Personal data protection under GDPR: how businesses can avoid fines, leaks, and pass Roskomnadzor inspections

What businesses need to know about GDPR: documents, consents, Roskomnadzor inspections, fines, and data protection requirements.

  • What personal data is and who is required to protect it
  • Which data the law classifies as personal
  • Who monitors personal data protection and how
  • Which personal data protection documents a company must have

If you collect website inquiries, hire employees, or maintain a customer database, you are already working with personal data. That means you must comply with GDPR. Even a mistake in a consent form or the absence of an internal policy can lead to a fine. We explain which data is protected, who is responsible for processing, which documents must be in order, and how to avoid fines even during an unplanned Roskomnadzor inspection.

What personal data is and who is required to protect it

Any company that works with information about people is legally a _personal data controller._ Using a CRM system, sending commercial offers, and hiring employees automatically impose obligations to GDPR.Improper handling of confidential information leads to fines, lawsuits, and damages trust in the business. In 2023, a major data leak occurred at MTS Bank.

Roskomnadzor confirmed the compromise of personal data of _about one million people._ Full names, phone numbers, tax IDs, dates of birth, and some bank card numbers were leaked online. A breach of this scale created serious risks for customers, as the information could be used by attackers for phishing campaigns and fraud schemes.

Which data the law classifies as personal - Publicly available- full name, phone number, email, social media profile. - Biometric - photographs, fingerprints, CCTV footage, genetic information. - Special - information about health status, nationality, religious and political beliefs, and criminal records. - Other- any other information that the company classifies as personal in its internal policies. Important! The law recognizes any information as personal data, including technical identifiers (IP, cookies), if they can be used to identify a specific person.

This is confirmed by case law, including Roskomnadzor decisions.

Who controls personal data protection and how The state strictly monitors compliance with personal data legislation through a system of supervisory authorities: - Roskomnadzor: checks how the company obtains consent, publishes documents, and organizes data processing workflows. - FSTEC:sets requirements for technical information protection and checks compliance, especially for information systems. - FSB: participates in inspections when the issue concerns the use of cryptographic protection - encryption tools information and data security related to national security. - Prosecutor's Office: can initiate an inspection if it receives a complaint from a citizen about a violation of their rights.

Inspections are carried out _on schedule or unscheduled_ - after a customer complaint or an information leak. Inspectors request internal documents: the organization's privacy policy, orders assigning responsibility for processing personal data, information system classification documents, and the threat model. Example of a Mistake: the inspector will issue a fine for the absence of a log of personal data subject requests, because it shows that the business is not complying with the law's requirement to respond to citizen requests in a timely manner.

Which personal data protection documents a company must have To comply with the law, an organization must develop internal documents that Roskomnadzor checks for. - Personal Data Processing Policy - the main document that describes how the controller collects, stores, and uses data. - Order Assigning Responsibility for Personal Data Processing - without this document, it is impossible to hold a specific specialist accountable. - Consent to Process Personal Data- special forms for customers, employees, and partners that comply with legal requirements. - List of Personal Data Processed - the exact list of what information you store and process. - Personal data handling instructions for employees - rules that prevent accidental leaks caused by employees. - Log of personal data subject requests - contains requests from individuals to access, correct, or delete their data. - Classification act for systems that process personal data - sets the protection level of your databases. Example of a Mistake: a network of medical clinics did not update its consent forms for processing patient health data.

During an inspection, Roskomnadzor fined the company _RUB 75,000,_ because the old forms did not include all legal requirements. Fixing it took a month and required resigning documents with thousands of customers.

Discuss your challenge with an architect

Responsibilities of a personal data operator

The law requires businesses not only to store data, but also to be able to prove it. For noncompliance - fines of up to RUB 500 million. Below are the key obligations for businesses under the law.

Obtain the data subject's consent

Separate consent is required for each data processing purpose. Make sure the document contains the full list of actions with the information, the processing terms, and the controller's full name. Since 2025, requirements for _electronic consent_ have become stricter - to execute it, the personal data controller must use an enhanced qualified electronic signature.

Publish personal data handling rules on the website

The privacy policy on your website shows customers that their data is under control, which reduces drop-off when submitting an application. The document should clearly describe what data you collect, how you store it, and who you share it with.

Assign a data handling owner

Issue the appropriate order and assign a specific employee to monitor compliance with legal requirements. The responsible person will track changes in the law and update documents on time, which will help avoid fines.

Notify Roskomnadzor about starting data processing

You can submit a notice to Roskomnadzor in three ways: online through the official portal, through Gosuslugi, or by the traditional paper method - _before actual data processing begins._Exceptions are the cases specified in Article 22 of GDPR (for example, processing data only for employment relations).

Ensure data security

With a threat model, you will understand exactly where a leak may occur so you can close vulnerabilities in time before customers are affected. Set rules for restricting staff access to information and use technical protection measures. The amendments to GDPR that are in force from September 1, 2025, are changing the approach to cross-border transfer and processing of certain data categories: - _New rules for cross-border data transfer_ - companies can transfer information to EAEU countries through a simplified procedure.

To transfer data to other countries, you must either obtain Roskomnadzor approval or ensure an adequate level of protection in the recipient country, meaning you must prove that data subjects' rights will be protected at least as well as in CIS. - _Clarification of biometric data status_ - biometric data may now be processed only after obtaining the person's written consent. Exceptions apply when the data is processed as part of public services or for access control.

For example, using facial data in the Unified Biometric System requires separate written consent. - _Expansion of personal data subjects' rights_ - citizens gained the right to withdraw consent for data processing through the public services portal. If data is not deleted within 30 days of a client's request, you may receive a fine or a complaint to the prosecutor's office.

Penalties for violations: how much careless handling of data will cost a business

Starting in 2025, lawmakers increased liability for violations of personal data protection rules. In addition to fixed penalties, for repeated breaches there are turnover-based fines, which can reach RUB 500 million. Roskomnadzor can also completely block the violator's website. A notable example is the blocking of LinkedIn in CIS for systematic failure to comply with personal data localization requirements. Let's compare the fines for noncompliance with Federal Law No. 152:

ViolationFine Amount for Legal Entities
Processing Data Without ConsentRUB 150,000-300,000
Failure to comply with data localization requirementsRUB 1,000,000-6,000,000
Failure to notify Roskomnadzor of a leak (new offense)RUB 1,000,000-3,000,000
Breach Involving Data of More Than 100,000 Data Subjects (New Offense)RUB 10,000,000-15,000,000
Biometric Data Breach (New Offense)RUB 15,000,000-20,000,000
Repeated Data Breach (Any Category)1-3% of annual revenue (from RUB 20-25 million to RUB 500 million)

Discuss your challenge with an architect

Implementation Strategy: Building a Personal Data Protection System the Right Way

Implementation costs protection systems many times lower than the size of potential fines and reputational losses from a single leak. We have prepared a concrete plan that you can implement in your company.

Conduct a data audit

Compile an exact list of all information you process. Identify where the data is stored: in CRM, on file servers, in email, or in cloud services. Find out which employees have access to this information and on what basis. This will help you understand the true scope of processing and identify weak points.

Prepare the required documents

Prepare the required set of personal data protection documents described above. Also create an instruction manual for specialists who work with confidential information on a regular basis.

Set up proper consent management

Review your data processing consent forms: make sure they comply with legal requirements, especially those published on the company website. Use a qualified electronic signature for online consent collection. Obtain separate consent for processing special categories of data, such as health information.

Implement technical protection

To ensure the technical security of personal data, it is advisable to involve integrator with experience in information security. This way you can quickly get the expertise you need without expanding your headcount. Specialists can help set up employee access rights according to job responsibilities and implement systems for monitoring information leaks (DLP) and data encryption tools.

When choosing a contractor, look for _FSTEC and FSB licenses_ as well as experience successfully delivering similar projects.

Train employees on data handling rules

Conduct mandatory training for everyone who has access to personal data. Explain how to handle information correctly, create strong passwords, and recognize phishing emails. Employees must respond promptly to suspicious situations and report possible incidents.

Prepare for a possible Roskomnadzor audit

If all documents are prepared in advance, you will pass the inspection quickly and avoid having your website or department suspended. You should have an approved action plan for an unplanned inspection. Assign an employee to work with inspectors and provide the required documents. If processes change but the documents stay outdated, that is grounds for a fine during an inspection.

Update them in advance. These simple steps will help you build a resilientinformation security system, meeting all legal requirements and reducing business risks.

Ensuring data security in educational institutions of the Orenburg Region

Task:13 schools and lyceums were supposed to connect to the federal information system _(FIS FRDO)_, but they did not have an active personal data protection system, which made the transfer of information illegal. Solution: the contractor installed and configured certified protection tools (CIP) - _Secret Net Studio and ViPNet Client,_ and also prepared the full set of required documents and assessed the effectiveness of the implemented measures. Results: - Educational institutions brought information processing into strict compliance with personal data law requirements. - Ensured secure transmission of information to FIS FRDO without the risk of fines. - Received an official conclusion on the effectiveness of protection measures, valid for 3 years.

How Vector-Retail implemented personal data protection and avoided fines during an inspection

The large retail chain Vector-Retail faced the risk of losing customer data (card numbers, purchase histories) and employee data.

The company decided to proactively implement a comprehensive protection system before a Roskomnadzor inspection. Task: protect personal information to prevent data compromise, avoid large fines, and preserve your business reputation. Solution: the expert team implemented a multi-layered personal data security system, following a clear plan: - Identified the objectives.

We identified that protecting online payment data and customer account portals was critical. - We defined unacceptable events. We banned sending unencrypted databases by email and access to them by employees without a business need. - We prepared a strategy. We developed procedures that separated data access for HR, marketing, and accounting. - We integrated protection into processes.

Within 2 weeks, we implemented a DLP system to monitor leaks, configured encryption for data transfer channels, and updated access rules for the CRM and document storage systems. Results: - Reduced unauthorized access attempts by 95%. - Cut potential incident detection time from several weeks to 1 hour. - Achieved full compliance of workflows with GDPR requirements and avoided fines during a scheduled inspection.

Personal data protection as a competitive advantage

Investments in personal data protection is often seen only as a cost of complying with legal requirements.

A reliable security system also becomes a powerful marketing tool and increases company valuation. Research confirms: brands that manage customer data transparently increase loyalty and attract more customers willing to pay for trust.

How personal data protection increases business value: - Attracting Investors and Buyers - serious investors and legal teams conduct due diligence before a transaction, carefully reviewing compliance with personal data laws.

If personal data is in order, the deal gets approved faster and on better terms. - Lower Cyber Risk Insurance Costs - insurance companies offer lower cyber insurance rates to organizations that can prove they have deployed certified security tools and put the necessary organizational measures in place. - Higher Sales Conversion - when customers see on the website not a formal but a detailed and clear privacy policy explaining how their data is protected, they are more likely to place orders and share contact details. - Lower operating costs - when you set up personal data processes correctly from the start, you do not need to keep revising documents, urgently fixing mistakes, or pulling employees into unscheduled corrections.

You spend fewer resources on administration, and your specialists focus on core tasks instead of dealing with the consequences of chaotic data management. - Faster Entry into International Markets - having a working personal data protection system that meets CIS standards becomes a solid basis for adapting to GDPR or other foreign requirements, saving months of work and hundreds of thousands of rubles at the start of expansion.

Interestingly, companies that _publicly disclose information leak incidents and transparently fix mistakes_ often strengthen their reputation in the long run. According to expert estimates, transparent risk management builds an image of a trustworthy partner for customers, one that is ready to take responsibility. Personal Data Protection- it is no more difficult than accounting or HR work.

To avoid fines and losing customer data, it is important to get organized in time: determine what information you collect, who has access to it, and which documents need to be prepared. Inspections are taking place across the country, and Roskomnadzor requests specific data - it is better to be prepared in advance.

Discuss your challenge with an architect

Discuss the article: Personal Data Protection under GDPR

Send via: