The article of the Administrative Code “Violation of the legislation of the Russian Federation in the field of personal data” does not actually provide for punishment for the leakage of PD, Alexey Karyagin, a leading consultant at the center of competencies for information security of Technoserv, told RSpectr. For example, in the European Union, a fine for violation can reach up to 20 million euros or 4% of the violator’s turnover according to the PD protection Regulation (GDPR).

Makar Kolyada, “Castorama RUS”:

– In Russia, the fine for leaking PD is 30 thousand rubles. Since no one complains, it means that no operator is afraid of a fine. If it grows to 500 thousand rubles for each violation, the approach will change instantly. Responsibility also needs to be personalized. It is important to provide it for everyone who works with personal data.


It turns out that there are a lot of intermediaries among IT companies that do not interact directly with either PD owners or data operators. These are various aggregators of aggregators, subcontractors of subcontractors. M. Kolyada says that it is impossible to hold these intermediate links accountable now – there is no evidence. Because the subject of personal data simply does not know who his data got to.

“It is difficult for Roskomnadzor to find a real source of personal data leakage. To solve this problem, it is possible, as in the EU, to introduce a new subject of responsibility into the law – the controller of personal data, or issue explanatory acts at the level of Roskomnadzor or the Ministry of Finance, which will indicate how to conduct an investigation and who to involve. Or it can be a ruling of the Supreme Court, which will create a practice, since this mechanism really works in Russia,” M. Kolyada believes.

  1. Parfentiev proposes to make clear amendments to the law. “The regulatory documents contain detailed measures to protect PD. In the same No. 152-FZ there are references to the requirements of the FSTEC, and they, in turn, provide for almost all protection options, depending on the field of data processing and threats relevant to it. The problem is that business does not understand these requirements. Few people will follow the links from the law and delve into the multivolume prescriptions of the FSTEC,” explains A. Parfentiev.

This is especially true for small businesses that store personalized customer information in CRM.