Understanding the law is important. But the main thing is knowing how to apply it in practice. Here is a simple process that will help your company build a safe and legally compliant personal data processing system. Step 1. Find a lawful basis for each operation Collecting data "just in case" is not allowed. Each purpose must have a specific basis under Federal Law GDPR: - Customer consent - when the person has explicitly allowed the information to be used.
Consent must be separate, clear, and voluntary. - Performance of a contract with the data subject- for example, user registration or product delivery. Consent is not required here. - Under the law - if the data is needed for tax accounting, employment, military registration, and so on. - In emergencies - to protect life or health, for example when sharing medical data with a doctor. Example: A store collects a name, address, and phone number for delivery - this is contract performance.
To send advertising to the customer later, you need separate consent. You cannot combine everything into one checkbox. Step 2.
Obtain consent correctly. A consent form is a legal document that must include: - The company's name and contact details. - A clear list of the data collected. - Specific purposes (for example: "newsletters", "creating a personal account"). - How you process the data - manually and/or automatically. - The consent period and the withdrawal procedure. Important: Do not pre-check the consent box by default - the user must give permission themselves. Step 3.
Publish the Personal Data Processing Policy in a publicly accessible place. The policy is a public document where you explain how you handle data. Include: - the purposes of processing; - what information you collect; - who you may share it with (for example, a delivery service); - customer rights and how to exercise them. A policy is not consent. It is needed for transparency, while consent is needed for lawful processing. Step 4.
Notify the supervisory authority about the start of personal data processing. A company that processes personal information must submit the relevant notice to Roskomnadzor. The fine for failing to do so can reach 300,000 rubles. To submit the notice: 1. Fill out the form - the standard form can be downloaded from the Roskomnadzor website. 2. Send a notification - through the Roskomnadzor website, Gosuslugi, or by mail to your local Roskomnadzor office. 3. Wait for confirmation - the review usually takes up to 30 days.
After that, your organization will be added to the registry of operators that process personal data. Know the exceptions: You do not need to notify Roskomnadzor in only a few cases, for example if you process data only of your own employees for labor relations or if the processing is carried out entirely without automation tools (manually).
| Situation | Is notification required? | Why |
| Processing only employee data | No, if the data is not transferred outside the company | A classic exception is internal corporate processing |
| Processing customer data under a contract (for example, delivery) | No, if the data is used strictly within the transaction | The law allows this without notification if there are no additional processing purposes |
| Manual data processing (without computers or CRM) | No | A rare case, but formally it does not fall under the notification requirement |
| Email or SMS campaigns to the customer base | Yes | Consent is required + mandatory notification to Roskomnadzor |
| CRM, website forms, any automated systems | Yes | Almost any automated business process is subject to the notification requirement |
Step 5. Protect data in practice, not just on paper. Security has 3 levels: organizational measures, technology, and documents. - Organizational measures: appoint a person responsible for personal data, create instructions, and train the team, especially marketing and support. - Technique:use HTTPS, keep software updated, encrypt databases with sensitive data, restrict access, and make backups. - Localization: data of CIS citizens must be stored in CIS.
Even if you use cloud services.
Discuss your challenge with an architect
Step 6. Set up intake and handling of customer requests. Customers can: - find out what you store; - correct or delete data; - withdraw consent. To avoid missing deadlines and losing credibility: - create a separate email address or a website form; - define a procedure - who is responsible, when, and how; - prepare email templates (confirmation, deletion, refusal, etc.). The legal response period is 30 days.Better, faster: 10-15 days. Step 7.
Audit and contractors - Audit: At least once a year, check how the information is actually processed. Update the purposes, data set, and processes. Contractors: if you share data with someone (an email service, a call center), make sure you have a contract and they have proper safeguards.