The National Center for Personal Data Protection has published a checklist on the technical protection of personal data.
- The National Center for Personal Data Protection of the Republic of Belarus (NCZPD, the Center) has prepared a sample checklist of questions that are reviewed during inspections of technical measures for personal data protection.
- What the checklist includes
- Contact our lawyer to learn more
The National Center for Personal Data Protection of the Republic of Belarus (NCZPD, the Center) has prepared a sample checklist of questions that are reviewed during inspections of technical measures for personal data protection.
|
The document is based on Article 17 of the Law of the Republic of Belarus “On Personal Data Protection,” which requires data operators to ensure the protection of personal data against unauthorised access, alteration, disclosure, deletion, and other unlawful actions. |
The Centre separately emphasises that technical measures must not be purely formal. During inspections, not only the existence of internal policies is assessed, but also the actual implementation of security measures — how information systems operate, how access rights are configured, the use of security tools, and how personal data processing is organised in practise.
The prepared checklist is intended for internal audits within organisations and helps assess readiness for inspections, identify weaknesses, and avoid common violations.
What the checklist includes
First of all, the Centre reviews the organisation of information security processes: whether a responsible person has been appointed, whether employees have received relevant training, and whether a register of information systems containing personal data is maintained.
Special attention is paid to information resources themselves. It is checked whether excessive amounts of personal data are being processed, whether the scope of collected data corresponds to the purposes of processing, and how data is transferred between systems and to third parties.
Also in focus are:
- access procedures to personal data and distribution of user rights;
- video surveillance, storage periods for recordings, and camera coverage zones;
- official websites, feedback forms, cookies, and user personal accounts;
- use of cloud infrastructure and cross-border data transfer;
- remote workplaces of employees;
- storage of personal data on employees’ computers;
- access control and management systems;
- procedures for deletion and blocking of personal data.
If an organisation has a certified information security compliance system, the Centre cheques whether the actual infrastructure matches the approved documentation, whether certified security tools are used, and whether external connections are properly configured.
Unscheduled inspections
In addition to complaints from data subjects, a serious basis for an unscheduled inspection by the Centre may also include the detection of critical vulnerabilities in information systems and potential personal data leaks. If a critical vulnerability is identified, NCZPD may require the suspension of personal data processing until the violation is resolved.
What this means for business
Essentially, the Centre has created a practical set of technical questions that organisations should already be checking internally. The checklist can be used as a basis for internal audits and preparation for regulatory inspections, as cheques will focus not only on documentation but also on the real state of personal data protection.
| The checklist has been published on the Center’s website. |
Contact our lawyer to learn more
Contact a lawyer
