Draft


RESOLUTION OF THE CABINET OF MINISTERS

KYRGYZ REPUBLIC

On Amendments to the Resolution of the Government of the Kyrgyz Republic "On approval of criteria for assessing the degree of risk in the conduct of entrepreneurial activity" dated February 18, 2012 No. 108


In order to implement the Law of the Kyrgyz Republic "On the procedure for conducting inspections of business entities", in accordance with Articles 13 and 17 of the Constitutional Law of the Kyrgyz Republic "On the Cabinet of Ministers of the Kyrgyz Republic", the Cabinet of Ministers of the Kyrgyz Republic decides:

1. To make the following addition to the Resolution of the Government of the Kyrgyz Republic "On approval of criteria for assessing the degree of risk in the conduct of entrepreneurial activity" dated February 18, 2012 No. 108:

- the criteria for assessing the degree of risk in carrying out entrepreneurial activity, approved by the above-mentioned resolution, should be supplemented with chapter 25 of the following content:

"Chapter 25. Criteria for assessing the degree of risk of entrepreneurial activity related to the collection, storage, processing and transfer of personal data

88. The criteria for assessing the degree of risk of entrepreneurial activity related to the collection, storage, processing and transfer of personal data are directly related to the ratings of threats to the security of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of personal data security.

89. A business entity, based on the specific conditions of working with personal data, the value of the protected information and the cost of measures to protect it, as well as taking into account the level of technical development, approves its own list of threats to the security of personal data in the form approved by the authorized state body for personal data.

90. The risk assessment is carried out by the authorized state body on personal data during the audit of the business entity in order to determine the period of the subsequent scheduled audit.

91. Assessment of the degree of risk of entrepreneurial activity related to the collection, storage, processing and transfer of personal data is carried out by the authorized state body for personal data on the basis of the following criteria:




Criteria | Range of points | Score (points)

1. Relevance of the threat to the security of personal data
   Range of points: 0-10 points
   Score (points):
   0 - irrelevant;
   10 - relevant

2. Possible harm to the subject of personal data, which may be caused in the event of a threat
   Range of points: 0-30 points
   Score (points):
   0 - harm cannot be caused (does not entail damages and moral harm to the subject of personal data);
   10 - minor damage, easily compensated by the holder (minor costs - less than 1000 calculated indicators, for liquidation/compensation of consequences for losses and moral damage caused);
   20 - significant damage that can be compensated by the operator (entails significant costs - more than 1000 calculated indicators, for liquidation/compensation of consequences for losses and moral damage caused);
   30 - critical damage that cannot be compensated (entails causing losses and moral damage that cannot be compensated)

3. The volume of processed personal data that are subject to this threat
   Range of points: 10-30 points
   Score (points):
   10 - insignificant volume (the information system processes personal data in a volume not exceeding 10,000 subjects of personal data at the time of verification);
   20 - significant volume (the information system processes personal data in the amount of more than 10,000 to 100,000 subjects of personal data at the time of verification);
   30 - critical volume (the information system processes personal data in the amount of more than 100,000 personal data subjects at the time of verification)

4. The content of the processed personal data that are subject to this threat
   Range of points: 10-15 points
   Score (points):
   10 - personal data not related to special categories;
   15 - special categories of personal data (in accordance with part 1 of Article 8 of the Law of the Kyrgyz Republic "On Personal Information"), as well as biometric data (in accordance with part 3 of Article 5 of the Law of the Kyrgyz Republic "On Biometric Registration of Citizens of the Kyrgyz Republic")

5. Duration of the personal data processing activity to which the threat applies
   Range of points: 5-15 points
   Score (points):
   5 - short-term (data processing for no more than 2 (two) weeks);
   10 - medium-term (data processing from 6 months to 1 year);
   15 - long-term (use and storage of personal data is carried out for more than 1 year)

6. Availability of cross-border transfer of personal data
   Range of points: 0-15 points
   Score (points):
   0 - there is no cross-border transfer of personal data;
   10 - personal data is transferred to third countries on the basis of international agreements;
   15 - personal data is transferred to third countries on the basis of the consent of the owner of personal data

7. Availability of documentation to ensure the security of personal data
   Range of points: 0-15 points
   Score (points):
   0 - availability of documentation on ensuring the security of personal data in accordance with the threat ratings defined by the Requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of personal data security, approved by the Decree of the Government of the Kyrgyz Republic dated November 21, 2017 No. 760; at the same time, the list and content of the documentation correspond to the security levels;
   10 - availability of documentation on ensuring the security of personal data in accordance with the threat ratings defined by the Requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of personal data security, approved by the Decree of the Government of the Kyrgyz Republic dated November 21, 2017 No. 760; at the same time, the list and content of the documentation do not correspond to the security levels;
   15 - lack of documentation on ensuring the security of personal data in accordance with the threat ratings defined by the Requirements for ensuring the security and protection of personal data during their processing in personal data information systems, the implementation of which ensures the established levels of personal data security, approved by the Decree of the Government of the Kyrgyz Republic dated November 21, 2017 No. 760

8. The presence of an authorized person responsible for ensuring the security of personal data
   Range of points: 0-10 points
   Score (points):
   0 - an authorized person responsible for ensuring the security of personal data has been appointed;
   10 - there is no authorized person responsible for ensuring the security of personal data

9. Advanced training of the person responsible for ensuring the security of personal data
   Range of points: 0-10 points
   Score (points):
   0 - advanced training completed no more than 2 years ago;
   5 - advanced training completed no more than 3 years ago;
   10 - advanced training completed more than 3 years ago


The degree of risk of entrepreneurial activity related to the collection, storage, processing and transfer of personal data is determined as the sum of the points awarded for each of the criteria.


92. The number of points reflecting the history of the business entity's activity depends on the number of cases of non-compliance by the business entity with the requirements of the legislation of the Kyrgyz Republic in the field of personal information identified during unscheduled inspections for a certain period:


History of the subject                              | Scores
No cases have been identified in the last 12 months | 15
No cases have been identified in the last 3 years   | 10
No cases have been identified in the last 5 years   | 5
No cases have been identified in the last 7 years   | 0 (no points are awarded)



Note: the points established for each time period are added to the sum of the points established during the determination of the degree of risk of entrepreneurial activity related to the collection, storage, processing and transfer of personal data in accordance with paragraph 91 of these criteria.

93. Criteria of security threats by levels and availability of necessary documentation for each level are determined in accordance with the Requirements for ensuring the security and protection of personal data when processing them in personal data information systems, the implementation of which ensures the established levels of personal data security approved by the Resolution of the Government of the Kyrgyz Republic dated November 21, 2017 No. 760.

94. Assessment of the degree of risk of entrepreneurial activity related to the collection, storage, processing and transfer of personal data without the use of information systems is carried out on the basis of the division of such business entities into the following categories:



No. | The volume of personal data processed | Degree of risk | Score (points)
1.  | A business entity processes personal data in an amount not exceeding 10,000 personal data subjects at the time of verification | insignificant | 40 points
2.  | A business entity processes personal data in the amount of more than 10,000 to 100,000 personal data subjects at the time of verification | average | 60 points
3.  | A business entity processes personal data in the amount of more than 100,000 personal data subjects at the time of the audit | high | 80 points


2. This resolution shall enter into force from the date of its official publication.



Chairman of the Cabinet of Ministers
of the Kyrgyz Republic                                                    A.U. Zhaparov