Proper personal data processing: how to classify and protect data and stay compliant with Federal Law GDPR

How businesses can classify, protect, and process personal data without breaking the law or facing unnecessary fines.

  • The concept of personal data
  • Why companies need to classify personal data correctly
  • Customers' rights and the company's obligations: how to protect data and keep trust
  • What rights customers (data subjects) have

70% of CIS companies process personal data in violation of the rules. The main cause of problems is not malicious intent, but employee mistakes, people who simply do not know how to work with personal data correctly under the law. Here is how businesses can bring order to personal data handling: what exactly counts as personal data, how to classify it, on what grounds to collect it, and what to do to avoid fines.

The concept of personal data

Personal data- any information that identifies a person. This includes not only a passport and SNILS, but also an IP address, location coordinates (geolocation), and online activity history if they are tied to a specific user. Examples of personal data in business: - full name, taxpayer ID, passport details; - contact phone number, email address, legal/registered address; - bank details; - workplace, job title.

If at least one of these items helps identify the client, it is personal data, and you are required by law to protect it. Not personal data: - Anonymous data that cannot be linked to a person. - Aggregated data without specifics, such as average order value. - General work contacts like info@company.ru. Why companies need to classify personal data correctly Not all personal data is equally sensitive. The law divides it into categories, and each category has its own level of protection.

Correct classification helps: - Avoid overloading business processes with unnecessary measures. - Avoid fines for mishandling sensitive data. Main categories of personal data:

CategoryWhat this meansBusiness exampleHow it can be processed
Publicly availableThe person posted this data in public sources themselvesA profile with contact details on hh.ru, a service provider listing with a phone numberCan be used, but strictly within the law.
Upon request, a person may ask for the information to be deleted.
BiometricInformation that can be used to identify a person with certaintyBiometric login (fingerprint or face),
voice in IVR
Processing is possible only with separate written consent.
There are exceptions (for example, criminal investigations).
SpecialSensitive information about private lifeData about health, religion, criminal record,
ethnic origin
Collecting and using it is prohibited without explicit consent
or specific legal grounds.
Core (general)Other information that allows a natural person to be identifiedFull name, email, phone number, passport,
address, purchase history
May be processed with consent or under a contract.
This is the most common type of data in business.

Important! Assigning data to the correct category is the operator's (company's) responsibility. A classification mistake, such as mishandling biometric or special data, leads to the most serious fines and reputational risks.

Discuss your challenge with an architect

Customers' rights and the company's obligations: how to protect data and keep trust

Working with personal data is not only about complying with the law, but also a key to trust. If a company respects people's rights, it gains reputation and loyalty; violators lose customers and face fines. According to studies, only 30% of CIS organizations comply with personal data law. The rest 70% - at risk: from reputational damage to fines and lawsuits.

What rights customers (data subjects) have

A client, employee, or user has the right to: - Find out what data you store. A customer can request a list of data, the processing purpose, and recipients. You have 10 business days to respond. - Fix errors. If there is an error in the form, for example an incorrect phone number, the person has the right to request a correction. While the check is in progress, you must temporarily block the information. The deadline is 7 business days. - Delete data.

If the processing purpose has been achieved or the data was collected in violation of the law, the client may request its deletion. You have up to 10 business days to fulfill the request. - Withdraw consent. A person can change their mind at any time. If there are no other grounds, such as a contract, you must stop processing and delete the data. - Block mailing. If a customer unsubscribed from the mailing list, they cannot be added back to marketing emails.

Deletion must be immediate. Let's look at an example: an employee sold the customer database to competitors. Consequences: a flood of spam complaints, dissatisfied customers, and reputational damage. The organization could have avoided this if it had implemented _access control and internal audit rules_ in time.

What a business must do (the operator's obligations)

Customer rights are only realized when the business has clear processes. What needs to be set up: - Clear communication channel. On the website and in documents, specify how the customer can submit a request by email, through a feedback form, or via a dedicated button in the account area. - Data owner. Identify a specific specialist who will take responsibility for data processing. - Internal policies. Describe how the company handles personal data.

Making this document publicly available is a direct legal requirement for a personal data operator. - Team training. Most mistakes happen in sales, support, and marketing. Train them on how to obtain consent, how to respond to a deletion request, and what to say to the customer. - Flexible CRM. The system must allow you to find all data for a customer, freeze it when consent is withdrawn, delete it, or export it on request. - Vendor oversight.

If you share information with external companies (for example, a mailing service or call center), make sure they also comply with the law.

How to process personal data correctly

Understanding the law is important. But the main thing is knowing how to apply it in practice. Here is a simple process that will help your company build a safe and legally compliant personal data processing system. Step 1. Find a lawful basis for each operation Collecting data "just in case" is not allowed. Each purpose must have a specific basis under Federal Law GDPR: - Customer consent - when the person has explicitly allowed the information to be used.

Consent must be separate, clear, and voluntary. - Performance of a contract with the data subject- for example, user registration or product delivery. Consent is not required here. - Under the law - if the data is needed for tax accounting, employment, military registration, and so on. - In emergencies - to protect life or health, for example when sharing medical data with a doctor. Example: A store collects a name, address, and phone number for delivery - this is contract performance.

To send advertising to the customer later, you need separate consent. You cannot combine everything into one checkbox. Step 2.

Obtain consent correctly. A consent form is a legal document that must include: - The company's name and contact details. - A clear list of the data collected. - Specific purposes (for example: "newsletters", "creating a personal account"). - How you process the data - manually and/or automatically. - The consent period and the withdrawal procedure. Important: Do not pre-check the consent box by default - the user must give permission themselves. Step 3.

Publish the Personal Data Processing Policy in a publicly accessible place. The policy is a public document where you explain how you handle data. Include: - the purposes of processing; - what information you collect; - who you may share it with (for example, a delivery service); - customer rights and how to exercise them. A policy is not consent. It is needed for transparency, while consent is needed for lawful processing. Step 4.

Notify the supervisory authority about the start of personal data processing. A company that processes personal information must submit the relevant notice to Roskomnadzor. The fine for failing to do so can reach 300,000 rubles. To submit the notice: 1. Fill out the form - the standard form can be downloaded from the Roskomnadzor website. 2. Send a notification - through the Roskomnadzor website, Gosuslugi, or by mail to your local Roskomnadzor office. 3. Wait for confirmation - the review usually takes up to 30 days.

After that, your organization will be added to the registry of operators that process personal data. Know the exceptions: You do not need to notify Roskomnadzor in only a few cases, for example if you process data only of your own employees for labor relations or if the processing is carried out entirely without automation tools (manually).

SituationIs notification required?Why
Processing only employee dataNo, if the data is not transferred outside the companyA classic exception is internal corporate processing
Processing customer data under a contract (for example, delivery)No, if the data is used strictly within the transactionThe law allows this without notification if there are no additional processing purposes
Manual data processing (without computers or CRM)NoA rare case, but formally it does not fall under the notification requirement
Email or SMS campaigns to the customer baseYesConsent is required + mandatory notification to Roskomnadzor
CRM, website forms, any automated systemsYesAlmost any automated business process
is subject to the notification requirement

Step 5. Protect data in practice, not just on paper. Security has 3 levels: organizational measures, technology, and documents. - Organizational measures: appoint a person responsible for personal data, create instructions, and train the team, especially marketing and support. - Technique:use HTTPS, keep software updated, encrypt databases with sensitive data, restrict access, and make backups. - Localization: data of CIS citizens must be stored in CIS.

Even if you use cloud services.

Discuss your challenge with an architect

Step 6. Set up intake and handling of customer requests. Customers can: - find out what you store; - correct or delete data; - withdraw consent. To avoid missing deadlines and losing credibility: - create a separate email address or a website form; - define a procedure - who is responsible, when, and how; - prepare email templates (confirmation, deletion, refusal, etc.). The legal response period is 30 days.Better, faster: 10-15 days. Step 7.

Audit and contractors - Audit: At least once a year, check how the information is actually processed. Update the purposes, data set, and processes. Contractors: if you share data with someone (an email service, a call center), make sure you have a contract and they have proper safeguards.

Cross-border data transfer: what businesses need to know

When using foreign services (cloud CRM, email platform, or support system), you are effectively transferring customers' personal data abroad, meaning you are arranging their cross-border transfer. The main rule: Data may be transferred abroad only if the country is on the list of states with "adequate personal data protection" (such a list is published by Roskomnadzor).

If the country is not on the list, you must meet one of the following requirements: - obtain the client's written consent to transfer data abroad; - transfer the data to perform a contract (for example, booking arrangements abroad); - transfer the data in an emergency (to protect life and health). Important: most popular foreign services, including Western cloud platforms, do not provide "adequate protection."

That means you need to obtain consent to work with them or review the information transfer chain.

What companies should do

It is important for a business to understand where and how personal data is processed. Run a mini-audit: find out which servers store data from the CRM, website forms, and email campaigns, and whether it is transferred abroad, directly or through contractors. If you use foreign services, make sure the country is on Roskomnadzor's list or that you have obtained separate customer consent. Transferring data without the required grounds is considered a legal violation.

That means inspections, fines, and blocking are all possible, so it is better to get things in order in advance than to explain yourself to the regulator.

Data anonymization: how to analyze data without breaking the law

Anonymization - the process of removing any features from data that could identify a user. For example, instead of the record "Ivan Morozov, ivan22@mail.ru, ordered on January 5," the anonymized version remains: "User-1435, male, 30-35 years old, purchase in January." Such data is no longer considered personal. For companies, this is convenient and safe: there is no need to obtain processing consent, prepare additional documents, or worry about compliance with GDPR.

Anonymized data can be safely used for internal analytics, marketing, or sharing with contractors - without risking a legal violation.

How it works

Methods can be simple or complex: - remove full name, email, and phone number; - pseudonymization (replace with an ID); - aggregation by groups (age, region); - add "noise" so the original data cannot be restored.

How large businesses protect personal data and reduce risks

When a company has millions of customers and employees, a mistake in data protection can be extremely costly. Below are two cases showing how CIS businesses are moving from a formal approach to real, systemic protection. X5 Group: how a breach became the trigger for reforms Situation: In 2022, the retailer had a leak of applicant data. The cause was a contractor, but X5 was still responsible.

The incident exposed weaknesses in the control system and became the starting point for major changes. Solution:comprehensive security reinforcement - the company deployed software solutions (DLP) that track and block attempts to copy or send information without authorization in real time. At the same time, it carried out large-scale employee training at all levels - from frontline staff to management - on personal data handling rules.

They also reviewed work with contractors: the contracts now include clear information security requirements and penalties for violations. Result: - Reduced the risk of repeated leaks and multimillion-ruble fines. - Restored customer trust by showing a serious approach to security. - Improved data-handling discipline from top management to cashiers. How an industrial giant protected the data of 20,000 employees Situation: A large industrial holding with tens of thousands of employees was operating on outdated processes.

Data was stored in different places, breaches were discovered after the fact, and there was almost no control.

This made it difficult to pass inspections and take part in tenders. Solution: the partner team implemented comprehensive personal data protection, namely: - Set up a single center for monitoring and controlling personal data and appointed a responsible person with access to management. - Launched proactive leak monitoring: the system scans the dark web and public sources on its own for any appearance of company data. - Conducted full audit: where and how the data is stored, and who has access to it.

Set up access control (DAM). - Introduced automatic anonymization in test environments - now real data does not reach developers. - Required all employees to complete information security training. Result: - Significantly reduced the number of incidents. - Gained an advantage in negotiations with partners and banks: a secure business is an attractive business. - Lowered incident response costs: instead of dealing with consequences, they now focus on prevention. The cases show: Investing in proper personal data handling is not a cost, but an investment in business resilience.

Companies that implement protection technologies, audit data, and train employees not only reduce the risk of breaches and fines, but also increase trust in the business. This directly affects reputation, speeds up deals, helps pass inspections, and opens the way to new contracts.

Discuss your challenge with an architect

Discuss article: Proper personal data processing…

Send via: