Reference:
Novikov, P.A. (2025). Improving the mechanism of protection of a special category of personal data. Law and Politics, 2, 65–77. https://doi.org/10.7256/2454-0706.2025.2.73265
Improving the mechanism of protection of a special category of personal data
DOI: 10.7256/2454-0706.2025.2.73265
EDN: DITQXW
Received: 06-02-2025
Published: 04-03-2025

Abstract: With the constant growth of digitalization and the use of various electronic platforms, any activity leaves behind traces of information that relate both to publicly available and to special categories of data. The article discusses the problems of protecting special categories of personal data in the context of digitalization and growing threats to information security. The regulatory framework of the Russian Federation, as well as international standards such as the General Data Protection Regulation, are analyzed in order to identify deficiencies in the protection of highly sensitive data, including information about health, biometrics, political and religious beliefs. A comprehensive approach to improving the mechanism for protecting this data is proposed, including technical and organizational measures, strengthening legal regulation, the introduction of encryption technologies, anonymization, biometric authentication, and a risk assessment system. The article describes ways to enhance the role of Roskomnadzor in ensuring data security, including through expanding its powers and toughening responsibility for violations. The research methods are aimed at a holistic and integrative understanding of the problem; therefore, the research included an analysis of regulatory legal acts and existing mechanisms for protecting special categories of data, a study of the technological aspects used to ensure security, as well as an assessment of potential threats and weaknesses in their processing. The scientific novelty lies in the development and implementation of innovative approaches and technologies that provide a higher level of security and confidentiality of specific information related to the personal lives of citizens.
With the rapid development of digital technologies and an increase in the volume of data processed, personal data protection is becoming a critical task to prevent unauthorized access, use and dissemination of information. One of the key aspects of scientific novelty is the adaptation of existing legal norms to modern technological challenges, which includes the development of new methods of user identification and authentication. The conclusions of the study are aimed at developing recommendations for improving the protection of confidential information, contributing to the adaptation of national legislation to international requirements and effectively countering security threats in the field of personal data.

Keywords: personal data, special category of data, data encryption, biometric authentication, legal regulation, data anonymization, confidential information, information security, cybersecurity, data protection technologies

This article is automatically translated.

Special categories of personal data in the Russian Federation include information that requires increased protection due to its sensitivity and the possible risk to the rights and freedoms of citizens in case of misuse [1]. In accordance with the Federal Law "On Personal Data" (No. 152-FZ), such data include information about race and nationality, political views, religious and philosophical beliefs, health status, as well as personal data relating to the intimate lives of citizens [2]. Since the processing of these data involves high security requirements, their collection, storage and processing are allowed only if special conditions are met, such as the written consent of the data subject or legal grounds established by law.
The urgency of improving the mechanisms for protecting this data is due to the rapid development of technology, the growing volume of processed data and the need to bring national standards in line with international requirements, such as the General Data Protection Regulation (GDPR) [3]. These factors create new challenges for legal regulation, technical protection and organizational measures, which requires an integrated approach to security [4]. The purpose of this article is to analyze the existing legal, technical and organizational methods of protecting special categories of personal data and to develop recommendations for their improvement. The main directions include:

1. Strengthening legal regulation: updating legislation, expanding the powers of supervisory authorities and introducing additional liability measures to improve control and protection [5].
2. The use of modern technologies: the introduction of encryption, anonymization, pseudonymization, as well as biometric authentication to limit unauthorized access [6].
3. Organizational measures and staff training: development of standards for working with data, regular training of employees working with sensitive information [7].
4. Raising awareness of data subjects: informing citizens about the rights and mechanisms of personal data protection, which increases the level of legal and information security [8].
5. Development of information systems and risk analysis: regular vulnerability assessment, modeling of cybersecurity incidents and implementation of threat response protocols [9].

Stricter liability for violations in the processing and storage of special category data is one of the key areas for improving the level of personal data security in the Russian Federation. Special categories of personal data include particularly sensitive information such as race and ethnicity, political views, religious beliefs, health status, and aspects of intimate life.
In order to minimize the risks of unauthorized access and information leaks, it is necessary to introduce stricter measures of both administrative and criminal liability, which will raise the level of compliance with regulatory requirements and strengthen legal protection. Within the framework of administrative liability, it is advisable to differentiate penalties depending on the nature and degree of the violation. For example, companies that leak data may be subject to large fines calculated on the basis of their annual turnover, which will encourage businesses to implement stricter security standards. In addition, it is proposed to introduce fixed penalties for non-compliance with mandatory data processing procedures, such as regular audits, protection of transmission channels, encryption and access control. Such measures will ensure continuous monitoring and control of the security of information systems, which is especially important for preventing repeated incidents. Serious violations, such as systematic disregard for legal requirements, may lead to temporary or permanent restrictions on the processing of personal data. For example, Roskomnadzor may temporarily suspend the activities of companies that have repeatedly leaked data until the organization remedies the identified deficiencies. Provision should also be made for a mandatory audit by the supervisory authority, which will systematize and monitor the implementation of the necessary protective measures. In addition to administrative measures, it is important to strengthen criminal liability for illegal actions with personal data. The introduction of new offences related to unauthorized access to special categories of data will allow law enforcement agencies to combat attempts to misuse personal information effectively.
Thus, intentional violations, such as the sale of data to third parties, can be punishable by imprisonment, and serious negligence that led to information leakage can be punishable by forced labor or fines for officials. For individuals who repeatedly violate the law, it is possible to impose a ban on holding positions related to data processing for up to 10 years, which will significantly limit their access to information. Additional liability measures may be provided for legal entities that have committed major data leaks, such as confiscation of property in favor of the state or a compensation fund aimed at supporting victims of data leaks. In cases of systematic and repeated violations, it is possible to forcibly terminate the company's activities through a court decision, which will prevent further violations of the rights of data subjects and enhance the preventive effect of legislation [10]. At the same time as stricter liability measures, it is necessary to expand the powers of supervisory authorities, such as Roskomnadzor, in the field of monitoring compliance with data protection requirements. In particular, this includes the possibility of conducting unscheduled inspections of organizations that have previously been found to be in violation. To increase the level of control, it is also proposed to tighten the requirements for storing documentation related to data processing for a period of at least five years. This will make it possible to more effectively check for compliance with legal requirements and track the history of data processing, which will help to increase the transparency of processes. Special attention should be paid to the rights of the data subjects themselves. The introduction of compensation for victims of data leaks through a special fund formed from administrative fines will increase the level of social responsibility and help affected citizens compensate for moral damage. 
In addition, expanding the rights of data subjects to lawsuits, including the possibility of filing class actions in cases of massive leaks, will strengthen their legal protection and provide an additional incentive for companies to comply with information security requirements. Thus, the proposed measures to strengthen responsibility for violations in the field of protection of special categories of personal data represent an integrated approach, including administrative and criminal sanctions, expanding the rights of data subjects and strengthening the supervisory functions of government agencies. The implementation of these measures will significantly reduce the risks of misuse of personal data, increase the level of protection of citizens' rights and create a more stable and reliable information security system [11]. To increase the protection of special categories of personal data in Russia, it is necessary to significantly expand the powers of Roskomnadzor in the field of control and audit. Special categories of data include sensitive information such as health information, political and religious beliefs that require increased protection. Roskomnadzor, as the main body responsible for compliance with standards in this area, should be given additional opportunities to ensure the security of this data. First, the expansion of Roskomnadzor's powers to conduct inspections and audits will be an important step towards strengthening compliance control. The introduction of regular scheduled inspections for all organizations working with special categories of data will create a systematic approach to control. The main criteria for routine inspections may be the size of the company, the amount of data processed, and the level of potential risk. 
At the same time, Roskomnadzor should be given the right to conduct unscheduled inspections when receiving complaints from data subjects or information from other government agencies about possible violations, which will ensure flexibility and responsiveness to threats. Secondly, an important area of strengthening Roskomnadzor's activities is the modernization of tools and technologies for conducting inspections. Modern analytical systems and artificial intelligence technologies can be used to automatically monitor the activities of organizations, which will effectively identify deviations in data processing and minimize the need for on-site inspections. The creation of automated monitoring systems may also include processing complaints from data subjects and analyzing company reports. Integration with databases of other government agencies, such as the Ministry of Internal Affairs, the Federal Tax Service and the FSB, will allow Roskomnadzor to quickly coordinate actions in order to quickly and completely identify and prevent violations. In order to successfully perform its functions, Roskomnadzor also needs to increase its funding and staffing levels. Significant investments in the technical base — the purchase of server equipment, licenses for analytical programs and automated control tools — will help create conditions for effective control [12]. It is also important to allocate funding for educational programs in the field of cybersecurity, which will ensure a high level of qualification of employees working with modern threats. The expansion of Roskomnadzor's staff, especially in the regions, will ensure more dense coverage of territories and prompt response to incidents. Regular training of specialists in new audit methods, security system analysis and vulnerability detection will help improve the quality of control and prevent leaks. 
In addition to strengthening control and professional development of employees, it is extremely important to increase the transparency of Roskomnadzor's activities. The publication of quarterly and annual reports on the results of inspections and detected violations will allow citizens and organizations to assess the level of compliance with safety standards by various companies. Information about incidents related to data leaks and the measures taken will also help to increase public confidence. In addition, Roskomnadzor must inform data subjects about any incidents involving the leakage of their personal information, as well as about possible risks and protective measures. The introduction of mandatory notification of data subjects about incidents will allow them to take timely measures to protect their rights. The creation of a hotline and an online complaint service will also allow citizens to promptly report possible violations, which will strengthen feedback and make Roskomnadzor more accessible to citizens [13]. Bringing Russian legislation on personal data protection in line with international standards requires an integrated approach aimed at ensuring higher data protection and simplifying conditions for international cooperation. The transition to new standards allows us to take into account modern challenges and the specifics of the digital environment, especially when working with special categories of personal data. One of the key measures to update legislation is to clarify the conditions for processing special category data. It is necessary to legislate the purposes for which the processing of such data is possible, for example, in the case of protecting the vital interests of the subject or to comply with legal requirements. The mandatory explicit consent of the subjects for data processing should also be part of this rule. 
Consent must be written in a clear and accessible form, which will allow citizens to clearly understand the purposes and types of data being processed. Securing and expanding the rights of data subjects is also a priority. In particular, it is important to consolidate the subject's right to access information about his data and the conditions of their processing. In addition, transparency and accessibility of information should become mandatory for data operators, which includes ensuring that the purposes and timing of processing, as well as the rights of subjects, are clearly stated. Another important element is the right to opt out of automated decision-making and profiling, especially if such processes can seriously affect the interests of the subject. An equally significant part of the reform is changes in approaches to data processing. The implementation of mandatory data protection procedures, such as the Data Protection Impact Assessment (DPIA) for high-risk processing operations, is relevant here. The appointment of a Data Protection Officer (DPO) is also becoming necessary, especially in large organizations dealing with personal data. This will help to centralize and strengthen control over compliance with information security requirements [14]. A critical aspect is the implementation of measures to respond to data leaks. Companies should be required to notify both the supervisory authorities and the data subject of leaks, especially if they may threaten the rights and security of the individual. Notification must be made immediately, but no later than 72 hours after the incident. It is also necessary to provide for the development of leak response protocols, including plans to restore operations and minimize possible damage. Improving the legal culture and awareness of data subjects about their rights should be an important element of data protection policy.
The creation of educational resources and awareness campaigns initiated by Roskomnadzor can increase public awareness of data processing rules [15]. Additional attention should also be paid to supporting small and medium-sized enterprises, which can be provided with consultations and training programs to facilitate their compliance with legal requirements. The introduction of modern data protection technologies is an essential component in ensuring information security, especially for special category data. One of the main security technologies is mandatory encryption, which performs the function of protecting data both during transmission and storage, minimizing the risks of unauthorized access. When transmitting data over a network, end-to-end encryption provides a high level of security, since data is encrypted on the sender's side and decrypted only on the recipient's side. This makes them inaccessible even in case of interception. The widespread use of the TLS protocol, in particular for secure HTTPS connections, creates a reliable channel for data transmission, ensuring their security at all levels of interaction between the client and the server. Additionally, VPN technologies provide data protection in open networks, and encryption of communications between applications and databases protects interaction at internal levels of the system [16]. Data encryption during storage performs protection functions both at the level of the entire medium and at the level of individual files. Full disk encryption prevents access to data in case of physical compromise of the media, for example, in case of loss or theft of the device. At the file level, encryption protects structured and unstructured data from both external and internal threats. 
In the case of cloud storage, encryption performed outside the provider's control, with keys managed on the client side, provides an additional layer of security, allowing companies to maintain control over data access and protection even if the cloud service provider itself suffers a leak. Effective key management, in turn, plays a critical role in the security of encryption. Key management systems (KMS) allow centralized control of key generation, storage and destruction, which ensures their security and transparency. The separation of roles and responsibilities in key management restricts access to keys and reduces the likelihood of unauthorized use. Regular key rotation is also an important practice that limits the damage from a key compromise and maintains a high level of system security. Keeping a history of all key operations makes it possible not only to monitor their use but also to analyse them when a security incident is detected, which contributes to the overall transparency and manageability of the process. Modern approaches to personal data protection increasingly include the use of anonymization and pseudonymization technologies, which are becoming important privacy tools. These methods make it possible to depersonalize data while preserving its value for analytics and other purposes that require processing large amounts of information [17]. Thanks to anonymization and pseudonymization, the risks associated with unauthorized access are reduced, and organizations are able to work with data without violating legal requirements while ensuring the protection of personal information. Data anonymization is a process that removes the possibility of identifying a subject, making such data completely impersonal. After anonymization, the data loses its personal character, its processing becomes more secure, and in some cases it falls outside the scope of data protection laws such as GDPR.
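The key-management practices listed above (versioned keys, separation of the key-administrator role from the data-using role, rotation, retirement of old versions, and an audit history of every key operation) are easier to reason about in code. The following is an added example written for this page; it is not code from the article or from any real KMS product. The `KeyManagementService` class, the role names `key-admin` and `app`, and the blob layout are all constructed for illustration, and the HMAC-SHA256 counter-mode keystream is a standard-library placeholder for the authenticated cipher (such as AES-GCM) a production system would obtain from a crypto library.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class KeyManagementError(Exception):
    """Raised when a key operation is denied or a ciphertext fails its integrity check."""


@dataclass
class KeyVersion:
    version: int
    material: bytes
    active: bool = True  # retired versions can no longer decrypt anything


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Placeholder stream cipher (HMAC-SHA256 in counter mode) so the example stays
    # standard-library only; a real deployment would use AES-GCM from a library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


@dataclass
class KeyManagementService:
    """Constructed stand-in for a KMS: versioned keys, role separation,
    rotation, retirement and an audit log of every key operation."""
    versions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    current: int = 0  # version used for new encryptions; 0 means no key exists yet

    ADMIN_ROLE = "key-admin"  # may create and retire key versions, never reads data
    USE_ROLE = "app"          # may encrypt/decrypt data, never manages keys

    def _audit(self, principal, role, action, version, outcome="ok"):
        self.audit_log.append({"principal": principal, "role": role, "action": action,
                               "version": version, "outcome": outcome})

    def rotate(self, principal, role):
        """Create a fresh key version; new encryptions use it from now on."""
        if role != self.ADMIN_ROLE:
            self._audit(principal, role, "rotate", self.current, "denied")
            raise KeyManagementError("rotation requires the key-admin role")
        self.current += 1
        self.versions[self.current] = KeyVersion(self.current, secrets.token_bytes(32))
        self._audit(principal, role, "rotate", self.current)
        return self.current

    def retire(self, principal, role, version):
        """Disable an old version once all data under it has been re-encrypted."""
        if role != self.ADMIN_ROLE:
            self._audit(principal, role, "retire", version, "denied")
            raise KeyManagementError("retirement requires the key-admin role")
        if version == self.current:
            raise KeyManagementError("cannot retire the current encryption key")
        self.versions[version].active = False
        self._audit(principal, role, "retire", version)

    def encrypt(self, principal, role, plaintext: bytes) -> bytes:
        """Encrypt under the current version; blob = version(4) | nonce(16) | ct | tag(32)."""
        if role != self.USE_ROLE:
            self._audit(principal, role, "encrypt", self.current, "denied")
            raise KeyManagementError("data operations require the app role")
        if self.current == 0:
            raise KeyManagementError("no key version available; rotate first")
        kv = self.versions[self.current]
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(kv.material, nonce, len(plaintext))))
        tag = hmac.new(kv.material, nonce + ct, hashlib.sha256).digest()
        self._audit(principal, role, "encrypt", kv.version)
        return kv.version.to_bytes(4, "big") + nonce + ct + tag

    def decrypt(self, principal, role, blob: bytes) -> bytes:
        """Pick the key by the embedded version, verify the tag, then decrypt."""
        if role != self.USE_ROLE:
            self._audit(principal, role, "decrypt", None, "denied")
            raise KeyManagementError("data operations require the app role")
        version = int.from_bytes(blob[:4], "big")
        nonce, ct, tag = blob[4:20], blob[20:-32], blob[-32:]
        kv = self.versions.get(version)
        if kv is None or not kv.active:
            self._audit(principal, role, "decrypt", version, "denied")
            raise KeyManagementError(f"key version {version} is unavailable or retired")
        expected = hmac.new(kv.material, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self._audit(principal, role, "decrypt", version, "integrity-failure")
            raise KeyManagementError("ciphertext failed integrity check")
        self._audit(principal, role, "decrypt", version)
        return bytes(c ^ k for c, k in zip(ct, _keystream(kv.material, nonce, len(ct))))
```

Embedding the version number in every ciphertext is what makes rotation painless: new writes pick up the new key immediately, old data stays readable until it has been re-encrypted, and only then is the old version retired. The audit log records denied operations as well as successful ones, which is the history the text says should be available for incident analysis.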
Anonymization methods include ID deletion, data aggregation, obfuscation, random blurring, and canonicalization. For example, in healthcare, anonymization allows statistical research to be conducted without revealing the identity of patients, which makes it in demand for scientific purposes. The main advantage of anonymization is a high degree of data protection, even in the event of a leak. However, anonymization is irreversible, which excludes the possibility of restoring the original information [18]. Unlike anonymization, pseudonymization allows you to replace data identifiers with special tags or codes, while maintaining the ability to restore the original information if there is a key. By using tokens, encoding data, or hashing with a secret key, organizations can manage data without violating confidentiality. Pseudonymization allows data to be used for analytical purposes, while maintaining access to personal information only when necessary. This is especially important in medical and analytical systems, where access to the source data may be necessary for repeated analysis or provision of services. For example, in marketing research, pseudonymization allows you to collect information about customers to analyze their behavior and preferences, while minimizing the risks of personal disclosure. Each technology has its own advantages and limitations. Anonymization provides a higher level of protection because it completely eliminates the possibility of identification, which makes it ideal for processing large amounts of data where identification of the subject is not required. Pseudonymization, in turn, provides flexibility in the use of data, which is useful in situations where the ability to recover identifying data is required. However, pseudonymization requires reliable key management and strict control over access to additional information, as key leakage can lead to data compromise. 
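The contrast the two paragraphs above draw, irreversible anonymization versus reversible pseudonymization under a secret key, can be shown on a small health-record table. This is an added example for this page, not code from the article: the records, the `Pseudonymizer` class, the `treating-clinician` role name and the k=2 threshold are all constructed. The anonymization path removes the identifier, generalizes age and postcode into bands, and suppresses any group smaller than k (k-anonymity); the pseudonymization path replaces the identifier with a keyed HMAC token whose mapping back to the original is held separately and released only to an authorized role.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample of health records (a special category) with a direct identifier.
RECORDS = [
    {"patient_id": "P-1001", "age": 34, "postcode": "101000", "diagnosis": "asthma"},
    {"patient_id": "P-1002", "age": 37, "postcode": "101002", "diagnosis": "asthma"},
    {"patient_id": "P-1003", "age": 52, "postcode": "190000", "diagnosis": "diabetes"},
    {"patient_id": "P-1004", "age": 58, "postcode": "190005", "diagnosis": "diabetes"},
    {"patient_id": "P-1005", "age": 41, "postcode": "101004", "diagnosis": "hypertension"},
]

QUASI_IDENTIFIERS = ("age_band", "region")  # attributes that could re-link a row when combined


def generalize(record):
    """Irreversible coarsening: exact age -> decade band, postcode -> first three digits."""
    decade = record["age"] // 10 * 10
    return {"age_band": f"{decade}-{decade + 9}",
            "region": record["postcode"][:3],
            "diagnosis": record["diagnosis"]}


def anonymize(records, k=2):
    """Drop direct identifiers, generalize quasi-identifiers and suppress every
    equivalence class smaller than k, so no row can be traced back to a person."""
    generalized = [generalize(r) for r in records]
    key = lambda g: tuple(g[q] for q in QUASI_IDENTIFIERS)
    class_sizes = Counter(key(g) for g in generalized)
    return [g for g in generalized if class_sizes[key(g)] >= k]


def diagnosis_counts(anonymized):
    """Statistics remain possible after anonymization (the use case the text cites)."""
    return Counter(g["diagnosis"] for g in anonymized)


class Pseudonymizer:
    """Replaces identifiers with keyed tokens; the token->identifier map is the
    'additional information' that must be stored and access-controlled separately."""

    def __init__(self, secret_key=None):
        self._key = secret_key or secrets.token_bytes(32)
        self._vault = {}

    def token(self, identifier):
        # Keyed hash: deterministic (rows for one patient stay linkable) but not
        # recomputable by anyone who lacks the key.
        t = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._vault[t] = identifier
        return t

    def pseudonymize(self, records):
        out = []
        for r in records:
            row = dict(r)
            row["patient_token"] = self.token(row.pop("patient_id"))
            out.append(row)
        return out

    def reidentify(self, token, role):
        """Reversal is allowed only for the role that needs the source data."""
        if role != "treating-clinician":
            raise PermissionError("re-identification not permitted for this role")
        return self._vault[token]


def unkeyed_hash_recoverable(identifier):
    """Check showing why the secret key matters: an unkeyed hash of a structured
    identifier can be reproduced by anyone who knows the identifier format."""
    target = hashlib.sha256(identifier.encode()).hexdigest()
    candidates = (f"P-{n}" for n in range(1000, 2000))
    return any(hashlib.sha256(c.encode()).hexdigest() == target for c in candidates)
```

In the sample table the record for patient P-1005 is the only one in its (age band, region) class, so k-anonymity suppresses it; the remaining four rows support diagnosis statistics but carry nothing that re-links to a person. The pseudonymized table keeps every row and stays joinable across datasets through the token, which is exactly why the key and the vault need the kind of controls the previous paragraphs describe.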
The use of anonymization and pseudonymization in information systems is especially relevant for areas such as healthcare, analytics, and big data management. In healthcare, anonymization allows the safe use of patient data for research, and pseudonymization allows the exchange of data between medical institutions without revealing the identity of patients. In analytical systems, companies can safely analyze user data using anonymization or pseudonymization, which protects privacy and allows the data to be used to improve the quality of services. In the field of big data, anonymization and pseudonymization help process arrays of information, taking into account the requirements for privacy protection, and also allow the secure use of cloud technologies, eliminating direct access to users' personal data. Biometric authentication has become one of the most effective methods of ensuring the security of access to data and its processing systems. This technology relies on the user's unique physiological and behavioral characteristics, such as fingerprints, facial features, or voice, which are difficult to fake or convey. Due to this, biometrics reliably protects information from unauthorized access. The principles of biometric authentication include the use of both physiological and behavioral data. Fingerprint scanning, face recognition, iris recognition, and voice characteristics are popular among physiological methods. These methods allow you to identify the user with high accuracy and reliability. Behavioral parameters, such as signature analysis or text input patterns, are also used to increase security, but to a lesser extent than physiological indicators [19]. The main advantages of biometric authentication are related to a high level of security and ease of use. Biometric data is difficult to fake or steal, which distinguishes them from traditional passwords or PIN codes. 
In addition, biometric data is always "at hand": the user does not need to memorize long passwords or use additional devices to verify their identity. This shortens authentication time and reduces the likelihood of social attacks such as phishing or manipulation through social engineering. The use of biometric authentication in practice is becoming more common. In a corporate environment, biometrics protects access to sensitive data and work devices by ensuring that only authorized employees have access to the information. In the financial sector, biometrics provides transaction security and access to banking applications, reducing fraud risks. In medical institutions, it restricts access to medical records and controls employees' working hours. Government agencies use biometrics for access to high-security areas and in electronic identity cards, which simplifies the identification of citizens and increases overall security. The development of information systems and risk analysis are important components for improving the security of personal data in the face of ever-changing cyber threats. Effective protection requires not only the creation of reliable systems, but also their regular improvement, which involves the introduction of multi-level measures to minimize risks and promptly respond to emerging threats. The first stage in ensuring the security of information systems is a regular assessment of risks and vulnerabilities. Identification of critical data and assets makes it possible to single out the most vulnerable and valuable system components, such as special category data or financial information. The analysis of potential threats includes both internal risks (personnel errors, incorrect system settings) and external risks, such as cyber attacks or natural disasters.
Assessing the likelihood of incidents and their consequences helps to create a plan of priority protection measures, and the use of international standards such as ISO/IEC 27005 and NIST SP 800-30 simplifies the process of risk analysis and management. Testing based on cybersecurity techniques is also important to identify and eliminate system vulnerabilities. Penetration testing identifies weaknesses by simulating real attacks. This method helps to assess how resilient the system is to threats and to improve protection by identifying and correcting vulnerabilities. In addition to pentests, incident modelling and simulated attack exercises can be used to check the readiness of the system and employees for potential threats. The test results help to assess the current level of protection and adjust the security plan, updating it in accordance with identified vulnerabilities and new cyber threats [20]. An important element is the implementation of incident response protocols that ensure prompt recovery from cyber attacks and minimize damage. Developing a detailed incident response plan includes assigning roles and tasks to employees, as well as installing monitoring systems to quickly detect problems. Classifying incidents by severity level makes it possible to apply appropriate response scenarios and focus efforts on the most serious threats. Remediation includes isolating infected systems, restoring data, and notifying all interested parties, including Roskomnadzor, if an incident involves a leak of personal data. Integration with external partners and government systems is also an important element of the security strategy. Cooperation with consultants and the use of specialized software make it possible to ensure systematic monitoring and auditing, and interaction with law enforcement agencies and Roskomnadzor helps in coordinating actions in the event of large-scale incidents.
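The risk-assessment and incident-classification steps described in the two paragraphs above (identify critical assets, rate likelihood and impact on qualitative scales, rank the risks, then classify incidents by severity and trigger the notification obligations the article mentions, including the 72-hour deadline) can be expressed as a small risk register. This is an added example written for this page, not code from the article: the five-level scales and the product-threshold matrix are constructed in the spirit of the qualitative tables in NIST SP 800-30 rather than copied from it, and the assets, threats and severity thresholds in `REGISTER` and `classify_incident` are illustrative values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Qualitative scales, constructed in the style of NIST SP 800-30 (not its exact tables).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
ORDER = ["very high", "high", "moderate", "low", "very low"]

# Special categories named in the article (152-FZ / GDPR), plus biometric and genetic data.
SPECIAL_CATEGORIES = {"race", "ethnicity", "political", "religious", "philosophical",
                      "health", "intimate_life", "biometric", "genetic"}
NOTIFICATION_WINDOW = timedelta(hours=72)  # deadline for notifying the supervisory authority


def risk_level(likelihood, impact):
    """Combine two qualitative ratings into one risk level via a product matrix."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 16:
        return "very high"
    if score >= 10:
        return "high"
    if score >= 5:
        return "moderate"
    if score >= 3:
        return "low"
    return "very low"


@dataclass
class Risk:
    asset: str
    threat: str
    source: str        # "internal" or "external", as the article distinguishes them
    likelihood: str
    impact: str
    treatment: str

    @property
    def level(self):
        return risk_level(self.likelihood, self.impact)


# Constructed register for a hypothetical medical organisation.
REGISTER = [
    Risk("EHR database (health data)", "injection flaw in patient portal", "external",
         "moderate", "very high", "parameterized queries, regular pentest"),
    Risk("EHR database (health data)", "misconfigured backup share", "internal",
         "high", "very high", "access review, encrypted backups"),
    Risk("HR system (religious/union data)", "over-privileged staff export", "internal",
         "moderate", "high", "least privilege, export logging"),
    Risk("Office workstations", "ransomware via phishing", "external",
         "high", "moderate", "endpoint protection, awareness training"),
    Risk("Analytics store (pseudonymized)", "pseudonymization key leakage", "internal",
         "low", "high", "KMS role separation, key rotation"),
    Risk("Public website", "defacement", "external", "low", "low", "patching"),
]


def prioritize(register):
    """Rank risks by level, breaking ties in favour of the higher impact."""
    return sorted(register, key=lambda r: (ORDER.index(r.level), -LEVELS[r.impact]))


def classify_incident(categories, records_affected, contained, detected_at):
    """Assign a severity and response scenario; leaks of personal data trigger
    supervisor notification within the 72-hour window, special categories also
    trigger notification of the data subjects."""
    special = bool(SPECIAL_CATEGORIES & set(categories))
    leaked = records_affected > 0
    if special and records_affected >= 1000:
        severity = "critical"
    elif special or records_affected >= 10000:
        severity = "high"
    elif leaked:
        severity = "medium"
    else:
        severity = "low"
    scenarios = {
        "critical": "isolate affected systems, convene response team, notify Roskomnadzor and data subjects",
        "high": "isolate affected systems, notify Roskomnadzor, prepare subject notification",
        "medium": "contain and remediate, notify Roskomnadzor",
        "low": "log, fix root cause, no external notification required",
    }
    return {
        "severity": severity,
        "scenario": scenarios[severity],
        "containment_pending": not contained,
        "notify_supervisor": leaked,
        "notify_deadline": detected_at + NOTIFICATION_WINDOW if leaked else None,
        "notify_subjects": special and leaked,
    }


DETECTED_AT = datetime(2025, 3, 4, 9, 0, tzinfo=timezone.utc)  # constructed detection time
```

Running `prioritize(REGISTER)` puts the misconfigured backup share (high likelihood, very high impact) first and the website defacement last, which is the ordering a protection plan would follow. `classify_incident(["health"], 2500, False, DETECTED_AT)` returns a critical incident with the supervisor deadline 72 hours after detection and subject notification required, matching the obligations the article sets out.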
It is also important to conduct regular staff training to raise awareness of cyber threats and security procedures. The protection of special categories of personal data in the Russian Federation requires strict compliance with legislation and the application of comprehensive measures, taking into account their increased sensitivity and the possible negative consequences in case of unauthorized access. Such data includes information about race and ethnicity, political views, religious or philosophical beliefs, health status, intimate life, biometric and genetic data. Organizational measures aimed at improving data protection include the development of standards and regulations, mandatory employee training, and regular audits for compliance with legal requirements. These measures help to identify vulnerabilities in a timely manner and provide an appropriate level of protection for remote work and other potentially vulnerable scenarios. Technical measures involve the use of modern technologies, such as mandatory data encryption, as well as anonymization and pseudonymization, which minimizes the risks of identification in the event of a leak. Regular testing, simulation of cyber attacks and pentests increase the resilience of information systems to external threats, and incident response protocols ensure prompt elimination of consequences in the event of security problems. The expansion of Roskomnadzor's powers strengthens control over compliance with legislation and contributes to more effective regulation of data processing. Stricter administrative and criminal liability for violations increases the motivation of organizations to comply with security standards, reducing the risks of leaks and breaches of confidentiality. Bringing Russian legislation in line with international standards, such as GDPR, will integrate best practices and increase data security.
Securing the rights of data subjects, transparency of processing, and the obligation of operators to inform about actions with data strengthen trust in the personal data protection system and make it more predictable and reliable. Thus, an integrated approach based on a combination of organizational, technical and legal measures, as well as international cooperation, creates a solid foundation for the protection of special categories of personal data. Continuous improvement of security systems, adaptation to new challenges and openness in data processing contribute to the creation of a reliable and sustainable system that meets modern requirements and ensures a high degree of security.

References
1. Alekseev, I.V. (2019). Protection of personal data in information systems: legal and technical aspects. Moscow: Yurait.
2. Vasilyeva, L. V., & Ivanov, K. S. (2020). Modern information security technologies in the context of digitalization. Information Security, 22(4), 35-42.
3. Gavrilova, T. S. (2021). Actual problems of legal regulation of personal data processing in Russia. Bulletin of Law and Justice, 3, 47-53.
4. European Data Protection Regulation (GDPR) [Electronic resource]. https://gdpr-info.eu
5. Methodological recommendations on personal data protection during their processing in personal data information systems [Electronic resource]. https://rkn.gov.ru/methods-security
6. Assessment of the impact on data protection: guidelines for conducting DPIA in accordance with GDPR. The European Commission [Electronic resource]. https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-directive/dpia-guidelines_en
7. Komlev, E. S., & Sorokina, M. V. (2022). The use of biometric authentication to protect personal data. Cybersecurity and Data Protection, 14(1), 23-30.
8. Nikolaev, V. N. (2021). Information risk management in the corporate environment. Information Protection and Data Management, 10(2), 59-66.
9. Avdikova, V. A. (2023). Algorithm for developing a subsystem for protecting personal data of a special category in a medical institution. Modern Problems of Radio Electronics and Telecommunications, 6, 229-234.
10. Bondarenko, I. V. (2023). Legal analysis of the problems of personal data protection of persons sentenced to imprisonment of members of the SVO in the context of modern digitalization of society. Agrarian and Land Law, 11(227), 195-197. https://doi.org/10.47643/1815-1329_2023_11_195
11. Shumanskaya, S. A. (2025). Legal regulation of personal data protection and increasing its effectiveness. In Jurisprudence and the modern legal system: current issues, achievements and innovation: Collection of articles of the IV International Scientific and Practical Conference (pp. 50-55). Penza: ICNS "Science and Enlightenment" (IP Gulyaev G.Yu.).
12. Rebrova, N. M. (2020). The concept of personal data and methods of their protection under the legislation of the Russian Federation. In The Russian State and Law: History and Modernity: a collection of articles by teachers and students of the field of Law, Novocherkassk, November 30, 2020 (pp. 34-45). Novocherkassk: Platov South Russian State Polytechnic University (NPI).
13. Okishev, B. A. (2023). The problem of attributing disability information to special categories of personal data. In Digital technologies and law: Proceedings of the II International Scientific and Practical Conference, in 6 volumes, Kazan, September 22, 2023 (pp. 235-239). Kazan: Publishing house "Cognition".
14. Novikova, Yu. A. (2022). Special categories of personal data of employees. Kadrovik, 8, 8-14.
15. Krylova, M. S. (2019). Features of legal protection of special categories of personal data in the field of electronic communications in the European Union. Eurasian Law Journal, 2(129), 82-84.
16. Kiryanova, L. V. (2023). The legal status of subjects in the institute of "personal data protection". Legal Science, 4, 265-267.
17. Ruzanova, V. D. (2022). Personal data as a civil law category. The Rule of Law: Theory and Practice, 3(69), 77-83. https://doi.org/10.33184/pravgos-2022.3.10
18. Gaifullina, D. M. (2024). Certain legal aspects of bioequaring. Scientific Almanac of the France-Kazakhstan Association, 5, 25-37.
19. Gulov, V. P., Khvostov, V. A., Skrypnikov, A. V., et al. (2020). Methods of ensuring the security of personal data in medical information systems using mobile technologies. System Analysis and Management in Biomedical Systems, 19(4), 132-140. https://doi.org/10.36622/VSTU.2020.19.4.017
20. Ivanova, M. A. (2023). Protection of personal data of an employee: regulatory regulation and security issues. Legal World, 6, 17-21. https://doi.org/10.18572/1811-1475-2023-6-17-21