On 11 February 2024, Kazakhstan put into effect the Law 'On the Introduction of Amendments and Supplements to Certain Legislative Acts On Information Security, Informatization, and Digital Assets' (hereinafter - the 'Law'), dated 11 December 2023, No. 44-VIII ZRK. This Law introduces notable changes and supplements to the existing legislation, specifically the Law 'On Personal Data and Protection Thereof', dated 21 May 2013, No. 94-V (hereinafter - the 'Personal Data Law').
Key changes include:
1. Introduction of the concept of 'personal data security breach'.
2. Effective 1 July 2024, a new requirement mandates that the Ministry of Digital Development, Innovation, and Aerospace Industry of Kazakhstan (Digital Development Ministry) be notified of any breaches in personal data security.
3. Collecting and processing physical copies of identity documents is now prohibited.
4. The Digital Development Ministry is authorised to implement governmental oversight to ensure compliance with personal data legislation.
The amendments introduced to the Personal Data Law require businesses to adopt a more responsible approach to collecting and processing personal data. The law empowers the Digital Development Ministry to conduct unscheduled inspections of business entities to ensure compliance with the requirements of the Personal Data Law. Such inspections are initiated based on specific facts and circumstances concerning a particular business entity, such as complaints from individuals. The Digital Development Ministry should take a decision to conduct an unscheduled inspection and register it with the Legal Statistics and Special Records Committee of the General Prosecutor's Office of Kazakhstan. During the inspection, the Digital Development Ministry assesses the business entity's compliance with the requirements outlined in the inspection checklist. For matters related to personal data legislation, the checklist consists of 33 requirements. However, only some requirements are mandatory for some business entities. Following the state inspection, the Digital Development Ministry issues a report and a corrective order to address any identified violations according to the inspection checklist. Apart from the state inspection, a business entity may face administrative penalties if grounds for administrative offences are found.
The annex hereto provides an overview of the latest amendments and supplements to the Personal Data Law.
How can liability risks be minimised and compliance with personal data legislation ensured?
To minimise the risks of potential breaches of personal data protection legislation and ensure compliance, companies need:
1. Define the objectives of processing restricted personal data.
2. Establish procedures for processing, distributing, and accessing restricted personal data.
3. Define the procedure for blocking restricted personal data when requested by the data subject.
4. Approve a list of personal data necessary and sufficient for carrying out the tasks at hand.
5. Maintain a database within the territory of Kazakhstan where restricted personal data are stored.
6. Adopt a policy for collecting, processing, and protecting personal data.
7. Identify business processes containing restricted personal data.
8. Differentiate between publicly accessible and restricted personal data.
9. Specify the individuals responsible for collecting and processing personal data or having access to them.
10. Appoint a person responsible for organising the personal data processing (for legal entities).
11. Ensure the installation of information security devices and software updates on technical devices processing restricted personal data.
12. Implement the maintenance of (1) event logs of database management systems when processing restricted personal data and (2) user activity logs for those having access to restricted personal data.
13. Implement the use of integrity control measures for restricted personal data.
14. Implement cryptographic information security tools and encryption for storing and transmitting personal data.
15. Implement user identification and/or authentication measures when working with restricted personal data.
16. Have the ability to demonstrate the protection of personal data in countries where cross-border personal data transfer occurs.
Meeting these requirements is a complex task that companies' IT departments should perform jointly with legal experts to minimize negative consequences and risks.
This overview is provided for informational purposes only. While it offers a general understanding, it does not constitute legal advice. For comprehensive guidance tailored to your specific situation, we encourage you to contact GRATA Law Firm at almaty@gratanet.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.