Russia’s new data breach notification duty in force from 1 September

Russia has amended its data protection law.

The new Federal Law No. 266, signed by Russia’s president on 14 July 2022, substantially amends some of the legislative acts governing personal data processing in Russia, Victor Naumov, Managing Partner of Dentons’ St Petersburg office, told PL&B.

One of the new legal obligations is the requirement to notify data breaches. The obligation involves giving Roskomnadzor, the regulator of personal data in Russia, two notifications of an incident. The initial notification, with information about the security incident, must be made within 24 hours, and a subsequent notification, with the results of the internal investigation of the incident, within 72 hours, Dentons reports.

Russia’s data protection law currently has no special administrative liability for security incidents, but the possibility of introducing fines, both for the incidents themselves and for failing to report them, is being discussed.

See Dentons - Key changes to personal data laws in the first half of 2022