics of the market), are aimed at obtaining additional income from business and to strengthen state control over it. Vasily Sosnovsky is sure that this will not contribute to increasing competition and reducing the cost of production for consumers (which, in theory, should be strived for in order to increase the welfare of the country’s inhabitants).

Innovations are like a quasi-tax

At the moment, the adoption of this law runs counter to the strategy of openness to international cooperation, said Gadzhimurad Magomedrasulov, strategic consultant for small businesses, CEO of the consulting agency GM Consult.

In his opinion, the law will be repeatedly finalized if the state really cares about the opinion of SMEs, since 1 trillion in assistance to businesses is a lot of money. If we consider the option of adopting amendments, the expert says, then, of course, the level of business responsibility will increase. But small and medium-sized companies with foreign partners will suffer first of all.

“The trouble with our laws is that they are adopted by people who are far from business and according to the method: published-announced-modified-accepted-received criticism. I believe that monetary measures and the absence of inspections are not enough to support business measures. We need maximum flexibility and openness to international cooperation with countries that are not our open enemies,” Gadzhimurad Magomedrasulov told Expert. Ultimately, he is sure, the bottom line is that the bottom line is the economic benefit, despite all the anti-Russian rhetoric.

Alexander Akimov, executive director of the all-Russian intersectoral association of employers Association “Safety and Quality”, told Expert that GosSOPKA is a well-established system that will effectively deal with the problem of personal data security. A number of SMEs operating in healthcare, science, transport, communications, energy and others have already been connected to it in order to protect critical information infrastructure.

Among more than 400 thousand personal data operators registered with Roskomnadzor, only less than 3 thousand carry out cross-border transfer of personal data to unfriendly countries, the expert noted. The bill also provides for the obligation of the operator not to report each cross-border data transfer, but to notify the intention of this transfer indicating the country. It is worth considering the connectivity options that will suit each SME, including the self-employed.

When we talk about the costs of small and medium-sized businesses in the amount of 33 billion rubles a year, this figure seems quite pessimistic, Alexander Akimov admitted. At the same time, one should not forget about the role of the state, which can make the transition to new mandatory requirements smoother. For example, the executive director of the association of employers suggested compensating businesses for the costs of software or equipment certified by the FSTEC.

One way or another, but the introduced requirements reflect two trends at the same time. Global – to strengthen regulation and responsibility in the field of cybersecurity. And national – to deepen the degree of data localization and greater control over them, Alexander Panov, partner of BGP Litigation, shared with Expert.

At the same time, the mandatory requirements and the need to invest in infrastructure make innovations look like a quasi-tax, he believes. For SMEs, such a regime could be differentiated depending on the degree of risk of information systems and the type of business.

Reasonable, according to Alexander Panov, could be in the current conditions and a delay. If the requirements still need to be implemented right now, then the “cybersecurity as a service” approach suggests itself – cloud solutions validated by the FSTEC and the FSB, which SMEs could join without expensive customization. However, now there is no such service on the market, the expert stated.

Back to top button