Who Is in Charge of Compliance With Personal Data and Anti-Insider Legislation?
Head of Employment and Migration Law Practice
The Russian Labor Code prescribes that employers with more than 50 employees should have a labor safety specialist position or a labor safety department in their staff schedule; government regulations require that a designated person be responsible for maintaining labor books, and so on. Recently the list of accountable persons has been significantly extended. The new version of the law on personal data requires the appointment of a person or entity responsible for arranging personal data processing. The anti-insider law requires a company to have an employee or department responsible for supervising compliance with the requirements of this law. The list could be continued. While the law on personal data allows the accountable role to be filled either by an existing or new employee under an employment contract or by an individual or legal entity under a civil law contract, the law on insider information requires that the controlling function be exclusively internal (which is apparently dictated by the nature of the relations regulated by this law) and be performed by a single employee or a whole department. Thus, the law dictates which functions should exist in each company processing personal data (i.e. almost all companies), in companies that are issuers of securities traded on the Russian stock market, and in companies that belong to other categories of insiders.
Head of Data Protection Group
The purpose of appointing accountable persons is to create the conditions for achieving the goals of the relevant laws and to establish a controlling mechanism, as the explanatory notes attached to the relevant draft laws say or imply. In other words, the relevant organizations should have someone who is responsible for ensuring compliance with the relevant legal requirements; in this way the government shifts some share of its controlling duties onto the companies themselves. Time will tell whether this self-control proves to be effective. However, there are already some doubts in this respect.
First of all, appointing an accountable person, department or entity means additional expenses for business. A company must either introduce a new function into its staff schedule or hire a services provider, or add new obligations to the duties of an existing employee. In the former case, introducing a new position or hiring a services provider significantly increases the company's expenses (including payroll, taxation, etc.), while in the latter case, where new duties are added, extra payment to the employee is due. Novelties that require financial investment and imply no return are usually not welcomed by business.
Secondly, a person or group of persons engaged for a position that requires special qualifications and skills should be trained accordingly. Obviously, there are very few experienced specialists in the outlined field on the labor market. Who will pay for training? Obviously, employers. It is possible for an employee to reimburse the funds invested in such education if the employee leaves the company early without justifiable reasons and the employment contract provides for this, but the lack of "ready-for-use" specialists further complicates the whole matter.
As a matter of practice, almost no special vacancies are currently opened for the relevant positions. However, many vacancies published on the Internet (including those for compliance control officers, economic security officers, etc.) are supplemented with new functions, including control over compliance with the personal data and anti-insider laws.
Thirdly, a person responsible for arranging personal data processing must be employed or engaged irrespective of the number of employees in the company (as opposed to the hiring of labor safety specialists). Taking into account that, as a matter of law, the general director cannot exercise this function, each company from now on should either have at least two employees or enter into an agreement with a third-party services provider. This looks like a disproportionate requirement.
The anti-insider law provides that the employee or department responsible for control over compliance shall report directly to the board of directors or, if there is no board, to the general director of the company that is an issuer or otherwise falls into the category of insiders. Taking into account that the members of the board and the general director of the insider-issuer are themselves insiders, it looks strange that a controller of insiders' behavior will report to these very insiders.
The above list of questionable provisions is not exhaustive. Each company should decide whether to comply with the relevant legal requirements. However, it is notable that failure to appoint a person or entity responsible for compliance with the data protection legislation does not entail any express sanctions for a company, whereas failure to appoint an employee or department responsible for compliance with the anti-insider law entails fines of up to 700,000 rubles for companies.