Handling personal data: how companies can protect themselves from inspections, leaks, and Roskomnadzor fines

What businesses need for secure handling of personal data, how Roskomnadzor inspections work, and what risks arise.

  • What personal data is and who a controller is
  • Who Roskomnadzor is and how it relates to operators
  • What a personal data controller must do
  • Check how exposed your company is to risk

Many companies do not realize that even a simple website form with the "Name and phone" field already falls under personal data law. We explain what counts as personal data, how Roskomnadzor oversight works, what penalties apply for violations, and how to protect your company from inspections and leaks. We will show real cases, provide a checklist, and explain how to prepare for an inspection.

Discuss your challenge with an architect

What personal data is and who a controller is

Personal data - this is information that can identify a specific person, even if it is not fully provided.

The law does not provide a complete list, so many things can fall under it: - full name, phone number, date of birth, email. - passport, tax ID, SNILS, driver's license. - photos, video, fingerprints (if used for identification). -

Overview

Personal data operator - this is a company or sole proprietor that decides which data to collect and why.

If you have a customer base, take requests from a website, or keep employee records, you are an operator.

In other words: almost any business that works with information about people falls under the requirements the Personal Data Law.

Who Roskomnadzor is and how it relates to operators

Roskomnadzor (RKN)- this is the government authority that ensures organizations handle personal data properly.

Its task is to protect citizens' rights and ensure compliance with the law.

Here is what it does: - Maintains the register of operators- companies are required to notify Roskomnadzor when they begin processing personal data.

Business context

- Checks compliance with the law- inspections can be scheduled or unscheduled - if a complaint is received. - Monitors key requirements- this means data localization in CIS, obtaining processing consents, and maintaining internal documentation.

What a personal data controller must do

Working with personal data requires regular oversight and well-defined processes. Below are the key steps an operator must take to avoid a fine from Roskomnadzor.

Check how exposed your company is to risk

The regulator first checks those who process data of more than 100,000 people, use biometrics or medical information, or transfer data abroad. If you meet one or more of these criteria, pay special attention to data protection and proper process documentation.

Appoint a person responsible for personal data

This can be HR, a lawyer, or a dedicated specialist. They will handle documents, employee notifications, and communication with the regulator.

Collect the minimum amount of data

Do not ask customers for unnecessary information. For example, order delivery only requires full name, address, and phone number. The less data you collect, the lower the risk. Review the forms on your website and in your office - you may be requesting more than necessary.

Do not forget to submit a notice to the regulator

This can be done through the Roskomnadzor website or Gosuslugi. The notice must be submitted before processing sensitive information begins. The fine for not doing so is from 100,000 rubles.If you change the processing purposes or the responsible person, you must also submit updated information. Example of a violation: The company submitted a notice but did not list a third-party CRM system. Roskomnadzor found the violation, issued an order and a fine, and the organization had to urgently redo its documents.

Prepare the required internal documents

- Personal data processing policy - publish it on the website. - Consent forms - separate one for each purpose. - An order appointing the responsible employee. - Instructions for employees. Important! Consent must be a separate document, not a line in a contract. If you share data, for example with a courier, separate consent is required.

Store data in CIS

All personal data of CIS citizens must be stored on domestic servers. Connecting a foreign service implies cross-border transfer - it requires separate consent and additional safeguards. If you use a foreign service, such as a CRM, you are at risk.

Process citizen requests

A person may request information about their data and demand that it be deleted or changed. Response time - 30 days. Create a dedicated email address for such requests, train employees, and keep a request log.

How Roskomnadzor Controls Personal Data: Inspections and Penalties

The regulator monitors how companies comply with personal data law. But it does not do this alone - oversight is split among three agencies, and each is responsible for its own area: 1. RKN checks the legal side: notice of processing start, presence of a policy, and validity of consents. 2. FSTECassesses technical protection: whether the necessary software is in place, how the servers are configured, and whether the network is protected. 3. FSBapplies if you use encryption or work with biometrics.

If you have a complex IT system or collect sensitive data, be ready to work with several authorities. What exactly Roskomnadzor checks: the inspection often starts with website monitoring. Automated systems look for errors, for example, no privacy policy or a consent collection form that does not meet the requirements. Such violations can become grounds for a deeper inspection.

Inspectors assess: - Documents- whether there is a data processing policy, whether it is published on the website, and whether consents are properly completed. - Notice- whether it has been submitted to Roskomnadzor and whether the information in it is up to date. - Process organization- whether a personal data officer has been appointed, whether employees have been trained, and whether there is a process for handling individual requests. - Data transfer- whether contracts with contractors include terms on data protection and confidentiality.

Inspections can be scheduled (on schedule) and unscheduled - for example, due to a user complaint or a data breach. Unscheduled inspections are announced at least 24 hours in advance.

How often they inspect: risk categories. Roskomnadzor assigns companies to categories based on the potential harm from violations - it checks first those who: - process data of more than 100,000 people; - use biometrics or sensitive data (health, nationality, and others); - use foreign software to collect or store data; - transfer data abroad. The higher the risk, the more frequent the scheduled inspections: from once every 2 years to once every 6 years.

But even with a low risk category, unplanned inspections are possible. Penalties for violations - Failure to submit a notice to Roskomnadzor - up to 300,000 rubles. - Processing data without consent - up to 700,000 rubles. - Violating localization requirements - up to 6,000,000 rubles. - Causing a data leak - up to 15,000,000 rubles, and up to 500,000,000 rubles for repeat violations. How to reduce the risk: If you have not yet submitted the notice, do it now. It is a simple way to show that you operate by the rules.

Not being in the register is a clear violation that almost guarantees an unplanned inspection. Voluntary notification does not "draw attention"; on the contrary, it reduces risk. This is your first step toward lawful and secure work with personal data.

Discuss your challenge with an architect

Practical cases: how companies are held responsible for personal data violations

Let's look at real examples of companies that violated personal data law and faced the consequences.

Data breach at Yandex.Eda

What happened: In 2022, data about orders from Yandex.Eda customers leaked online: phone numbers, addresses, names, and order amounts. The breach affected about 6.9 million records. The data was visualized on an interactive map, and some customers were able to identify themselves. Reason:At first, the company said an employee was to blame.

However, it later turned out that the vulnerability was tied to external hosting inherited from another company. Response: Roskomnadzor conducted an inspection and fined Yandex.Eda LLC 60,000 rubles.

A criminal case was also opened, and some users received compensation through the courts. What the company did: - apologized to customers. - Moved the data to a secure storage. - Reduced the number of employees with access to the data. - Strengthened information security process audit.

Data breach at SberLogistics

What happened: In 2023, personal data of customers and employees of Sber's logistics division became publicly available. The leak covered more than 1.3 million rows of data from 2016 to 2023. Reason: According to experts, the breach was carried out by a hacker group that had previously attacked other companies. Suspicion fell on the weak link - contractors or internal systems. Response: "SberLogistics" did not confirm the accuracy of the data immediately, citing a possible compilation of older databases.

Information about the fines was not disclosed publicly.

Delivery Club data breach

What happened: In 2021, confidential information from the Delivery Club database was leaked online. The breach affected more than 1 million records. They included customers' full names, phone numbers, delivery addresses (with floor numbers and intercom codes), email addresses, and the contents and amounts of orders for a given period. Reason: The company confirmed the breach and apologized. It also emphasized that customers' payment data was not affected.

However, the exact cause of the incident was not disclosed publicly. Consequences: Although finances were not affected, the exposure of habits, routes, and delivery addresses created a serious privacy risk for users. It is important to protect not only payment data. Contact information, order history, and customer preferences are also personal data and are valuable to attackers. The reputational risks from such a leak are comparable to losing banking data.

Personal Data Protection: Continuous Audit and Monitoring

Regulators care less about whether documents exist and more about how well systems are actually protected. A proactive approach helps identify weak points before attackers or supervisory authorities exploit them. The main source of risk is employees. Up to 70% of incidents happen because of staff actions: by mistake or deliberately.

To spot problems in time, use systems in the class DLP and DCAP, which analyze employee behavior and help detect attempts to transfer personal data. The purpose of such systems is not surveillance, but monitoring potentially risky actions. The audit must run continuously. Checking security once a year is ineffective. Reliable protection requires regular monitoring.

Large companies set up security operations centers (SOCs) for this, monitoring system events 24/7. If you are a small or medium-sized business, your own SOC may be excessive. But you can add the tools you need or outsource the audit. What to use - tools and their business value:

What they monitorTool examplesWhat the business gets
Employee actions involving dataDLP, DCAP (data control and analysis systems),
user activity monitoring systems
Detecting risky actions, preventing leaks,
reducing the impact of the human factor
Attacks and Cyber ThreatsSIEM and EDR solutions, Threat Intelligence (threat analytics),
NDR network detection systems
Rapid detection of attacks, blocking of infected devices,
Damage minimization
Regulatory compliancesecurity tools, cryptographic protection tools, vulnerability scanners,
certified solutions
Proof of compliance with the law -
Critical for inspections, licenses, and audits

How to Check Your Company for Roskomnadzor Compliance

  1. Experts predict, that in 2026 cyber threats will continue to evolve and regulators will keep tightening oversight.

  2. To avoid surprise inspections and fines, businesses should regularly check how personal data handling is organized.

  3. Our checklist will help you assess your company's readiness. Important:

  4. Roskomnadzor now looks not only at your internal documents, but also at how you transfer data to contractors - logistics providers, call centers, and marketing agencies.

  5. If the contract does not specify the exact list of data being transferred, the purposes, and the protection terms, you are also responsible for their mistakes.

  6. This is one of the most common reasons for fines.

  7. Moreover, Roskomnadzor uses automated systems and AI to detect violations, for example by scanning websites for required documents and analyzing breaches in open sources, which allows inspections to begin even without complaints. Tip: Do not wait until the site is blocked or a customer files a complaint.

  8. Perform a self-audit at least once every 6 to 12 months.

  9. This is cheaper and easier than dealing with an unplanned inspection later.

Checklist: self-check before a Roskomnadzor inspection

Documents and notice to the regulator. -

- Are the details in the notification up to date (purposes, responsible person, etc.)? -

Is there a personal data processing policy on the site, and is it accessible from any page? -

Are consent forms for processing prepared as separate documents, and do they specify the purposes? -

Has the person responsible for personal data been appointed by an official order? 2.

Do you collect only the data needed for work, without extra fields? -

Is there client consent or a contract if the data is passed to a contractor (for example, a courier)? -

Is there a process for handling citizen requests (correction, deletion, copy)?

Do employees receive training on handling personal data? 3.

Do you store databases containing CIS citizens' data on servers in CIS? -

Is multi-factor authentication used to access systems with personal data? -

Are licensed antivirus tools installed and software updates configured? -

Are logs kept for data processing and citizen requests?

FAQ

FAQ: Common questions about personal data handling

1. What counts as personal data?

Anything that can identify a person: full name, phone numbers, addresses, email, photos, order history. There are separate categories: sensitive data (for example, health) and biometric data (fingerprints, video, photos for recognition).

2. Is consent always required?

Not always. Consent is required if you use data for marketing, share it with partners (for example, a courier), or work with biometrics. For contract performance, such as delivery or payroll, consent is not required, but the data still must be protected.

3. Is it mandatory to store data in CIS?

Yes. If you process data of CIS citizens, you must store it on servers in CIS. Using foreign CRM, hosting, or cloud services without the client's consent is already cross-border transfer and a potential violation.

4. What are the penalties for a data breach?

Fines for a breach can reach 15 million rubles. For repeated violations, they can reach 500 million rubles or 3% of company revenue. It is important to notify the regulator within 24 hours, or the fine increases.

5. How often are inspections conducted?

Roskomnadzor uses a risk-based model. It most often inspects those who work with biometrics, process data of more than 100,000 people, or use foreign software. Low-risk companies are checked less often.

6. Can Roskomnadzor inspect a website remotely?

Yes. An automated inspection system looks for violations on websites: missing privacy policies, incorrect consent forms, and other issues. The inspection may start without warning.

7. What should you do if a customer or employee asks to delete their data?

You must stop processing and delete the information within 30 days of receiving the request, if there is no legal basis to keep it (for example, contract performance or tax recordkeeping requirements).

Important: There must be an internal process for handling such requests, with a responsible employee, fixed deadlines, and a response template. This will help protect against complaints and claims.

8. Where should you start to stay compliant with the law?

- Determine what data you collect and why.

- Submit a notification to Roskomnadzor.

- Publish the Data Processing Policy on the website.

- Set up consents and internal documents.

- Check where the data is stored - move it to CIS servers if needed.

These steps will help avoid problems and show that you operate by the rules.

{{cta}}

Discuss the article: Working with personal data: how...

Send via: