Personal data information system: how to classify a PDIS, choose a security level, and comply with GDPR

A guide to personal data information systems: data classification, security levels, protection requirements, and steps to comply with GDPR.

  • What is a personal data system
  • What data counts as personal
  • Duties of a PDIS operator
  • PDIS security levels: how to determine them without mistakes

CIS businesses pay multimillion-ruble fines every year for violating personal data processing requirements. Most incidents stem from a lack of understanding of what a personal data information system (PDIS) is and how to protect it properly. Let's break down what a PDIS includes, how to classify it, what security levels exist, and what consequences businesses face for violations.

What is a personal data system

Any organization that stores data on employees, clients or partners is a personal data operator. Personal Data Information System (PDIS) - is a company's automated system that handles personal information. It covers CRM, databases, HR software and any other tool that collects, stores or processes personal information. Put simply, if your business uses computers and software to handle customer or employee data, you have a PDIS.

What data counts as personal: 4 categories by sensitivity level

Types of PDIS

Cross-functional

They process data on different categories of people - for example, clients, employees and partners. Large companies build them to optimize business processes and cut costs. For instance, a bank may use a single platform to score borrowers and calculate salaries.

Functional

They handle specific tasks in individual company departments. These are CRM platforms for the sales team, HR systems in the HR department, or marketing platforms for analytics.

Accounting and management systems

They automate internal processes - track working hours, calculate vacation and sick leave, manage access to premises.

Information and reference

They provide information to a limited group of users. For example, a counterparty verification system in the legal department or a loyalty database in a retail chain.

Duties of a PDIS operator

To avoid overpaying for security and breaking the law, a business must classify its personal data system correctly. The operator is responsible for personal data security at all times — from the moment data is collected until it is deleted. The business must implement protection system, capable of effectively countering current threats.

Specific requirements for building such a system are set by _GDPR and Government Decree No. 1119._ Law GDPR sets the basic rules: what is allowed, what is not, and who is responsible for it. Decree No. 1119 indicates which security measures to use and in what situation. It is what establishes _4 protection levels (PL)_ for the system, depending on which data you process and how many clients or employees you have.

What to do in practice: 1. Determine the protection level (PL) - exactly what data you store (standard or sensitive). This determines which protection tools you will need. 2. Choose licensed information protection tools (IPT) - FSTEC and FSB approve the list of permitted software and hardware solutions. You cannot use any tools you like - they must be approved by the regulators.

3. Assemble a package of internal documents - a data processing policy, staff regulations and a process register so you pass inspection without questions. 4. Notify Roskomnadzor - as soon as you start collecting personal data, you must notify the supervisory authority. 5. Sign proper contracts with contractors - if you outsource data handling (for example, to the cloud), the contract must require the contractor to protect the data exactly as you do.

Compliance with these requirements is monitored by: - Roskomnadzor - checks how you collect data and respond to citizens' requests. - FSTEC - assesses how you have organized technical information protection. - FSB - oversees the use of encryption (cryptography). The law requires businesses not merely to have documents, but to maintain active, continuousinformation protection.

Get the data category wrong or overlook requirements - and you risk a fine of up to 15 million rubles.

Discuss your challenge with an architect

PDIS security levels: how to determine them without mistakes

Choosing the right protection level determines how much you spend on security systems and which measures you implement. A mistake leads _to two risks:_ you overpay for unnecessary protection or leave data vulnerable, which risks leaks and fines.

To understand how to protect the system, you need to consider 4 key aspects

The legislation divides threats into three categories

How the protection level affects business risks and costs

SLThreat typeWhat to doPractical business benefits
SL-1Type 1 threats (OS and DBMS vulnerabilities)Deploy the maximum set of protection tools, including data leak prevention (DLP) systems and strong encryption. Obtain a compliance certificate.Pass Roskomnadzor and FSTEC inspections with confidence. Build greater trust with major partners.
SL-2Type 2 threats (application software vulnerabilities)Install a firewall, antivirus protection and access control software.You effectively protect the most vulnerable data while minimizing reputational risks.
SL-3Type 3 threats (human factor, insiders)Implement a password policy, segregate employee access rights, and maintain activity logs.You comply with the law at minimal cost, focusing on basic but reliable protection.
SL-4Type 3 threats in limited formAdopt an internal data processing policy and obtain consent from data subjects.Run marketing legally without overspending on complex security systems.

Let's look at an example. A plant with 5,000 employees processes passport data and medical clearance certificates for work admission, and uses an access control system with fingerprint identification. - _What data is involved_ - other (passports), special (medical certificates), and biometric (fingerprints). - _Protection level_ - the presence of biometric and special data automatically requires PL-2 for these systems. - _Threat type_ - a system storing passports and medical certificates is characterized by type 2 threats (vulnerabilities in HR software), while a fingerprint system faces type 1 threats (attacks on the server's operating system).

Protection and PDIS organization requirements

Once you have determined the PL, you can start designing the protection system. Specific requirements for personal data protection are set by _FSTEC Order No. 21._ Organizational measures - are the basis on which you will be checked in the event of a complaint or audit. They require developing and approving mandatory documents that govern how data is handled, access rights, incident response procedures and employees' individual responsibility.

You need to prepare

Technical protection measures include the following tools

Companies that have deployed secure PDIS not only avoid fines but also demonstrate their reliability to clients and partners.

Step-by-step PDIS protection plan: from audit to system certification

Companies that have deployed secure PDIS not only avoid fines but also gain a real competitive advantage by demonstrating their reliability to clients and partners. Follow the plan — a clear step-by-step algorithm will help minimize costs and build your security system consistently and soundly. ###

Step 1: Audit and classify the system

Compile a complete register of all processes and storage locations for personal data. Record where and how you process data: in CRM, HR departments, accounting. Precisely define the data categories - standard (full name, phone numbers) or special (health status). Based on this information, classify the PDIS by security levels. ###

Step 2: Prepare organizational and administrative documentation

You need to create a package of internal policies that will serve as the foundation for all processes (described above). Such documents prove to the auditing authority that you run an orderly operation, not chaos. ###

Step 3: Deploy technical protection measures

Once you have determined the protection level, select and deploy certified information security tools. A contractor can help you - system integrator, which will select certified information security tools matching the protection level, test and deploy solutions in pilot zones before a full-scale rollout. The contractor will also configure integration of the security tools with your IT infrastructure and develop technical documentation for the protection system. ###

Step 4: Train staff and certify the system

Train your team: run briefings on using protective mechanisms and following procedures. Put all developed documents into effect and obtain a _compliance certificate_ (issued for 3 years and serving as strong proof of your good faith).

Financial risks

As of May 30, 2025, penalties for legal entities have risen significantly, and repeat violations now carry _turnover-based penalties_ calculated as a percentage of company revenue rather than as a fixed sum.

Direct impact on business metrics

Reduced operating profit

Fines of 1–3% of revenue can "swallow" a significant part of a mid-sized business's quarterly profit.

Blocked growth

Funds earmarked for marketing, procurement, or upgrades will have to be redirected to paying penalties.

Loss of investment appeal

A company with a "violator" reputation and the risk of suspended operations becomes less attractive to investors and partners.

Penalties for legal entities for personal data breaches

ViolationFine
Data compromise affecting 1,000-10,000 people3-5 million rubles
Disclosure of data on 10,000-100,000 individuals5-10 million rubles
Violation involving the processing of over 100,000 records10-15 million rubles
Disclosure of special categories of data (health status, beliefs)10-15 million rubles
Compromise of biometric data15-20 million rubles
Repeat violation of protection requirementsTurnover-based fine of 1-3% of annual revenue (floor: 20-25 million rubles; ceiling: 500 million rubles)

A real case of a personal data information system and the consequences of weak protection

  1. Successful protection system upgrade at an insurance company

  2. A large insurance company launched _a major upgrade of its personal data protection system_ for processing voluntary medical insurance (VMI) policies.

  3. The company processed special categories of health data for _500,000+_ clients, which required compliance with _PL-2._

  4. In the first stage, the expert team conducted IT infrastructure audit, which identified risk areas in the company's IT systems.

  5. Based on the audit results, the specialists deployed a comprehensive security system: - configured a DLP system; - encrypted data transfer channels between branches; - segregated access to medical information among insurance agents, medical institutions and accounting.

  6. After installation incident monitoring systems the business began responding to threats in 15 minutes instead of a full day.

Results after 6 months

Legal consequences of weak data protection at a microfinance organization

Consider another example - how a weak security system and identification leads to direct financial and reputational losses. A microfinance organization faced a lawsuit from a citizen who claimed he had never signed a loan agreement or consented to the use of his personal data.

During the court proceedings, it emerged that the contract had been concluded _remotely via the website using an_ _SMS code_ sent to a number registered to a different person.

The court found that the company lacked a reliable client identification system, which led to unauthorized data processing and the conclusion of a contract. Result: the court ordered the company to delete the plaintiff's personal data and stop processing it, confirming a direct link between flaws in the protection system and financial losses.

FAQ

FAQ

What is a personal data system (PDIS)?

A personal data information system is any software or database where you store and process the data of clients, employees, or partners: CRM, HR systems, and even Excel spreadsheets with clients' phone numbers and emails.

Which companies need to protect personal data?

Everyone. If you store data on employees, clients, or counterparties, you are a personal data operator. This applies even to small companies with a client base in Excel.

Is registering a PDIS mandatory?

Yes, but not the system itself — rather the fact that confidential information is being processed. The law requires organizations to notify Roskomnadzor before they begin working with personal data. Exceptions apply when:

- you process only employee data;

- you collect contacts for one-time passes;

- you obtained the data from publicly available sources.

How to determine how well protected a PDIS is?

To understand how well a system is protected, you must establish its security level. The SL depends on the data category and the number of people whose information you store. The higher the level, the more serious the protection measures must be — from passwords to encryption and specialized software.

What happens if you don't protect your personal data system?

Businesses face penalties: from 3 to 20 million rubles, and for a repeat offense - up to 3% of revenue. Beyond money, you lose clients, partners and reputation.

{{cta}}

Discuss the article: Personal data system: how…

Send via: