# NCS: Lab 1 - Security Compliance ## Student names: * Daniyar Cherekbashev * Ali Mansour * Gleb Statkevich ## Assignment ### 1. GDPR - [ ] **Main purpose of a document** GDPR is a regulation introduced by the European Union to protect the fundamental rights and privacy of individuals in regards to the processing of their personal data. Its main purpose is to give individuals greater control over their personal data and to "harmonise" data protection laws across all of its members countries. Even if a company is based outside the EU, if it processes the personal data of EU residents, it must comply with the GDPR. - [ ] **When it is mandatory to follow this regulation** GDPR is mandatory and applies to any organization or individual that processes the personal data of EU residents, regardless of their location. This means that even if a company is based outside the EU, if it processes the personal data of EU residents, it must comply with the GDPR. Also, this regulation applies to all types of organizations, including businesses, non-profit organizations, government entities, and other entities involved in data processing. Those organizations are required to notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms. - [ ] **Type of information this document is intended to (classification if applicable)** The provided document primarily offers a concise overview of the General Data Protection Regulation (GDPR), specifically detailing its purpose, scope, and applicability. ***Classification: Informative / Overview*** **Intended Purpose**: * **Purpose Explanation**: The document first aims to clarify the primary reason behind the introduction of the GDPR, emphasizing the protection of individual rights and privacy concerning their personal data. Scope and Applicability: The document elaborates on which entities the GDPR applies to, explaining its reach beyond the EU to any organization processing the personal data of EU residents. * **Regulatory Compliance**: The text underscores the mandatory nature of GDPR compliance, emphasizing the consequences for breaches, including the necessity of notifying affected individuals. This document seems tailored to provide a brief understanding or introduction to GDPR, especially for entities or individuals unsure of their obligations under the regulation. It may serve as an initial guide or reference for those looking to familiarize themselves with the basics of GDPR compliance. - [ ] **Summary of main points and requirements** **Purpose of GDPR**: The GDPR was introduced by the European Union to protect the fundamental rights and privacy of individuals concerning the processing of their personal data, give individuals greater control over their personal data, and harmonize data protection laws across all EU member countries. **Applicability and Scope**: GDPR applies to any organization or individual that processes the personal data of EU residents, regardless of the organization's or individual's location. Even companies based outside the EU must comply with GDPR if they process the personal data of EU residents. **Mandatory Nature**: Compliance with the GDPR is mandatory, not optional. All types of organizations are encompassed by the GDPR, including businesses, non-profits, government entities, and other data-processing entities. **Breach Notification**: Organizations are obliged to notify affected individuals in case of data breaches, especially if these breaches pose a high risk to the rights and freedoms of the individuals involved. The document, in essence, underscores the GDPR's purpose, its wide-ranging scope, the imperative nature of compliance, and the responsibility of organizations to inform affected parties in the event of data breaches. - [ ] **Your contemplation and judgement (conclusion)** The GDPR is a pioneering regulation by the European Union that prioritizes data protection and privacy as fundamental rights. Its key strengths include: * **Universal Scope**: It applies globally to organizations processing the data of EU residents. * **Individual Empowerment**: It grants individuals significant rights over their personal data. * **Transparency and Accountability**: Organizations are held accountable for data practices, emphasizing breach notifications. * **Harmonization**: It provides a consistent data protection framework across the EU. ***Conclusion***: While the GDPR is a significant step in safeguarding data rights in the digital era, it does pose challenges, especially for smaller businesses. Its success hinges on consistent enforcement and adaptability to technological changes. Overall, it's a commendable effort to prioritize individual privacy. ### 2. Federal Law 152-FZ - [ ] **Main purpose of a document** Federal Law 152-FZ, also known as the "On Personal Data" law, was implemented in Russia to regulate the collection, processing, and storage of personal data. The main purpose of this law is to protect the rights of individuals and ensure the security of personal information by imposing strict obligations on organizations that process personal data. - [ ] **When it is mandatory to follow this regulation** Any organization or individual that collects, stores, processes, or transfers personal data of Russian citizens, regardless of their location, must comply with the law. Non-compliance with this law can result in penalties and legal consequences. - [ ] **Type of information this document is intended to (classification if applicable)** 1. Basic personal identification information: This can include an individual's name, address, date of birth, identification numbers, passport details, and other similar information that directly identifies a person. 2. Contact information: This refers to an individual's phone numbers, email addresses, and other communication details used to reach or contact the person. 3. Financial information: This category includes account numbers, credit card details, financial transaction records, salary or income details, and any other information related to an individual's financial situation. 4. Health and medical information: It covers details about an individual's physical or mental health, medical history, medical conditions, prescriptions, treatments, and any other medical records. 5. Biometric data: This includes unique physiological or behavioral characteristics such as fingerprints, facial recognition data, iris scans, voice recordings, and other biometric information used for identification or authentication purposes. 6. Sensitive personal information: The law also covers special categories of personal data, including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership. - [ ] **Summary of main points and requirements** To begin with purpose, the law aims to regulate the processing and protection of personal data within the Russian Federation, ensuring the rights and privacy of individuals. Also the law provides clear definitions for terms such as personal data, data subject (individuals whose data is being processed), data controller (organizations or individuals responsible for processing the data), and other relevant terms. In addition, the law provides points and requirements as follows: 1. Lawful basis for data processing: The processing of personal data must have a lawful basis, such as consent from the data subject, contractual necessity, compliance with legal obligations, protection of vital interests, public interest, or legitimate interests pursued by the data controller or a third party. 2. Data subject rights: The law outlines the rights of data subjects, including the right to access their personal data, request correction or deletion of inaccuracies, restrict or object to processing, and obtain a copy of their data in a commonly used format. 3. Data controller responsibilities: Data controllers are required to take appropriate measures to ensure the security and protection of personal data, inform the data subject about the purpose and methods of processing their data, obtain consent when necessary, and comply with other obligations specified in the law. 4. Cross-border data transfer: Personal data of Russian citizens must be stored and processed within the territory of the Russian Federation. However, data transfers to foreign countries are allowed if the recipient country provides an adequate level of data protection, or if certain additional safeguards are in place. 5. Data breach notifications: In the event of a personal data breach, the data controller must notify the relevant authorities and affected data subjects in a timely manner. 6. Record-keeping: Data controllers are required to maintain records of personal data processing activities, including information about the purposes of processing, categories of data subjects, and data recipient details. 7. Audits and inspections: The law provides for audits and inspections by the relevant authorities to ensure compliance with data protection regulations. While talking about sanctions and penalties, non-compliance with the requirements of the law can result in financial penalties, suspension of data processing activities, or other administrative sanctions. - [ ] **Your contemplation and judgement (conclusion)** The main objective of Federal Law 152-FZ is to protect the privacy and rights of individuals regarding the processing of their personal data. It establishes clear obligations for data controllers, provides rights and remedies for data subjects, and outlines the procedures and requirements for the lawful handling of personal data within the Russian Federation.