The regulator monitors how companies comply with personal data law. But it does not do this alone - oversight is split among three agencies, and each is responsible for its own area: 1. RKN checks the legal side: notice of processing start, presence of a policy, and validity of consents. 2. FSTECassesses technical protection: whether the necessary software is in place, how the servers are configured, and whether the network is protected. 3. FSBapplies if you use encryption or work with biometrics.
If you have a complex IT system or collect sensitive data, be ready to work with several authorities. What exactly Roskomnadzor checks: the inspection often starts with website monitoring. Automated systems look for errors, for example, no privacy policy or a consent collection form that does not meet the requirements. Such violations can become grounds for a deeper inspection.
Inspectors assess: - Documents- whether there is a data processing policy, whether it is published on the website, and whether consents are properly completed. - Notice- whether it has been submitted to Roskomnadzor and whether the information in it is up to date. - Process organization- whether a personal data officer has been appointed, whether employees have been trained, and whether there is a process for handling individual requests. - Data transfer- whether contracts with contractors include terms on data protection and confidentiality.
Inspections can be scheduled (on schedule) and unscheduled - for example, due to a user complaint or a data breach. Unscheduled inspections are announced at least 24 hours in advance.
How often they inspect: risk categories. Roskomnadzor assigns companies to categories based on the potential harm from violations - it checks first those who: - process data of more than 100,000 people; - use biometrics or sensitive data (health, nationality, and others); - use foreign software to collect or store data; - transfer data abroad. The higher the risk, the more frequent the scheduled inspections: from once every 2 years to once every 6 years.
But even with a low risk category, unplanned inspections are possible. Penalties for violations - Failure to submit a notice to Roskomnadzor - up to 300,000 rubles. - Processing data without consent - up to 700,000 rubles. - Violating localization requirements - up to 6,000,000 rubles. - Causing a data leak - up to 15,000,000 rubles, and up to 500,000,000 rubles for repeat violations. How to reduce the risk: If you have not yet submitted the notice, do it now. It is a simple way to show that you operate by the rules.
Not being in the register is a clear violation that almost guarantees an unplanned inspection. Voluntary notification does not "draw attention"; on the contrary, it reduces risk. This is your first step toward lawful and secure work with personal data.
Discuss your challenge with an architect