Personal data: Top Five Internal Controls


The protection of personal data is one of the major challenges of today's world. Cases of data leaks becoming public draw the attention of the media and society. For companies, such incidents can turn into reputational and financial losses, up to and including business closure. Recent changes in legislation show that regulators continue to pay attention to personal data protection. For example, from 23 December 2023, amendments came into force that toughen the liability for processing personal data without written consent. Now, for a first violation, companies and their officials can be fined up to RUB 700,000 (EUR 7,000) and RUB 300,000 (EUR 3,000) respectively.

One of the tools to mitigate such risks is an effective system of internal controls and internal audits, especially since the legislation directly obliges companies to implement and maintain such a system in the field of personal data protection (art. 18.1 of Federal Law No. 152-FZ "On Personal Data").

In order to build the internal controls system and organise secure work with personal data, we recommend starting with spot-checks on compliance with legal requirements. The result of such a check is a completed checklist with comments that identifies the key risk areas for which the internal controls system will need to be set up or optimised.

Five key components of the internal controls system over personal data:

  • Personal data administration policies, which should include rules on the collection, storage, use, transfer and deletion of personal data
  • Segregation of access rights to personal data: which persons have access and at what access levels
  • Personal data security: encryption, passwords, access control, tracking of critical operations and other information protection measures
  • Training of employees in handling personal data and the rules for its protection
  • Regular internal audits of the internal controls and assessment of their effectiveness to identify weaknesses and develop remedial measures.

The administration of personal data processing requires a combination of competences in information security, IT, law, internal controls and audits.

The SCHNEIDER GROUP team, which fully possesses these competences and the necessary experience, can support both the development and implementation of an internal controls system for working with personal data and conduct regular internal audits in this area.
