Kazakhstan: Administrative liability for failure to protect information systems containing personal data
Published 1 January 2016
What does this cover?
A new law entitled 'On Amendments to Certain Legislative Acts of the Republic of Kazakhstan on Informatization' (24 November 2015 No. 419-V) was published on 26 November 2015, making amendments to the Code of the Republic of Kazakhstan entitled 'On Administrative Violations' (5 July 2014 No. 235-V) (the Code).
The amendment to the Code came into effect on 1 January 2016 and imposes liability on owners or proprietors of systems containing personal data for (i) failures to implement security measures, or (ii) the improper implementation of security measures intended to protect such systems.
Violations will lead to fines on the following scales: (i) for individuals: 10 times the monthly calculation index; (ii) for officials, small business and non-profit organizations: 15 times the monthly calculation index; (iii) for subjects of medium business: 30 times the monthly calculation index; and (iv) for subjects of large business: 100 times the monthly calculation index. In 2016, one monthly calculation index is equal to KZT 2121 (approximately USD 6).
Article submitted by Ravil Kassilgov, Kassilgov & Partners LLP – Almaty, Kazakhstan.
What action could be taken to manage risks that may arise from this development?
Companies should ensure that any systems located in Kazakhstan that contain personal data are properly protected by the implementation of appropriate security measures.