Why data is a continuity matter
Lost or leaked data can halt business processes (there is nothing left to work with) and carry legal consequences, so data protection belongs to both cybersecurity and business continuity. The acceptable amount of data loss, the recovery point objective (RPO), is set in the business impact analysis (BIA) and met through backups under the disaster recovery plan (DRP).
What 152-FZ requires
Russia's Federal Law 152-FZ "On Personal Data" obliges operators to protect personal data, restrict access to it, respond to incidents and, in some cases, notify the regulator. Violations and leaks carry liability, and legislation is moving toward tougher rules and turnover-based fines (tied to revenue). This moves the risk from a purely "technical" problem to one of money and owner liability.
Basic risk-reduction measures
- Minimisation: store only the data you need and restrict access.
- Backups, including isolated copies.
- An incident and breach response plan (see "cyberattack response").
- Staff training and basic cyber hygiene.
FAQ
What are the fines for a personal data leak?
Liability under 152-FZ is tightening, and turnover-based fines (tied to revenue) are being discussed and introduced. Specific amounts depend on the current edition of the law — check the law in force or with a lawyer.
How are data protection and business continuity linked?
Data loss stops processes and carries legal risk. Continuity sets the acceptable data loss (RPO) and ensures recovery from backups.