Ðóñ Eng Cn Translate this page:
Nota Bene. Books, journals, publishing technologies.
Please select your language to translate the article


You can just close the window to don't translate
Library
 Your profile
Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Back to contents

Legal Studies
Reference:

Modern challenges in ensuring the protection of personal data of employees

Novikov Petr Aleksandrovich

ORCID: 0009-0009-5133-811X

Postgraduate student; Saint Petersburg University of Management Technologies and Economics

44 Lermontovsky Ave., Lit.A, Saint Petersburg, 190020, Russia

petnovikov.81@mail.ru
Other publications by this author
 
 

DOI:

10.25136/2409-7136.2025.3.73694

EDN:

YKSZHR

Received:

14-03-2025

Published:

03-04-2025

Abstract: In the era of digital transformation, when data has become an integral part of business processes, the issue of protecting employees' personal data is of paramount importance. Modern organizations face unprecedented challenges related to the need to comply with regulatory requirements, counter cyber threats, and maintain employee trust. This study aims to analyze these challenges and develop practical recommendations for effective protection of employees' personal data. Ensuring the protection of employees' personal data is a complex and multifaceted task that requires organizations to take an integrated approach and continuously improve their policies and procedures. Compliance with legal requirements, countering cyber threats, ensuring transparency and control over data processing, as well as taking into account the specifics of certain categories of personal data are key success factors in this area. The methodological basis of the research is an integrated approach combining the analysis of the regulatory framework and expert assessments. One of the key aspects of scientific novelty is the identification and systematization of new threats to the security of personal data caused by the use of modern technologies. Such threats include, in particular, data leaks caused by cyber attacks on the employer's information systems, unauthorized access to personal data by insiders, as well as risks associated with the use of cloud services and mobile devices for processing and storing personal information. Another important element of the scientific novelty of this study is the development of a methodology for evaluating the effectiveness of existing measures to protect employees' personal data. Traditional assessment methods tend to focus on the general requirements of personal data protection legislation and do not take into account the specific risks that arise in the context of an employment relationship.

Keywords:

personal data, data processing, employee rights, compliance, cloud technologies, artificial intelligence, Internet of things, cybersecurity, data leaks, privacy policy
This article is automatically translated. You can find original text of the article here.

Introduction

In the context of the rapid development of information technology, global digitalization and the widespread introduction of electronic data storage and processing systems, personal data protection issues are becoming particularly important. Modern society, based on the principles of technological interconnectedness and rapid information exchange, is facing increasing risks of unauthorized access to confidential information, misuse of personal data, their leakage, modification and destruction due to cyber attacks, technical failures or actions of third parties. These threats affect both individuals and legal entities operating in various fields of economics and public relations. In particular, this problem concerns the personal data of employees processed by employers during the execution of employment relations and personnel administration. Such data includes information about the identity of employees, their professional activities, medical indicators, financial situation and other aspects, which makes them objects of increased attention from intruders and requires reliable legal and technical protection at all stages of their life cycle.

State regulation of personal data protection is aimed at creating unified information security standards, legal regulation of data processing processes and ensuring an effective mechanism for civil protection of the interests of personal data subjects [1]. In the Russian Federation, the main regulatory legal act regulating relations in this area is Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", which defines the basic principles, legal grounds and requirements for the processing, storage, transfer and destruction of personal data. This law establishes the rights of personal data subjects, establishes the duties of operators for their processing, provides for information protection measures and responsibility for violations committed. However, the practice of its application demonstrates the presence of significant difficulties due to both technical and organizational aspects, as well as gaps and conflicts in legal regulation. In the context of the active introduction of new digital technologies such as artificial intelligence, cloud computing, distributed ledgers (blockchain), the Internet of Things, big Data analysis technologies (Big Data) and biometric identification systems, traditional information protection mechanisms face new challenges that require the adaptation of the regulatory framework, the development and implementation of integrated technical solutions. and improving law enforcement methods.

Among the most significant problems in the field of personal data protection of employees, several key areas can be identified. Firstly, there are technological risks associated with software vulnerability, insufficient security of information systems and the threat of cyber attacks. In the modern world, personal data is processed using digital platforms, cloud storage, mobile applications, and automated document management systems, which significantly expands potential attack vectors on personal information and requires improved information security, encryption, and data protection against unauthorized access. Secondly, there are legal conflicts arising from contradictions between national and international norms, difficulties in determining jurisdiction for cross-border data transfer, and the lack of clear regulations for interaction between operators and authorized authorities. Thirdly, organizational difficulties related to the need to ensure an adequate level of information protection in companies, the lack of uniform standards of corporate cybersecurity policy, as well as insufficient awareness of employees about personal data protection measures. Fourth, there are ethical issues related to the balance between the right of employees to protect their privacy and the interests of employers related to the need to monitor the activities of employees, monitor their work activity, use biometric data and other identification methods [2].

An effective solution to the above problems requires a detailed analysis of current legislation, its application practices, international experience in regulating personal data processing, as well as the development and implementation of comprehensive mechanisms for civil protection of the rights of personal data subjects. An important role in this process is played by the formation of a corporate culture in the field of cybersecurity, the development and implementation of internal regulations for the processing of personal data that comply with international standards, such as the General Data Protection Regulation (GDPR) of the European Union, as well as regulatory acts of the Council of Europe and the United Nations [3]. Considerable attention should be paid to improving user identification and authentication mechanisms, the introduction of advanced information security technologies such as multifactor authentication, biometric access systems, the use of blockchain technologies to ensure transparency of data processing, as well as machine learning methods to identify anomalies and potential threats in information systems.

Thus, the study of issues of civil protection of personal data of employees in the context of digital transformation is an urgent scientific and practical task that requires a comprehensive approach, comprehensive analysis and the search for effective legal, organizational and technical solutions. This article is aimed at investigating existing problems in the field of personal data protection, identifying legal and technological risks, as well as developing proposals to improve the civil law mechanism for protecting the means of individualization of citizens (individuals) and their personal data, which will increase the level of information security in the modern legal and business environment.

The research methodology is based on an integrated approach combining the analysis of the regulatory framework and expert assessments. This approach is conditioned by the need for a comprehensive study of the problem, taking into account both the legal aspects and the practical realities of the functioning of personal data processing systems in organizations.

The first stage is the analysis of the regulatory framework governing the protection of personal data. The analysis involves identifying gaps, contradictions and ambiguities in the current legislation that may create difficulties in ensuring the protection of personal data of employees.

The second stage is to conduct expert assessments. The purpose of this stage is to identify practical problems that arise when implementing the requirements of the legislation on personal data, as well as to evaluate the effectiveness of existing personal data protection measures.

The combination of an analysis of the regulatory framework and expert assessments allows us to form a comprehensive understanding of modern challenges in ensuring the protection of personal data of employees, as well as to develop practical recommendations for improving the personal data protection system in organizations.

Modern challenges and technological risks in the field of personal data protection

The digital transformation of business has led to a significant increase in the volume of personal data processed. Companies are increasingly using cloud storage, data management systems, big data platforms, and artificial intelligence to analyze information. According to D.A. Kartashov, such innovations entail significant threats to the security of personal data of employees, customers and partners. In the context of the active use of digital technologies, the risks of data leakage, misuse and violation of the rights of personal data subjects are increasing. Modern challenges require an integrated approach to information security, taking into account not only technical, but also legal, organizational and behavioral aspects [4].

One of the key threats is cyber attacks aimed at unauthorized access to databases containing personal information. Hackers use a variety of attack methods, including phishing, malware, software vulnerability attacks, and targeted attacks on corporate infrastructure. For example, phishing attacks are aimed at deceiving employees in order to gain access to confidential information, and malware can encrypt files or steal data. There are cases when large companies have been subjected to similar attacks, which led to the data leakage of millions of users. For example, the data leak resulting from the Yahoo hacking in 2013 affected about three billion user accounts. We can also give an example of the Equifax hack in 2017, when hackers gained access to the personal data of more than 147 million people, including social security numbers and credit information [5].

D. Rymashevskaya believes that the use of the Internet of Things (IoT) in the corporate environment also creates new threats. Smart devices, biometric systems, surveillance cameras, and other sensors can become targets of hacker attacks if they are not properly protected. Data leaks often occur due to the low level of security of IoT devices, lack of encryption and weak passwords [6]. According to O.V. Bychkov's research, about 70% of IoT devices have critical vulnerabilities that can be exploited by intruders [7]. In particular, in 2020, massive attacks on video surveillance systems were recorded, during which hackers gained access to thousands of surveillance cameras installed in offices, hospitals and schools [8].

Remote work and the use of cloud technologies also increase the vulnerability of systems. Many companies have switched to hybrid and remote work models, which has led to an increase in the number of devices connected to corporate networks from various locations. This creates additional vulnerability points if reliable protection systems such as VPNs, multi-factor authentication, and monitoring of abnormal activity are not used. In accordance with the Federal Law of the Russian Federation "On Personal Data" No. 152-FZ, personal data operators are required to take measures to protect information, including organizational and technical security measures. However, A.A. Minyaev believes that even with compliance with all regulatory requirements, there are risks associated with the human factor and insufficient digital literacy of users [9].

G.A. Maistrenko, considering the sources of legal regulation of employee personal data protection in Russia, believes that social engineering remains one of the most dangerous methods of attack. Even the most modern security systems can be powerless in the face of the human factor. The use of weak passwords, careless handling of confidential information, and lack of cyber literacy can cause serious data leaks. According to cybersecurity reports, more than 80% of hacks occur due to the use of weak passwords or the theft of credentials through social engineering methods. For example, in 2020, Twitter employees became victims of a social engineering attack, as a result of which attackers gained access to the accounts of famous personalities, including Barack Obama and Elon Musk [10].

To minimize risks, companies need to implement comprehensive security systems, including data encryption, the use of multi-factor authentication, constant threat monitoring and analysis of user behavior, regular software updates and access control. For example, the use of the AES-256 encryption standard can significantly increase the level of data protection. In addition, it is necessary to use technologies for analyzing user behavior anomalies that can detect suspicious actions and automatically block potential threats [11].

Staff training and increasing the level of cyber literacy of employees are also important aspects of information protection. According to Article 19 of Federal Law No. 152-FZ, personal data operators are required to ensure the security of personal information, including training employees in data protection methods. Training programs should include cybersecurity trainings, phishing attack simulations, and regular security policy checks. For example, large international companies such as Google and Microsoft conduct regular cyber training aimed at raising workers' awareness of cyber threats [12].

The legal aspects of personal data protection should also be taken into account. For example, the General Data Protection Regulation (GDPR) applies under European law, which sets strict requirements for the processing of personal information. In case of GDPR violations, companies can be fined up to 20 million euros or 4% of their annual turnover. In Russia, similar measures are provided for in Federal Law No. 152-FZ, but the practice of applying penalties is not yet so extensive [13].

Thus, the protection of personal data in the context of digital transformation requires an integrated approach, including both technical and organizational measures. The introduction of reliable security systems, the use of modern protection technologies, as well as increasing the level of cyber awareness of personnel are key factors in ensuring information security. At the same time, compliance with the norms of current legislation, such as the Federal Law "On Personal Data", is a mandatory requirement for all organizations working with personal data. In the future, we can expect stricter regulation in this area, which will require companies to invest more in information security and introduce new data protection technologies.

Legal regulation and organizational measures for personal data protection

According to O.K. Korobkova, compliance with legal requirements is a key aspect of protecting employees' personal data, since information about individuals requires reliable protection against unauthorized access, leaks and misuse. In the Russian Federation, there are a number of regulations governing this issue, including Federal Law No. 152-FZ of July 27, 2006 "On Personal Data", the Labor Code of the Russian Federation, as well as numerous subordinate regulations developed by Roskomnadzor and other authorized bodies [14].

According to the provisions of the Personal Data Act, companies are required to obtain the informed consent of employees to process their personal data, except in cases provided for by law. It is also necessary to strictly justify the purposes of processing, limit the storage time of information, and apply adequate security measures, including encryption, authentication, access control, and security auditing.

One of the important guarantees of citizens' rights is the principle of data minimization, according to which an employer should request only the information necessary to fulfill legitimate duties to an employee. Otherwise, the company risks facing administrative liability under Article 13.11 of the Code of Administrative Offences of the Russian Federation for the illegal receipt and processing of personal data.

However, law enforcement practice shows that many organizations face difficulties in ensuring compliance with these standards. The main problems include the lack of a unified standard for the processing of personal data in various sectors of the economy, discrepancies in the interpretation of legislation, as well as the difficulty of adapting it to modern conditions of digitalization. In addition, the lack of awareness of employees about their rights and responsibilities in the field of personal data protection also exacerbates the problem [15].

For example, the banking sector uses one approach to the processing of personal data of customers and employees, including multi-level protection systems, strict access control and regular monitoring of information flows. At the same time, in small businesses or educational institutions, personal data protection is often less structured, which creates prerequisites for violations of the law.

Another difficulty is the inconsistency of the companies' internal regulations with current legal requirements, which can lead to inspections by Roskomnadzor and the imposition of fines. For example, in 2023, Roskomnadzor fined a number of large Russian companies for non-compliance with the requirements for the storage and processing of personal data, since their internal policies lacked provisions on the procedure for deleting information after the expiration of storage periods [16].

To effectively comply with legal requirements, companies need to implement internal regulations and information protection policies. The development of local regulations should take into account the following key aspects [17]:

1. Determination of the procedure for processing personal data. The document should clearly regulate the categories of processed data, the purposes of their use, the retention period and measures for their destruction after completion of the necessary processing.

2. Information security measures. The organization should implement technical and organizational measures such as encryption, data backup, access control, audit logging, and regular vulnerability testing of information systems.

3. Duties of employees. All employees should be familiar with the internal data protection policies, undergo appropriate training and be responsible for violations of the rules for processing personal information.

4. Control and responsibility mechanisms. The employer is required to ensure compliance with legal requirements by conducting regular internal audits, checking access logs and maintaining a register of security incidents.

Also, one of the effective methods of increasing the level of personal data protection is the development of a methodology for evaluating the effectiveness of existing measures to protect personal data of employees.

The development of a methodology for evaluating the effectiveness of existing measures to protect employees' personal data is a multidimensional task that requires an integrated approach based on regulatory requirements, best practices and the specifics of the organization's activities. The purpose of this methodology is to provide a structured and measurable way to assess the adequacy and effectiveness of applied measures aimed at ensuring the confidentiality, integrity and accessibility of personal data of employees.

The methodology is based on the provisions of Federal Law No. 152-FZ "On Personal Data", which establishes general requirements for the processing of personal data, including the principles, conditions and procedure for such processing (Article 5 of the Law). In addition, the provisions of other regulations are taken into account, including the Labor Code of the Russian Federation, which defines the rights and obligations of the employer and employee regarding the processing of personal data, as well as bylaws regulating information protection issues [18].

The proposed methodology for evaluating effectiveness includes the following key steps (Fig. 1):

Fig. 1 – The stages of evaluating the effectiveness of the level of protection of personal data of employees

At the first stage, a detailed analysis of the processes of processing personal data of employees in the organization is carried out. All categories of personal data are defined, including identification data, contact information, information about education, employment, financial data, and others. It is important to note that the amount of data processed should be strictly limited by the purpose of processing (Article 5 of the Law).

The second stage involves identifying and analyzing potential threats and vulnerabilities that may lead to improper processing, leakage, destruction or modification of personal data. The risk assessment is carried out taking into account the likelihood of negative consequences and the degree of damage that may be caused to personal data subjects. The methodological recommendations of the FSTEC of Russia on the assessment of information security threats can be used as a starting point.

At the third stage, a detailed study of the organizational and technical measures used to protect personal data is carried out. Organizational measures include the development and implementation of internal policies and procedures governing the processing of personal data, staff training, and the appointment of responsible persons. Technical measures include the use of information security tools such as access control systems, encryption, antivirus protection, intrusion detection systems, and others (FSTEC of Russia Order No. 21 "On Approval of the Composition and Content of Organizational and Technical Measures to ensure the Security of Personal Data during their Processing in Personal Data Information Systems").

The fourth stage involves evaluating the effectiveness of the measures applied, it is necessary to establish clear and measurable criteria. The criteria can be quantitative (for example, the number of incidents involving violations of personal data confidentiality, the recovery time after the incident) and qualitative (for example, the level of staff awareness of the requirements of legislation in the field of personal data protection, the degree of compliance of the applied measures with the requirements of regulations).

At the fifth stage, the compliance of the applied protection measures with the established effectiveness criteria is assessed. The assessment can be conducted through audits, penetration testing, event log analysis, staff surveys, and other methods. The evaluation results are presented in the form of a report containing conclusions on the effectiveness of the applied measures and recommendations for their improvement.

Based on the results of the assessment, an action plan is being developed during the sixth stage aimed at eliminating the identified deficiencies and improving the effectiveness of the applied protective measures. The action plan should contain specific actions, deadlines for their implementation and responsible persons.

An important aspect of the methodology is to ensure the continuity of the process of evaluating the effectiveness of personal data protection measures. The assessment should be carried out on a regular basis, as well as when regulatory requirements, technological infrastructure or personal data processing processes change. The evaluation results should be used for continuous improvement of the personal data protection system in the organization [19].

Additionally, to reduce the likelihood of unauthorized use of personal data, it is important to implement access monitoring systems, automated security tools, and authentication tools such as two-factor identification (2FA). As an example, we can cite the practice of a number of Russian IT companies that use strict data access control policies, use a biometric identification system, and keep centralized records of all actions with confidential information.

An important aspect remains the balance between the employer's control and trust in employees. Excessive control can lead to a decrease in the level of trust within the team and a deterioration in the psychological climate in the organization. Therefore, measures to ensure the protection of personal data should be reasonable and justified, consistent with the principle of proportionality, enshrined in the legislation on personal data [20].

Thus, effective protection of personal data requires an integrated approach that includes not only compliance with legal regulations, but also the introduction of modern information security technologies, increasing the level of legal literacy of employees and creating a culture of awareness of the importance of data protection in the corporate environment. Compliance with these principles will minimize the risks of violations of the law, avoid significant fines and ensure reliable protection of personal data of employees and customers of the company.

Conclusion

The protection of personal data of employees is a multifaceted and complex task that requires coordinated actions in the technological, legal and organizational spheres. In the context of the rapid development of digital technologies and the processes of digital business transformation, companies face growing challenges related to information security. Threats such as confidential information leaks, unauthorized access, cyber attacks, malicious software, and social engineering are becoming more widespread and complex.

One of the key aspects of personal data protection is the improvement of legal regulations that establish requirements for the processing, storage and transmission of information. In modern conditions, it is necessary to take into account both national legislation and international standards in the field of data protection, such as the General Data Protection Regulation (GDPR), Convention 108+ of the Council of Europe and other regulations. The introduction of strict security standards makes it possible to increase the level of legal protection of employees and reduce the likelihood of violations related to the processing of their personal data.

An equally important area is the use of modern technological solutions that provide a high level of information protection. Such solutions include data encryption systems, access control tools, biometric authentication, user activity monitoring tools, data leak prevention (DLP) systems, and malware protection tools. The use of advanced technologies helps to minimize the risks of unauthorized dissemination of personal information and increases the overall level of cybersecurity in the organization.

However, technological measures alone cannot guarantee absolute protection of personal data. The formation and development of a corporate cybersecurity culture plays an important role. Training employees in the basics of information security, conducting regular trainings, developing internal regulations and instructions on data protection, as well as creating awareness of responsibility for information security – all this helps to reduce the likelihood of human factors as one of the main causes of data leaks.

In addition, special attention should be paid to risk management issues related to the processing of personal data. The development and implementation of information risk management programs, regular security audits, incident analysis, and continuous improvement of the data protection system enable companies to identify vulnerabilities in a timely manner and take measures to eliminate them.

Only an integrated approach, including legal, organizational and technical measures, can guarantee effective protection of employees' personal information. The introduction of modern technologies, compliance with legal requirements, the development of an information security culture and constant risk monitoring will create a reliable personal data protection system. This, in turn, will contribute not only to reducing threats and preventing information leaks, but also to strengthening the trust of employees, partners and customers in the company. Trust is the most important asset of any organization, and ensuring the security of personal data becomes an integral element of a successful and sustainable business strategy.

References
1. Dorzhieva, N. G. (2023). Analysis of the current state of the problem of protecting personal data of enterprise employees. E-Scio, 4, 21-25.
2. Muntian, S. I. (2024). Protection of employee rights in court in case of disclosure of personal data by the employer. In Scientific support of the agro-industrial complex: Proceedings of the 79th scientific-practical conference of students based on the results of research work for 2023 (Vol. 2, pp. 923-925). Kuban State Agrarian University named after I. T. Trubilin.
3. Kuemzhieva, Y. N. (2023). The role of judicial practice in the formation and implementation of the principles of civil procedure. Trends in the Development of Science and Education, 103, 98-100. https://doi.org/10.18411/trnio-11-2023-217
4. Kartashova, D. A. (2018). Protection of employee personal data. Student, 11-7, 33-36.
5. Latypova, D. R. (2020). Problems of protecting employee personal data. In LXX Youth Scientific Conference dedicated to the 75th anniversary of Victory in the Great Patriotic War and the 100th anniversary of V. P. Lukachev's birth: Abstracts of reports (pp. 170-171). Samara National Research University named after Academician S. P. Korolev.
6. Rymashevskaya, D. (2020). Protection of employee personal data in Russia and Poland. In Current Issues in Legal Science: Proceedings of the XVI International Scientific and Practical Conference of Young Researchers (Vol. 2, pp. 149-151). South Ural State University.
7. Bychkova, O. V. (2024). Protection of personal data of hired workers. In Current Issues of State and Municipal Management: Theoretical, Methodological, and Applied Aspects: Proceedings of the All-Russian Scientific and Practical Round Table (pp. 16-18). Donetsk State University.
8. Kryshchenko, N. I. (2020). Development of a scheme and determination of methods for protecting personal data of employees and clients in small enterprises. Youth Scientific School of the Department of “Secure Communication Systems”, 1(2), 69-71.
9. Minyaev, A. A. (2020). Method for assessing the effectiveness of the information protection system of territorially distributed personal data information systems. Bulletin of St. Petersburg State University of Technology and Design, 1, 29-33.
10. Maistrenko, G. A. (2021). Sources of legal regulation for the protection of employee personal data in Russia. Legal Bulletin, 5(1), 24-29.
11. Afanasyev, I. V. (2019). Legal foundations of professional activity. Yurait.
12. Uvarova, Y. A. (2018). Legal guarantees for the protection of employee personal data in labor legislation of the Russian Federation. Young Scientist, 19, 328-330.
13. Vered, E. B. (2021). On strengthening criminal law protection of employee personal data. Labor Law Issues, 8, 588-595. https://doi.org/10.33920/pol-2-2108-03
14. Korobkova, O. K. (2021). Problematic issues of information security in organizations within the framework of economic security in the Russian Federation. Bulletin of Khabarovsk State University of Economics and Law, 1, 48-54.
15. Popova, S. A., & Solovyev, M. A. (2018). Protection of employee personal data. Bulletin of the Master's Program, 12-5, 87.
16. Ababkova, A. Y. (2024). Protection of personal data of medical workers: Problems of theory and practice. In Medical Law: New Legal Challenges in the Work of Medical Organizations: Proceedings of the IV International Forum on Medical Law (pp. 155-160). Ural State Law University named after V. F. Yakovlev.
17. Gadzhiev, K. I. (2019). Protection of privacy in the digital age. Journal of Foreign Legislation and Comparative Law, 6, 5-20. https://doi.org/10.12737/jflcl.2019.6.1
18. Karpova, E. V. (2022). Protection of employee personal data. In Current Issues in the Theory and Practice of Financial and Economic Activity: Proceedings of the IV All-Russian (National) Scientific and Practical Conference (pp. 154-157). Voronezh.
19. Musaeva, G. B. (2024). Protection of employee personal data. In The Role of Agricultural Science in the Sustainable Development of Rural Areas: Proceedings of the IX All-Russian (National) Scientific Conference with International Participation (pp. 1282-1285). Novosibirsk State Agrarian University.
20. Sokolova, Z. V. (2019). Features of the protection of employee personal data in educational institutions of Crimea. In Problems of Information Security: V All-Russian Scientific and Practical Conference with International Participation (pp. 142-144). Crimean Federal University named after V. I. Vernadsky.

First Peer Review

Peer reviewers' evaluations remain confidential and are not disclosed to the public. Only external reviews, authorized for publication by the article's author(s), are made public. Typically, these final reviews are conducted after the manuscript's revision. Adhering to our double-blind review policy, the reviewer's identity is kept confidential.
The list of publisher reviewers can be found here.

The subject of the research in the article submitted for review is, as its name implies, modern challenges in ensuring the protection of personal data of employees. The declared boundaries of the research have been observed by the scientist. The research methodology is not disclosed in the text of the article. The relevance of the research topic chosen by the author is undeniable and is justified by him as follows: "In the context of the rapid development of information technology, global digitalization and the widespread introduction of electronic data storage and processing systems, personal data protection issues are becoming particularly important. Modern society, based on the principles of technological interconnectedness and rapid information exchange, is facing increasing risks of unauthorized access to confidential information, misuse of personal data, their leakage, modification and destruction due to cyber attacks, technical failures or actions of third parties. These threats affect both individuals and legal entities operating in various fields of economics and public relations. In particular, this problem concerns the personal data of employees processed by employers during the execution of employment relations and personnel administration. Such data includes information about the identity of employees, their professional activities, medical indicators, financial situation and other aspects, which makes them objects of increased attention from intruders and requires reliable legal and technical protection at all stages of their life cycle." Additionally, the scientist needs to list the names of the leading experts involved in the research of the issues raised in the article, as well as disclose the degree of their study. The scientific novelty of the work is reflected in a number of the author's conclusions: "Thus, the protection of personal data in the context of digital transformation requires an integrated approach, including both technical and organizational measures. The introduction of reliable security systems, the use of modern protection technologies, as well as increasing the level of cyber awareness of personnel are key factors in ensuring information security. At the same time, compliance with the norms of current legislation, such as the Federal Law "On Personal Data", is a mandatory requirement for all organizations working with personal data. In the future, we can expect stricter regulation in this area, which will require additional investments in information security and the introduction of new data protection technologies from companies"; "... effective protection of personal data requires an integrated approach that includes not only compliance with legislation, but also the introduction of modern information protection technologies, increasing the level of legal literacy of employees and creating a culture awareness of the importance of data protection in a corporate environment. Compliance with these principles will minimize the risks of violations of the law, avoid significant fines and ensure reliable protection of personal data of employees and customers of the company"; "Protection of personal data of employees is a multifaceted and complex task that requires coordinated actions in the technological, legal and organizational spheres. In the context of the rapid development of digital technologies and the processes of digital business transformation, companies face growing challenges related to information security. Threats such as confidential information leaks, unauthorized access, cyber attacks, malicious software, and social engineering are becoming more widespread and complex. One of the key aspects of personal data protection is the improvement of legal regulations that establish requirements for the processing, storage and transmission of information. In modern conditions, it is necessary to take into account both national legislation and international standards in the field of data protection, such as the General Data Protection Regulation (GDPR), Convention 108+ of the Council of Europe and other regulations. The introduction of strict security standards makes it possible to increase the level of legal protection of employees and reduce the likelihood of violations related to the processing of their personal data," etc. Thus, the article makes a definite contribution to the development of Russian legal science and certainly deserves the attention of potential readers. The scientific style of the research is fully supported by the author. The structure of the work is logical. In the introductory part of the article, the scientist substantiates the relevance of his chosen research topic. The main part of the article consists of two sections: "Modern challenges and technological risks in the field of personal data protection"; "Legal regulation and organizational measures for personal data protection". The final part of the paper contains conclusions based on the results of the conducted research. The content of the article corresponds to its title and does not cause any particular complaints. The bibliography of the study is represented by 20 sources (scientific articles). From a formal point of view, this is enough. There is an appeal to the opponents, but it is of a general nature. The author does not enter into a scientific discussion with specific scientists, referring to a number of theoretical sources solely to substantiate his judgments or to illustrate certain points of the work. There are conclusions based on the results of the study ("The protection of personal data of employees is a multifaceted and complex task that requires coordinated actions in the technological, legal and organizational spheres. In the context of the rapid development of digital technologies and the processes of digital business transformation, companies face growing challenges related to information security. Threats such as confidential information leaks, unauthorized access, cyber attacks, malicious software, and social engineering are becoming more widespread and complex. One of the key aspects of personal data protection is the improvement of legal regulations that establish requirements for the processing, storage and transmission of information. In modern conditions, it is necessary to take into account both national legislation and international standards in the field of data protection, such as the General Data Protection Regulation (GDPR), Convention 108+ of the Council of Europe and other regulations. The introduction of strict security standards makes it possible to increase the level of legal protection of employees and reduce the likelihood of violations related to the processing of their personal data. An equally important area is the use of modern technological solutions that provide a high level of information security. Such solutions include data encryption systems, access control tools, biometric authentication, user activity monitoring tools, data leak prevention (DLP) systems, and malware protection tools. The use of advanced technologies helps to minimize the risks of unauthorized dissemination of personal information and increases the overall level of cybersecurity in the organization. However, technological measures alone cannot guarantee absolute protection of personal data. The formation and development of a corporate cybersecurity culture plays an important role. Training employees in the basics of information security, conducting regular trainings, developing internal regulations and instructions on data protection, as well as creating awareness of responsibility for information security – all this helps to reduce the likelihood of human factors as one of the main causes of data leaks"), have the properties of reliability, validity and undoubtedly deserve the attention of the scientific community.
The interest of the readership in the article submitted for review can be shown primarily by experts in the field of administrative law and information law, provided that it is finalized: disclosure of the research methodology, additional justification of the relevance of its topic (within the framework of the remark made), the introduction of additional elements of discussion.

Second Peer Review

Peer reviewers' evaluations remain confidential and are not disclosed to the public. Only external reviews, authorized for publication by the article's author(s), are made public. Typically, these final reviews are conducted after the manuscript's revision. Adhering to our double-blind review policy, the reviewer's identity is kept confidential.
The list of publisher reviewers can be found here.

REVIEW of an article on "Modern challenges in ensuring the protection of personal data of employees". The subject of the study. The article proposed for review is devoted to topical issues of ensuring the protection of personal data of employees. The author focuses on the civil law mechanisms of personal data protection at the current stage of society's development, when personal data is actively used for various purposes, including in the digital space. The problems of modern challenges and technological risks in the field of personal data protection, legal regulation and organizational measures of personal data protection are revealed. It is proposed to disclose the stated problems from the point of view of "an integrated approach that includes not only the implementation of legislative norms, but also the introduction of modern information security technologies, increasing the level of legal literacy of employees and creating a culture of awareness of the importance of data protection in the corporate environment." The specific subject of the study was practice materials, provisions of regulatory legal acts, and opinions of scientists on the subject of personal data protection. Research methodology. The purpose of the study is not stated explicitly in the article. At the same time, it can be clearly understood from the title and content of the work. The purpose can be designated as the consideration and resolution of certain problematic aspects of the issue of ensuring the protection of personal data of employees. Based on the set goals and objectives, the author has chosen the methodological basis of the research. As stated in the article itself, "The research methodology is based on an integrated approach combining the analysis of the regulatory framework and expert assessments. This approach is conditioned by the need for a comprehensive study of the problem, taking into account both the legal aspects and the practical realities of the functioning of personal data processing systems in organizations." In particular, the author uses a set of general scientific methods of cognition: analysis, synthesis, analogy, deduction, induction, and others. In particular, the methods of analysis and synthesis made it possible to summarize and share the conclusions of various scientific approaches to the proposed topic, as well as draw specific conclusions from practical materials. The most important role was played by special legal methods. In particular, the author actively applied the formal legal method, which made it possible to analyze and interpret the norms of current legislation on personal data protection. For example, the following is the author's conclusion: "In the Russian Federation, the main regulatory legal act regulating relations in this area is Federal Law No. 152-FZ of July 27, 2006 On Personal Data, which defines the basic principles, legal grounds and requirements for the processing, storage, transfer and destruction of personal data. This law establishes the rights of personal data subjects, establishes the duties of operators for their processing, provides for information protection measures and responsibility for violations committed." In general, the article presents the author's approaches to how the provisions of current legislation should be interpreted in relation to personal data and their protection. The possibilities of the empirical research method should be positively assessed. The author draws conclusions about how to improve the personal data protection regime, taking into account statistics and other data. For example, it is stated that "in 2023, Roskomnadzor fined a number of large Russian companies for non-compliance with the requirements for the storage and processing of personal data, since their internal policies did not contain provisions on the procedure for deleting information after the expiration of storage periods." Thus, the methodology chosen by the author is fully adequate to the purpose of the study, allows us to study all aspects of the topic in its entirety. Relevance. The relevance of the stated issues is beyond doubt. There are both theoretical and practical aspects of the significance of the proposed topic. From the point of view of theory, the topic of ensuring the protection of personal data of employees is complex and ambiguous. At the moment, when the number and volume of personal data leaks have increased with the development of the Internet, as well as the forms and mechanisms of hacker activity, it is important to ensure the safety of personal data of employees. Massive leaks of personal data can have adverse consequences, primarily in terms of the potential threat to the rights and legitimate interests of citizens. It is difficult to argue with the author that "threats affect both individuals and legal entities operating in various fields of economics and public relations. In particular, this problem concerns the personal data of employees processed by employers during the execution of employment relations and personnel administration. Such data includes information about the identity of employees, their professional activities, medical indicators, financial situation and other aspects, which makes them objects of increased attention from intruders and requires reliable legal and technical protection at all stages of their life cycle." The practical examples given by the author in the article clearly demonstrate this issue. Thus, scientific research in the proposed field should only be welcomed. Scientific novelty. The scientific novelty of the proposed article is beyond doubt. Firstly, it is expressed in the author's specific conclusions. Among them, for example, the following conclusion: "Only an integrated approach, including legal, organizational and technical measures, can guarantee effective protection of personal information of employees. The introduction of modern technologies, compliance with legal requirements, the development of an information security culture and constant risk monitoring will create a reliable personal data protection system. This, in turn, will contribute not only to reducing threats and preventing information leaks, but also to strengthening the trust of employees, partners and customers in the company." These and other theoretical conclusions can be used in further scientific research. Secondly, the author suggests ideas for improving the current legislation. In particular, "One of the key aspects of personal data protection is the improvement of legal regulations that establish requirements for the processing, storage and transmission of information. In modern conditions, it is necessary to take into account both national legislation and international standards in the field of data protection, such as the General Data Protection Regulation (GDPR), Convention 108+ of the Council of Europe and other regulations." The above conclusion may be relevant and useful for law-making activities. Thus, the materials of the article may be of particular interest to the scientific community in terms of contributing to the development of science. Style, structure, and content. The subject of the article corresponds to the specialization of the journal "Legal Research", as it is devoted to legal issues related to the protection of personal data of employees at the present stage. The content of the article fully corresponds to the title, as the author examined the problems and identified the most important issues of protecting employees' personal data, in particular, in terms of potential database leaks. The purpose of the study can be fully considered achieved, as the author proposed some solutions to the problem of protecting personal data of employees, both legally and technically. The quality of the presentation of the study and its results should be fully recognized as positive. The subject, objectives, methodology, and main research results follow directly from the text of the article. The design of the work generally meets the requirements for this kind of work. No significant violations of these requirements were found. Bibliography. The quality of the literature used should be highly appreciated. The author actively uses the literature presented by authors from Russia (Dordjieva N.G., Muntyan S.I., Afanasyev I.V., Popova S. A., Soloviev M. A. and others). Many of the cited scientists are recognized scientists in the field of personal data protection.
Thus, the works of these authors correspond to the research topic, have a sign of sufficiency, and contribute to the disclosure of various aspects of the topic. Appeal to the opponents. The author conducted a serious analysis of the current state of the problem under study. All quotations of scientists are accompanied by the author's comments. That is, the author shows different points of view on the problem and tries to argue the more correct one in his opinion. Conclusions, the interest of the readership. The conclusions are fully logical, as they are obtained using a generally accepted methodology. The article may be of interest to the readership in terms of the systematic positions of the author in relation to the problem of creating a legal and technical framework for the effective protection of personal data of employees. Based on the above, summarizing all the positive and negative sides of the article, "I recommend publishing"
Nota Bene
 
For authors
 
Other
 
Our sites
© 1998 – 2025 Nota Bene. Publishing Technologies. NB-Media Ltd.