Federal Law No. 152-FZ and personal data: from the form on the website to the managed privacy environment

Personal data rarely lives in one document or one system. It passes through the website, CRM, HR processes, personal accounts, mailings, analytics, integrations, logs and AI scripts. RESTART helps to see this landscape in its entirety: what is actually collected, where it is stored, who has access, what consents and documents are needed, and what technical measures must be built into the architecture.

Where a company quietly becomes a personal data operator

Federal Law No. 152-FZ concerns not only banks, medicine and government services. A company becomes an operator of personal data when it itself determines the purposes and methods of processing: accepts applications on the website, maintains a CRM, collects resumes, connects a personal account, records calls, stores the history of calls, launches mailings, uses behavior analytics, or transfers data to contractors.

Therefore, the page is useful for heads of IT, information security, legal functions, marketing, HR, e-commerce and product teams. The question is not whether the site has a personal data policy. The question is whether this policy matches the actual data path within the company.

What should become clear after checking

A good diagnosis of Federal Law No. 152-FZ should provide a management picture, and not just a set of amendments to documents. After verification, it should be clear what categories of personal data are collected, for what purposes, on what basis, in what systems they are stored, who has access, to whom the data is transferred, where there is cross-border transfer, how consent is recorded, how data is deleted and how the company responds to requests from subjects.

Data and Goals

What fields are collected in forms, CRM, HR, personal accounts, chats, calls, logs and analytics, and why the business really needs them.

Systems and access rights

Where the data is located: website, backend, CRM, 1C, service desk, BI, mail, clouds, backups, test environments and integrations.

Documents and consents

PD processing policy, consent forms, notifications, register of processes, roles of operator and processor, grounds for processing and provability of consent.

Control and operation

Retention periods, deletion, logging, access rights, incidents, subject requests, owner responsibilities and regular updating.

Why is this not just a legal task?

Lawyers can prepare correct formulations, but they do not see all the technical routes: where the frontend sends the application, what the backend writes in the logs, who reads the CRM, what data goes to the mailing service, what ends up in BI, where the Excel downloads are located and what fields are used in the AI assistant. IT and information security, in turn, do not always know what processing purposes and storage periods should be recorded in documents.

The practical outline of Federal Law No. 152-FZ appears at the intersection of law, architecture, development, operation and information security. RESTART is useful precisely in this place: we translate regulatory requirements into an understandable backlog for the site, backend, CRM, access rights, logs, documents, processes and vendor protections.

How RESTART assembles a practical environment for Federal Law No. 152-FZ

| Layer | What are we working on? | What does the customer get? |
| --- | --- | --- |
| Legal and procedural | Purposes of processing, grounds, consent, notification, requests of subjects, roles of owners, storage and deletion regulations. | Documents and processes that correspond to the actual operation of systems, rather than living separately from IT. |
| Architectural | Website, forms, API, CRM, HR, personal accounts, 1C, BI, integrations, storage, test environments and backups. | Data processing map and list of points where you need to change logic, access rights, storage or data transfer. |
| Information security | ISPDn, threat model, security levels, information security, CIPF, DLP, IAM/PAM, logging, monitoring and incident response. | A clear set of technical and organizational measures that can be defended to information security, audit and management. |
| AI and data | Use of personal data in RAG, chat bots, analytics, logging, training samples, anonymization and test sets. | The boundaries of the safe use of AI: what data can be used, how to mask it, who checks the answers and where human review remains. |

When technical measures are needed based on the results of the survey, the PD environment goes into implementation of information security: setting up access, logs, endpoint protection, configuration control, virtualization protection and operational regulations.

For ISPD, the endpoint layer is important where operators, administrators and service users work with personal data: RESTART connects protection of workstations and servers with access rights, logs, DLP, SIEM and operating regulations.

Data processing map

The first practical result is a PD processing map. It shows not only public forms, but also hidden routes: webhook from the site to CRM, email notifications to managers, lead export, telephony integration, HR services, attachments in applications, internal chats, application logs, backups and test environments.

Such a map helps a business make decisions without guesswork: which fields can be removed, where masking is needed, which access rights should be reviewed, which processors should be specified in documents, which processes should be transferred to regulations and which systems should be moved to a separate ISPD.

Terms without fog

PDn

Personal data is information that relates directly or indirectly to a specific person: name, phone number, email, position, resume, client ID, conversation record, call history and other bundles of characteristics.

PD operator

An organization that determines the purposes and methods of data processing. A contractor, CRM platform or cloud service often acts as a processor in the operator’s environment.

ISPDn

Personal data information system: website, CRM, HR system, personal account or other IT environment where personal data is collected, stored, changed, transferred or deleted.

SZI and CIPF

Information security tools and cryptographic information protection tools: classes of solutions for access control, encryption, channel protection, control of actions and implementation of regulatory measures.

DLP, DBF/DAM

DLP reduces the risk of leaks through email, files and communication channels. DBF/DAM helps control database access, table operations, and suspicious queries.

DSAR/subject request

The global term DSAR refers to a person's request about their own data. In the Russian environment, this is the process of receiving, checking, executing and recording requests from the subject of personal data.

Guidelines for Russian and global practice

In the Russian environment, the basic guidelines remain Federal Law No. 152-FZ “On Personal Data”, the Roskomnadzor portal on personal data, FSTEC requirements for protection measures in ISPDn, including FSTEC order No. 21, as well as industry requirements for banks, telecoms, medicine, e-commerce and government systems.

World practice helps to look beyond formal compliance. The NIST Privacy Framework views privacy as risk management at the enterprise level. ISO/IEC 27701 describes the privacy management system as an extension of the ISO/IEC 27001 approach. The GDPR approach is important for companies with international clients and cross-border processes. The OWASP Top 10 Privacy Risks list is useful for checking web applications, personal accounts and client services.

How AI helps in the PD environment

AI does not replace a lawyer, CISO or person responsible for processing personal data, but it helps to quickly see what usually gets lost in large environments. AI tools can find PD fields in forms and documents, classify uploads, compare policies with actual forms, look for inconsistencies in regulations, highlight risky logs, help with masking test data, and prepare draft test questions for audits.

For enterprise applications, it is important that such AI operates within a secure environment: with access rights, logging, restriction of sources, RAG on approved documents, human verification, and a ban on transferring sensitive data to external services without a separate solution. AI then becomes a tool for accelerating privacy work, rather than a new source of uncontrolled processing.

What does the business get?

Less regulatory uncertainty

It is clear which processes have already been closed, where there is a risk, what needs to be fixed quickly, and what can be included in the roadmap.

Launch digital services faster

Forms, personal accounts, CRM integrations, AI scripts and analytics receive requirements at the start, rather than just before the release.

Safer data for AI and BI

Rules for masking, accessing, logging, and using data in analytics, tests, and RAG scenarios appear.

Clear responsibility

Each process has an owner, a storage period, the basis for processing, technical measures and a route for responding to the subject’s request.

First step

It makes sense to start with a diagnostic lasting 10-15 working days. At this stage, RESTART looks at the site, forms, personal data policy, consents, CRM/HR/personal accounts, integrations, backend logs, access roles, application storage, cookies/trackers, AI scripts and data transfer to contractors.

The result of the first stage is a PD processing map, a risk register, a list of necessary documents and consents, requirements for frontend/backend, recommendations for information security, masking, access, storage, deletion and procedures for working with requests from subjects.

Frequently asked questions

Is it possible to limit ourselves to a policy on the site?

Not if real forms, CRM, mailings, HR processes, personal accounts and integrations work differently. The document must reflect actual processing, otherwise it creates a false sense of control.

How does an ISPD differ from a regular CRM?

CRM can be part of the ISPD if personal data is processed in it. Then not only customer cards are important, but also access, logs, downloads, integrations, backups and operating regulations.

Can personal data be used in AI?

This is possible only after determining the purpose, basis, composition of the data, place of processing, access, logging and security measures. Many scenarios require masking, anonymization, RAG against approved sources, and human verification.

Does RESTART provide a legal guarantee of compliance with Federal Law No. 152-FZ?

We do not promise "full compliance" without auditing a specific environment. Our role is to find gaps between documents, systems and processes, prepare practical requirements and help implement them together with IT, information security and the customer’s lawyers.

Partner solutions for protecting personal data

In projects under Federal Law No. 152-FZ, RESTART can assemble a technological environment from solutions for protected workstations and servers, CIPF, firewalling, DLP, DBF/DAM, masking, access control and initial verification of public site parameters. Depending on the architecture, Security Code, AXIOMA AI, Confident, InfoTEX, UserGate, DAMASCUS, Garda, InDEED and Kaspersky are applicable.

Partners are listed as the technology backbone of the solution class. The specific composition of products, versions, licenses, certificates and delivery conditions are confirmed before the project.

Let's discuss your environment

Describe the task, current systems, constraints, and expected results. We will offer a practical first step: diagnostics, pilot, audit, roadmap or project team.
