RU2690763C1 - System and method of making a web site gathering personal information in accordance legislation on personal data when detecting its violations - Google Patents

Abstract

FIELD: information technology.SUBSTANCE: present invention relates to information security tools in electronic networks. Method of making a web site that collects personal information of users in accordance with the legislation on personal data contains the steps of modifying the information system on which data is collected or used, by embedding a program code (script) into the specified web page, which eliminates the violation by creating an appropriate solution.EFFECT: ensuring compliance with a web resource that collects personal data of a user, the legislation on personal data.13 cl, 6 dwg

Description

Technical field

The present invention relates to information security tools in electronic networks and, more specifically, to the means of bringing websites (web resources) that process personal data of users in accordance with the legislation on personal data, including when identifying violations related to non-compliance. requirements of relevant state legislation.

The level of technology

Currently, more and more people interact with other people through electronic networks, both global, such as the Internet, and local, for example, the Intranet. The development of electronic networks has allowed them to be used as a means of obtaining or providing various services. Various web resources (web sites) provide various services. Examples of web resources are information resources, online representations, including online stores, and web services, including social sites and search and postal services. Depending on the resource, in order to access the service, the user is required to provide various information, including personal (personal) data. Examples of personal data are data such as passport information, credit card information and other financial information, information about his family, and more.

In addition, websites also collect various user data for processing, for example, to provide the best service and needs to a specific user. Information collected may also relate to information about the user during his work with the relevant website. For example, what information did the user look at, which pages did he make the transition to, what actions did he take, etc. For example, to complete an online transaction or register on a website, you usually need to provide personal information such as name, address, phone number, email address, credit card numbers, etc. In addition, the widespread adoption of mobile devices has influenced the emergence of a number of applications that also collect information about the user of the device for future use, for example, to improve the application. After providing this information to relevant websites or mobile device applications, the user loses further control over the use of the personal information provided to them, and in addition is in the dark about the information collected about him.

Thus, it appeared necessary to provide a system for monitoring and managing the use of personal information. For example, in the application US 20170193624 A1 of the company PAYPAL INC. describes a system of certification and personal information management for the exchange of personal information in the network, and the system includes memory-related processors to determine the pre-authorized consent associated with the website.

Also, actions related to the management and control of information collected and processed by users began to be regulated at the legislative level of various states, in particular the Russian Federation (RF), the USA, Canada and the EU countries. For example, in the Russian Federation - by federal law No. 152-ФЗ “On personal data”, in the European Union countries it is an act on the protection of personal data (English General Data Protection Regulation, GDPR), and in Canada - an act “Canadian Personal Information Documents Act (PIPEDA). " The laws on personal data impose a number of standards and requirements on web resources that process, including collection and use, user personal data, as well as user data. Examples of such requirements are the requirements for ensuring confidentiality, informing the user about the collection of his personal data, obtaining the explicit consent (permission) of the user to the further use of his personal data and others.

At the same time, the fulfillment of the requirements of legislation in the field of personal data and the organization of proper protection of personal data are at an extremely low level. One of the reasons for the increase in the number of violations and the associated leakage of personal data is the failure to comply with legal requirements by a significant number of companies, in particular those related to small or medium-sized businesses, and individuals.

In this regard, there is a task in ensuring the execution and control over the implementation of this legislation by persons who own a website that is subject to the requirements of relevant legislation, i.e. processing personal data of users. To solve this problem, it became necessary to create an approach to assessing the compliance of these requirements with a website, followed by detection of violations, and an approach to automatically bring a website that collects personal information of users in accordance with the legislation of the relevant state. In particular, in accordance with the legislation of the relevant state, the website contains the required level of protection / processing of personal data of users, in particular, mandatory informing the user about the type, extent and purpose of using his data on websites or in mobile device applications.

DISCLOSURE OF INVENTION

The present invention was made in view of the problems described above, and the purpose of the present invention is to identify and correct (bring into compliance) violations of the requirements of the legislation on personal data on websites that collect personal information. It is also necessary to take into account the legislation of at least the particular country (jurisdiction) that corresponds to the website or the person who owns the specified website.

The technical result of the present invention is to ensure compliance with at least part of the legislation on personal data of a web resource (website) that collects personal data of users, including in the event of a violation of this legislation. This technical result is achieved by modifying the information system (for example, web pages) on which data is collected or used by embedding a program code (script) into the specified web page, which eliminates the violation by creating an appropriate solution. For example, it will generate a notification about the collection of personal user data or receive consent from the user to process his data.

As one variant of execution, a method of bringing a website that collects personal information of users in accordance with the legislation on personal data is proposed, and the method includes the steps of: collecting information on a specified website, associated with elements containing processing attributes personal data of users, and information about the actions necessary to produce the user when interacting with these elements; analyze the information collected using the evaluation criteria, during which the compliance of each identified element with each evaluation criterion is determined; decide on non-compliance of at least one specified element of the website with the requirements of the legislation on personal data based on the results of the analysis; request from the owner of the site through electronic interaction the necessary data, which include at least information about the owner of the website; Based on the data obtained, an electronic package of documents is formed for each element that does not comply with the requirements of the legislation; create a program code that is placed on the specified website for the created document package, while the program code links the package of documents with the corresponding element.

In another embodiment of the method, the evaluation criterion is at least one of the following criteria:

- the presence of a window for entering the user's consent to the processing of personal data for each identified element,

- the presence of the input window of the user's consent to the disclaimer of the owner of the site in the processing of data associated with user information,

- the availability of data transmission over secure protocols and the availability of an SSL certificate,

- availability of documents related to informing about the personal data processing policy.

In yet another embodiment of the method, the requested data about the owner of the website is at least one of: the tax identifier of the organization or the taxpayer identification number (TIN).

In another embodiment, the method automatically updates the specified package of documents when changes in the requirements of the legislation are detected.

In yet another embodiment, the method periodically checks for updates in the requirements of the legislation on the relevant information resources.

In another embodiment of the method, the program code is at least one of the following script and widget.

In yet another embodiment of the method, the storage location of said document packages is either a remote web resource or a specified web site.

As another option, a system for bringing a website that collects personal information of users in accordance with the legislation on personal data is proposed, and the system includes: a scanning module designed to collect information on a specified website related to elements containing attributes processing personal data of users, and information about the actions to be performed by the website user when interacting with the specified elements, and transferring the collected information analysis module; an analysis module designed to analyze the collected information using the evaluation criteria, during which determines the compliance of each identified element with each evaluation criterion, and transfer the analysis results to the evaluation result generation module; the evaluation result generation module, designed to make a decision on the failure of at least one specified website element to comply with personal data legislation, based on the results of the analysis, and if the specified element does not comply with at least one evaluation criterion, it determines that the specified element does not comply requirements of legislation on personal data, and the formation of the assessment result, which contains information about the violations found; the module of preparation of the required changes, associated with the module of conformity, intended to form and send a request to the website owner through electronic interaction necessary data, which include at least information about the website owner, and the formation of an individual on the basis of the received response in electronic form package of documents for each specified element that violates the requirements of the law; a matching module designed to create a program code for the generated document packages and to place the generated program code on a specified website, while the program code links the document package with the corresponding element; data storage associated with these modules and designed to store at least the requirements of legislation on personal data from different countries, evaluation criteria and created documents.

In another embodiment of the system, the evaluation criteria are at least one of the following criteria:

- the presence of a window for entering the user's consent to the processing of personal data for each identified element,

- the presence of the input window of the user's consent to the disclaimer of the owner of the site in the processing of data associated with user information,

- the availability of data transmission over secure protocols and the availability of an SSL certificate,

- availability of documents related to informing about the personal data processing policy.

In yet another embodiment of the system, the requested data about the owner of the website is at least one of: the tax identifier of the organization or the taxpayer identification number (TIN).

In another embodiment of the system, this system additionally contains a module for updating the requirements of the legislation, designed to periodically check for updates in the requirements of the legislation on personal data on the relevant information resources, and update the documents in the created document packages, if changes in the indicated requirements of the legislation are detected.

In yet another embodiment of the system, the matching module generates a program code for the website in the form of a script or widget.

In another embodiment of the system, the matching module saves the created document packages on the specified website.

Brief Description of the Drawings

The accompanying drawings are included in this description and form part of it, illustrate one or more embodiments of the objects of the claimed technology, together with a detailed description, and serve to explain the principles and embodiments of the claimed technology.

FIG. 1 illustrates the scheme of interaction of an information system of the type of web site with the claimed invention during its audit or alignment with the legislation.

FIG. 2 illustrates a block diagram of a system for evaluating a website for compliance with legal requirements and compliance, in case of violations.

FIG. 3 presents a method of evaluating an information system in the form of a web site for compliance with the legislation on personal data and identifying a violation.

FIG. 4 presents a method of bringing a website that collects personal information of users in accordance with the legislation on personal data when violations are detected.

FIG. 5 and 6 demonstrate examples of elements containing attributes of processing personal data of users.

Description of embodiments of the invention

The objects and features of the present invention, methods for achieving these objects and features will become apparent by referring to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it may be embodied in various forms. The above description is intended to assist a specialist in the field of technology for a comprehensive understanding of the invention, which is defined only in the scope of the attached formula.

The present invention allows for the verification of information systems such as the website (hereinafter referred to as the website) for their compliance with the requirements of the legislation on the protection and processing of personal data of users, in particular the legislation of the Russian Federation on personal data, such as Federal Law No. 152-FZ "On Personal data ". The verification is carried out on the basis of an assessment of the compliance of the checked website with the requirements specified in the legislation on personal data with the identification of possible violations, in the event of determination that the website does not conform to any requirement of the legislation on personal data. In particular, legal requirements are related to informing users (for example, by notifying) about collecting personal data, checking the user's consent or having the opportunity to give such consent to the processing of personal data for each specific category of personal data and ensuring security during data transfer between the web browser contained on the user's computer and the web server containing the website to be checked. In the event of a violation, the presented invention has the opportunity to form a decision on the necessary changes on the website and then submit such changes so that the website meets the necessary requirements.

In describing the present invention, at least the following terms will be used:

Legally significant actions are actions that entail the occurrence of any legal consequences. In the framework of the claimed invention, examples of such actions may be actions aimed at meeting the requirements of the law.

Legislative requirements are understood as formalized criteria of the legislation of the country to which the website belongs, and on the basis of the criteria, a compliance assessment is made. In other words, the criteria are formed on the basis of legal requirements. It is worth noting that when the requirements of the legislation on personal data change, the criteria are brought in line with them.

Under the processing of personal data is understood any action (operation) or set of actions (operations) performed using automation means or without using such means with personal data, including, but not limited to, collecting, recording, systematization, accumulation, storage, clarification , modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data.

Automated processing of personal data - processing of personal data using computer technology, such as a personal computer or a web server.

Personal data - any information relating directly or indirectly to a specific or definable user, i.e. physical person or personal data subject. So, examples of personal data are surname, name, patronymic, date and place of birth, education, address, geolocation lists, identifiers of external user information resources in social networks, family, social, property status, profession, personal audio, photo and video files financial information, as well as cookies and other metadata, IP address, device identifiers (IMEI, UDID, IMSI, MAC address) through which the user interacts with the website, mobile phone number, etc.

Website - information system, which is a web resource hosted on the hosting provider. At the same time, the information system can belong both to an organization (legal entity) and another user (individual).

Website element - is part of a web page and / or some form containing information about personal data, and the form can be completed and / or issued.

Operator - a legal or natural person who organizes and / or carries out the processing of personal data, as well as determining the purposes of processing personal data, the composition of personal data to be processed, actions (operations) performed with personal data.

Script or script (English script) - a sequence of commands and / or actions, a small program or macro that is executed by an application or OS under specific circumstances, for example, when a user is registered in the system. Scripts are often stored as text files that are interpreted during execution.

Widget (English Widget) - a visual element of the interface, for example, for a web site that has a specific function. In the present invention, the widget performs the function of providing the necessary information to the website user.

The implementation of the presented invention includes the identification of elements containing signs of processing personal and / or personal data of users on the website, collecting information on the website related to signs of processing personal data of users and information about the website, their analysis during which the category / type of data is determined, on the identified elements of the website, and deciding whether the website’s discrepancies from the website meet the requirements of the legislation on personal data. In addition, the claimed invention allows to align the website to eliminate the violations found. The following describes the embodiments of the invention in the form of systems and methods.

FIG. 1 shows a diagram of the interaction of a web-based information system with the web site evaluation system 105 during its audit or alignment with the laws of countries on personal data.

The rating system of the website 105 is implemented using a general-purpose computer system (not shown in Fig. 1), which can be either a personal computer or a web server 110. The computer system (hereinafter referred to as computer) has all the components of modern computer devices. and / or web servers. A computer, including a file system, which contains a recorded operating system, as well as additional software applications, program modules and program data. The computer is able to work in a networked environment, using a network connection with one or more remote computers. The remote computer (or computers) are the same personal computers or web servers. In addition, other computing devices may also be present in the computer network, for example, the Internet 102, for example, routers, network stations, peer-to-peer devices, or other network nodes that interact with the web site 120.

Network connections can form both a local area network (LAN) and a wide area network (WAN), including networks of mobile operators. Such networks, for example, are used in corporate computer networks and, as a rule, have access to the Internet 102. In LAN or WAN networks, a computer is connected to a local network through a network adapter or network interface. When using networks, a computer can use various means of providing communication with a global computer network, such as the Internet 102, for example, a modem. It should be clarified that network connections are only approximate and are not required to display the exact network configuration.

Website 120 is a web resource that combines a number of web pages 130 and is hosted, for example, on a web server 110b. As a rule, the web server 110b belongs to the hosting provider. A hosting provider combines the capabilities of a hosting (from the English hosting) and a provider (from the English internet service provider). A web server can also be called a computer program that performs the functions of a normal server (computer system) on which this program works, but with the ability to interact in a global network. In addition to the web server, different server applications can be installed, for example, a mail server, a file server, etc., each of which provides its own service. To access these services, special programs are used, such as a web browser, an email client, a file access service client, and others. Accordingly, users 170 using a web browser 180 can access the presented data on websites 120 through the URL of the web page 140 they need website 120.

It is worth noting that the interaction between website 120 and users 170, including the website rating system 105, is performed using various data transfer protocols, such as HTTP (S), (S) FTP, SSH, POP3, SMTP and IMAP4. Thus, the system of assessing the website 105 during the verification of the website 120 for compliance with the requirements of the legislation produces remote interaction with it, through communication networks, such as the Internet 102.

In addition, to fulfill its mission, the website rating system 105 can also interact with various external services (sources of information) to update data, for example, related to the requirements of legislation of countries, in case of a change in these requirements or the appearance of new requirements or laws.

When interacting with the user 170 via the web browser 180, the website 120 installed on the user's computer 110 will, in most cases, process the user data or user input both at the request of the website and independently. Therefore, the website rating system described below allows you to check the website for compliance with the requirements of the legislation on personal data, prepare and make changes that eliminate the violations found.

FIG. 2 illustrates a block diagram of the system for evaluating the website 105 for compliance with the requirements of the legislation and for compliance with it, in case of violations.

The site evaluation system 105 is designed to evaluate a web site that processes personal user data for the specified web site to meet the requirements of personal data legislation. Moreover, the site rating system 105, depending on the location of the hosting provider, which provides resources for hosting the website, and the person (operator) who owns the website, generates a list of requirements for the website in accordance with the requirements of the country to which the website belongs. For example, if the hosting provider that contains the website is geographically located in the territory of the Russian Federation, the list of requirements will be formed in accordance with the requirements of Russian legislation. If the site operator is a person of the Russian Federation, the list of requirements will also be formed in accordance with the legislation of the Russian Federation.

So, an example of the requirements of the legislation of the Russian Federation are such requirements as: performance by the owner (operator) of the website of the operator when processing data in accordance with the Federal Law; the consent of the user to the processing of his personal data and the processing purposes stated by the operator; ensuring confidentiality and protection of processed data.

The site evaluation system 105, when it receives a request to check the website for compliance with the specified requirements, identifies at least one element containing the attributes of processing personal data of users on one web page of the website. As mentioned above, at least various forms of personal data are used as such elements, which are filled out and issued on the website. Forms of personal data can include such typical fields as last name and first name, user IDs, credit card number, mailbox, callback order, basket, payment, registration, newsletter subscription (email) and so on. In addition, various mechanisms can be established on the website that collect information about the user's actions on the website during its interaction with the website. Such mechanisms are also elements that contain signs of personal data processing, and must comply with legal requirements. An example of such a mechanism is the technology to collect cookies (from the English. HTTP cookies).

The site evaluation system 105 includes at least the following modules in the implementation: scan module 210, analysis module 220, evaluation results generation module 230, and data storage 250. In addition, the website evaluation system 105 to bring the website into compliance with legal requirements in case of violations, it also contains the matching module 270 and the change preparation module 260. In another particular implementation, the website evaluation system 105 also contains the law requirements update module 280. Each The specified module of the site evaluation system 105 can be either hardware or software, which is implemented using a computer, or their combination.

Scan module 210 is designed to scan a website with the ability to identify the above-mentioned elements of the website and collect the necessary information. During the scanning of the website, the scanner module 210 collects information that includes both information associated with the signs of personal data processing (first information) and information about the website itself (second information). The first information includes any information about these elements, including information related to the requirements of the legislation. It should be noted that during the implementation of this system, the requirements of the legislation are converted into the necessary evaluation criteria for further analysis. The second information includes, without limitation, legal and contact information about the organization or person, carrying out the software and hardware of the website and its availability on the Internet, as well as information about the hosting provider that provides resources to host the specified website . In turn, this information (second information) allows you to determine the territorial identity of the site and the official status of storing personal data in the relevant territory (for example, the territory of the Russian Federation), which indicates the relevant legal requirements. In addition, information may contain technical information about Internet addresses to which software and hardware is attached. At these addresses, the physical location of the hosting is determined, which during analysis by the analysis module 220 allows you to check the validity of the stated legal address. All collected information scan module 210 transmits to analysis module 220 for further work. In a preferred embodiment, the collection of information is removed via communication networks, such as the Internet.

The analysis module 220 is designed to analyze the information received from the scan module 210. Information analysis can be divided into two parts. One part is the analysis of the second information mentioned above, during which the determination of the territorial affiliation of the website and the operator is made, followed by the selection of the necessary list of requirements of personal data legislation that is relevant for the checked website at the time of inspection. Therefore, the list of requirements is selected depending on the needs of the assessment site. In particular, during the analysis of the second information, the information on the hosting of the website is checked, to which legislation and which state they correspond. Another part of the analysis is to verify the above-mentioned first information about the identified elements containing signs of personal data processing. Each specified element is checked using assessment criteria, formed on the basis of legal requirements. Therefore, after determining the appropriate list of legal requirements, evaluation criteria are selected. The analysis of the first data is carried out on the basis of selected evaluation criteria, during which the compliance of each identified element with each evaluation criterion is determined. For example, one of the evaluation criteria is at least the following criteria:

- the presence of a window for entering the user's consent to the processing of personal data (for example, in the form of a check mark, a button);

- the presence of the user consent disclaimer (Disclaimer) window of the site owner in processing data related to user information (for example, cookies);

- availability of data transmission over secure protocols (HTTPS) and using an SSL certificate, its relevance;

- availability of documents (data) related to informing the user about the personal data processing policy.

- availability of relevant documents in the form of files or an electronic link to them for each form containing signs of personal data processing.

It is worth noting that the evaluation criteria can also take into account the class of data being processed, as the legislation on personal data may impose requirements depending on the class of personal data. Classes of personal data are, for example, such classes as ordinary personal data (such as full name, place of birth, TIN), special personal data (such as health, race, religious beliefs) and biometric personal data (such as as a copy of the photograph from the document, fingerprints, palm shape). The class of personal data allows you to adjust the level of significance, in the case of the implementation of the mechanism for determining the class of personal data. Thus, storing only the last name, first name and middle name sets the personal data class as having low significance due to the lack of uniqueness for such sets of field values. The storage of unique personal identifiers, such as TIN, SNILS, medical insurance certificate numbers and numbers of registered transport tickets and electronic payment cards increases the importance of the element and the class of personal data to high. The higher the significance of this element, the higher the risks of unauthorized access to personal data, and the potential damage. Accordingly, depending on the class of personal data, the evaluation criteria may also change, for example, related to the verification of requirements to ensure the protection or confidentiality of personal data.

In the particular case of the implementation of the invention, the site evaluation system (analysis module 220) can be configured in such a way that it will always contain one list of legislative requirements, which was originally created for a particular country or a particular legislation (law). Thus, one implementation variant will contain one liver of requirements, which will be described by federal law No. 152-фз “on personal data”. Another implementation option will contain another list of requirements that will be contained in the requirements according to all the laws of a particular country. In this case, the lists can be updated. This implementation of the invention allows to optimize the site evaluation system to the conditions of a particular country or legislation. Thus, eliminating the stage of selection of requirements, but limiting the territory of use, will allow adapting the evaluation system and speeding up the analysis process, but it will still remain necessary to check the website for territorial affiliation.

In another particular case of the implementation of the invention, another characteristic for the selection of requirements and, accordingly, the evaluation criteria is the definition of possible operations that can be performed on personal data. Examples of data operations are reading, writing, modifying, and deleting data. Thus, the possibility of using a particular operation in an element containing signs of processing personal data of users of the website will leave its mark in the analysis of the information collected.

In another embodiment, when analyzing information in accordance with the evaluation criteria, each specified element can be calculated with a weight value, according to which the violation will be determined using decision module 230. The weight value depends on the degree of non-compliance of the specified element with any evaluation criterion. Weights are determined by comparing the information collected about the element and the content of the criterion. For example, an element should contain a provision for informing the user about the collection of the corresponding data class, but there is no such provision for the immediate element, and there is an informative provision on the main page of the website. Accordingly, according to the specified conditions, the weight value will be calculated.

In one embodiment, the implementation of the weight value can use a binary system for determining the non-compliance of an element with the requirements of the law. In this case, in the case of the complete absence of a violation, it will be determined as an element that meets the requirements. Otherwise, if even a minor inconsistency is revealed, it will be determined as an element that does not comply with the requirements of the legislation.

The analysis module 220, at the end of the analysis of information received from the scan module, transmits the analysis results to the evaluation results forming module 230. The analysis results contain at least information on checking each element containing personal data processing attributes, based on the evaluation criteria. Also, depending on the implementation of the invention, the results of the analysis may also contain information about the class of personal data, their significance and the weight values of each element.

The module for forming the result of the assessment 230 (hereinafter referred to as module 230) is designed to make a decision on the site’s compliance with the requirements of the legislation on personal data and generate an assessment report that contains information about the violations found. The decision is made on the basis of the results of the analysis. The results of the analysis contain at least information on the compliance of each specified element with the evaluation criteria.

Also, in particular, the decision may be made on the basis of the weight values of the detected elements, which describe the results of the assessment of the compliance of each identified element with the evaluation criteria. In addition, the module 230 during the formation of the assessment report for each identified element that does not comply with the requirements of the legislation, generates / makes information about the necessary changes. Next, module 230 provides a prepared assessment report to the requested person (operator).

In one of the options for implementing a website evaluation system 200, said system automatically prepares the required changes in order to bring the website in compliance with the requirements of the law. In this case, the system further comprises a change preparation module 260 and a matching module 270.

So, if the evaluation report contains information about detected violations of legal requirements, module 230 notifies module 260 of the violations found. For example, reports the evaluation.

Module 260 is designed to generate in electronic form a package of documents for each element, including those that do not meet the requirements of the legislation. For this, the module 260 requests from the owner (operator) of the website through electronic interaction data necessary for the formation of a package of documents for each element of the website. The requested data is, but is not limited to, data such as the owner’s identification number (TIN) or the tax ID of the organization. After receiving the data, module 260 generates a package of documents for each element of the website, taking into account the requirements of the legislation of the country that owns the website and the owners. Examples of documents that may be included in the created list are documents: a user consent document for processing personal data in the amount of data collected by the relevant element, a document informing the user about personal data processing, a list of personal data being processed, personal data processing policies, protection provisions personal data, instructions for the processing of personal data and others. It should be noted that electronic samples of documents are stored in data storage 250 and can be published and updated on the website remotely or transferred to a website and stored locally there. In particular, the package of documents also contains documents that can be intended for several elements of a website at once. For example, a disclaimer is formed (English Disclaimer) - a written disclaimer for possible delicate consequences of a particular act as a result of the actions of a third party who has declared the refusal.

The matching module 270 is designed to create a program code that allows the user to provide the website with the necessary document or the entire package of documents, in the case of user interaction with an element that contains signs of personal data processing, of the website. Module 270 generates the specified program code that links the prepared documents from the package of documents with the corresponding elements of the website. In one embodiment, the implementation of the formation of a program code is made on the basis of a sample stored in data storage 250. That is, made adaptation to a specific website. Next, the module installs the generated program code on the website automatically or with the help of the website operator. In the case of an unattended installation, the operator of the website, along with the information provided above, provides access to modify the website. Otherwise, the module provides the generated program code to the operator for posting on the website and waits for an answer about such an installation. The generated program code, depending on the implementation, can be, for example, a script or a widget.

It is worth noting that the package of documents for the elements of the website can be stored either together with the website or remotely, for example, in the data store 250 of the website rating system 200.

The principle of operation after the formation of a package of documents and the installation of the program code will be the following: 1) the user visits the website and refers to an element containing signs of personal data processing; 2) at this moment, the user is provided with the text of documents that comply with the requirements of the legislation, using the installed program code; 3) in terms of informing the user through documents, the requirements of the law are fulfilled.

In yet another embodiment, the web site evaluation system includes a module for updating the requirements of legislation 280. Module 280 is designed to maintain up-to-date samples contained in the data store and formed document packages for web site elements. To do this, module 280 interacts with special web resources where changes in legislation are stored or published. If a new change is detected, it makes changes on its own, for example, in sample documents, or it forms the task of the change preparation module 260 to correct documents. Thus, module 280 periodically checks for relevance and updates of documents as necessary.

It is worth noting that data warehouse 250 is designed in such a way as to interact with all modules of the website rating system 200 and to store data necessary for the operation of this system 200. In particular, data storage 250 contains the requirements of legislation on personal data from different countries, assessment criteria related to the requirements, samples of electronic documents, a list of current documentation, a script for obtaining the necessary data for preparing documents, a sample of the program code for posting on the web site in order to eliminate the violations found.

FIG. 3 shows a method for evaluating an information system in the form of a website for compliance with personal data legislation and identifying a violation.

The method of evaluating an information system in the form of a web site (a method of evaluating a web site) makes it possible to identify possible violations by elements containing signs of the processing of personal data of users and the web site of the requirements of legislation on personal data. The method of evaluating a website is implemented using a computer system, in particular using the tools of the website rating system 200.

At step 310, a web site is scanned, during which elements containing features of the processing of personal data of users are detected on the scanned web site. If at least one specified element on one web page of the website is identified, then proceed to step 320. Otherwise, if these elements are not identified, the work is completed.

At step 320, information is collected, which includes collecting information associated with the specified elements and features of processing personal data of users on the website and information about the website. Information about the website is collected both from the website itself and from other web resources containing information about the website being scanned. Examples of information collected and options from the collection are presented in the description of FIG. 2. In particular, as information collected on the elements and characteristics of processing, include information on the personal data being processed and information on compliance with the requirements of the legislation on personal data associated with the personal data being processed. For example, documents are searched for informing the user about the processing of their personal data, about the consent of users to the processing of their personal data and other requirements. Information about the website includes, without limitation, legal and contact information about the website owner (operator) and information about the hosting provider providing resources to host the specified website. After collecting the necessary information, go to step 330.

At step 330, the required list of requirements of the legislation on personal data is determined, which will contain the actual requirements for evaluating the website. The definition is to identify the territorial affiliation of the web site and its owner based on the collected data on the web site and the subsequent selection of the relevant legislation requirements. Territorial affiliation (affiliation with a state, for example, the Russian Federation) indicates the attitude of the website to this and other legislation and, accordingly, to their requirements. After determining the necessary legislation for evaluating the website, a list of requirements is formed from the requirements contained in the data warehouse. The data storage contains all relevant legal requirements of various countries at the time of the evaluation of the website. These requirements are pre-formalized and are presented in a form that allows you to automatically evaluate the website, i.e. without human intervention. One of the options for such an implementation is the creation of evaluation criteria for evaluating the website based on the requirements of the legislation. Examples of evaluation criteria are presented in the description of FIG. 2

It is worth noting that step 330, depending on the implementation, may also be an optional step. So, for example, in cases when the web site is obviously known to belong to a specific territory / state and / or the list of requirements is known, in accordance with which verification is necessary. For example, the website operator notified the website rating system in advance (provided the necessary information), or the method is implemented in such a way as to make an assessment for compliance with a specific list of requirements. Then the list of requirements will contain requirements that comply with the laws of the state for which the present invention (method or system) is adapted. Accordingly, step 330 can only consist in checking whether the website is compliant with the relevant website or, in general, step 330 will be excluded if we assume that the website meets specific requirements and the website is assigned to a specific territory.

At step 340, an analysis is made of the collected information about the elements and their signs of processing personal data in accordance with a specific list of legislative requirements (evaluation criteria). So for each identified element, information about this element is checked according to the evaluation criteria. In one embodiment, each weight criterion can be assigned a weight value. In this case, when evaluating an element for compliance, the weight values are calculated. In another embodiment, a more stringent assessment can be formed, when in case of non-compliance with at least one evaluation criterion, the element will be recognized as non-compliant with legal requirements.

At step 350, a decision is made on the existence of a non-compliance of the website with the requirements of the legislation on personal data based on the analyzed information about the elements of the website. The rendered decision is based on the results of the analysis of each identified element of the website. So in the event that at least one element does not comply with the requirements of the legislation, then a decision is made on the violation of the website of the current legislation, which applies to the assessed website. Otherwise, if each element meets the specified requirements, then a decision is made on the compliance of the website with current legislation.

In step 360, the results of the website evaluation are generated. Methods for generating evaluation results may be different and depend on the specific implementation of the invention. Evaluation results are formed in the preferred form containing information about the detected violations. In one embodiment, is a text file containing information about the evaluation of the website, which contain at least the conclusion of the assessment in the form of violates or does not violate and in case of violation of the information about the element that does not meet the requirements and what criteria of evaluation. In another embodiment, it is a task for the preparation of changes module 260, which contains information about violations, for the subsequent preparation of the necessary changes to meet the identified nonconformities.

FIG. 4 shows a way to bring a website that collects personal information of users in accordance with the legislation on personal data when violations are detected.

At step 420, information is collected as in step 320, described in the description of FIG. 3, and taking into account the fact that elements that contain signs about the processing of personal data of users are already known or have been identified. At step 440, the collected information is analyzed in the same way as step 340. At step 450, a decision is made on whether the website violates the legal requirements. In the event that no match is found for each identified element of the website, then proceed to step 455, at which a decision is made on the compliance of the website with legal requirements and the work is completed. Otherwise, if at least one mismatch is found for one element of the website, then proceed to step 460. At step 460, assessment results are generated that contain information about the detection of violations. Information at least includes information about the elements of the website and the evaluation criteria, which do not correspond to the elements of the website. Next, at step 470, based on the generated report, module 260 creates and sends a request for additional data to the owner / operator of the website. The request is sent via electronic interaction. After receiving the answer, proceed to step 480. At step 480, an electronic package of documents is generated for each element that has been identified as not in compliance with legal requirements, in accordance with the violated evaluation criteria, based on sample documents stored in data store 250, and taking into account received data from the owner of the website. In other words, a personalized package of documents is created for each specified element of the website in order to eliminate the revealed violations and meet the requirements of the law. At step 490, program code is generated that is located on the website in order to create a link between the generated document package and the website element. In this case, when the user interacts with the element of the website, an appropriate package of documents will be provided. An example of a program code is a script (JavaScript) code / file or widget. The placement / embedding of the program code on the web site can be realized both with the help of the web site operator and automatically. With automatic mode, you must have access to the website to modify it. It should be noted that the generated lists of documents can be stored both with the website and remotely, for example, in the data warehouse 250.

FIG. Figures 5 and 6 demonstrate examples of web pages on websites that contain elements containing signs of processing personal data of users.

FIG. 5 shows an example of a web page 500 that contains element 510 in the form of a form, which in turn contains fields for entering personalized user data, such as login 512 for identifying a user on a web site and a password 514 for logging onto a website. The webpage 500 also contains elements 520 and 530, which require checking for the presence of personal user data. For example, in the event that a previously registered user re-enters a website, element 520 may contain a photograph of a user that was previously obtained upon first logging on to the website.

FIG. 6 shows an example of an online bank web page. Webpage 600 presents an element (section) 610 for transferring funds or paying financial bills. In section 610, you are required to enter the user's personal data in order to receive the corresponding online banking service. Section 620 contains an information field that may also contain some personal user data, for example, user identification data on a website.

In conclusion, it should be noted that the information given in the description are examples that do not limit the scope of the present invention as defined by the formula.

Claims (41)

1. A computer-implemented method of bringing a website that collects personal information of users in accordance with the legislation on personal data, and the method includes the steps of: a) collect information on the specified website, associated with elements containing signs of processing personal data of users, and information about the actions that need to be performed by the user when interacting with these elements; b) analyze the collected information using the evaluation criteria, during which the compliance of each identified element with the evaluation criteria is determined; c) decide on the non-compliance of at least one specified element of the website with the requirements of the legislation on personal data based on the results of the analysis at stage b) d) request from the owner of the site through electronic interaction the necessary data, which include at least information about the owner of the website; e) on the basis of the obtained data, form an electronic package of documents for each element that does not comply with the requirements of the legislation; e) create a program code that is placed on the specified website for the created document package, while the program code links the package of documents with the corresponding element. 2. The method according to claim 1, wherein the evaluation criterion is at least one of the following criteria: - the presence of a window for entering the user's consent to the processing of personal data for each identified element, - the presence of the input window of the user's consent to the disclaimer of the owner of the site in the processing of data associated with user information, - the availability of data transmission over secure protocols and the availability of an SSL certificate, - availability of documents related to informing about the personal data processing policy. 3. The method according to p. 1, in which the requested data about the owner of the website is at least one of: the tax identifier of the organization or taxpayer identification number (TIN). 4. A method according to claim 1, in which updates of the specified package of documents are automatically performed when a change in the requirements of the legislation is detected. 5. The method according to claim 5, in which periodically checks for updates in the requirements of the legislation on the relevant information resources. 6. A method according to claim 1, wherein the program code is at least one of the following script and widget. 7. A method according to claim 1, wherein the storage location of said document packages is either a remote web resource or a specified web site. 8. The system of bringing the website, collecting personal information of users in accordance with the legislation on personal data, the system contains: but. scanning module designed to: i) collecting information on the specified website related to elements containing characteristics of the processing of personal data of users, and information about the actions that the website user needs to take when interacting with these elements; ii) transmitting the collected information to the analysis module; b. an analysis module designed to analyze the collected information using the evaluation criteria, during which the correspondence of each identified element to each evaluation criterion is determined, and transferring the analysis results to the evaluation result generation module; at. assessment result generation module designed for: i) deciding on the non-compliance of at least one specified element of the website with the requirements of the personal data legislation, based on the results of the analysis; , ii) the formation of the assessment result, which contains information about the violations found; The module of preparation of the required changes, connected with the module of alignment, intended for: i) generating and transmitting a request to the website owner through the electronic interaction of the necessary data, which includes at least information about the website owner, ii) forming, on the basis of the received response in electronic form, an individual package of documents for each specified element that violates the specified requirements of the law; e. a matching module designed to create a program code for the generated document packages and to place the generated program code on a specified website, while the program code links the package of documents with the corresponding element; e. a data warehouse associated with the specified modules and intended to store at least the requirements of legislation on personal data of different countries, evaluation criteria and created documents. 9. The system of claim 8, in which the evaluation criteria are at least one of the following criteria: - the presence of a window for entering the user's consent to the processing of personal data for each identified element, - the presence of the input window of the user's consent to the disclaimer of the owner of the site in the processing of data associated with user information, - the availability of data transmission over secure protocols and the availability of an SSL certificate, - availability of documents related to informing about the personal data processing policy. 10. The system of claim 8, in which the requested data about the owner of the website are at least one of: the tax identifier of the organization or taxpayer identification number (TIN). 11. The system of claim. 8, which further comprises a module updates the requirements of the legislation, designed to: but. conducting periodic checks for updates in the requirements of the legislation on personal data on relevant information resources, b. updates of documents in the created packages of documents, at detection of changes in the specified requirements of the legislation. 12. The system of claim 8, wherein the mapping module generates a program code for the website in the form of a script or widget. 13. The system of claim 8, wherein the mapping module saves the created document packages on the specified web site.

Images