The document details the processing of personal data in Russia, highlighting the importance of identifying data types at risk due to recent legislation. It outlines necessary actions for companies, including analyzing IT infrastructure and ensuring compliance with data localization requirements. It also suggests practical steps for managing personal data, such as deleting or substituting data and understanding backup policies.

1. Processing Personal Data in Russia:
IT Technical Details

2. Do you know where your data go?

3. What is a server and database?

4. Company

5. Company Somewhere

6. What is “Russian” server and database?

7. Russia Finland

8. Russia Finland

9. Russia Finland

10. Russia Finland

11. IP Address 1
IP Address 2

12. Lab here

13. Suggested Immediate Actions
Identify the list of the data that is used in your company and is
(or can be) a subject of Personal Data Processing processes,
related to recent legislation
Analyze existing IT landscape and
infrastructure to locate processing sites
outside Russia that might
summon risks
Based on the results of analysis,
develop strategy and action plan,
define budgets for changes if
needed

14. What is under risk?
• HR and Payroll data
• IT security data (Active Directory; access
software; registration of employees)
• Accounting data
• Clients'/suppliers agreements and contacts
• CRM data
• …
• Any business data is under risk

15. When analyzing IT infrastructure:
• Define where personal data is collected, processed and
stored in your company, who is responsible for that
• Identify how the flow of data is organized in your company;
you might not even be aware how it migrates; use DLP
software for analysis
• Distinguish between internal IT server capacity and third-party
server capacity – some part of your data can be hosted
in third-party data centers
• Ensure that you understand how your backup and restore
policy is organized and where the backups are stored
• What software do you use to collect, process and store
personal data

16. What can you do next?
• Define that some data in reality does not relate to Personal Data
Processing process
• Delete personal data from the system
• Substitute the data with just IDs and process them separately,
storing the data itself inside Russian Federation
• Transfer the database without re-hosting of the application
• Transfer the whole system
• Change the system
• Terminate the process

17. Potential transfer to Russia:
• Authentication and authorization catalogues
• Catalogues synchronization systems
• Controlling systems of common access
• Portal solutions
• Mail systems
• Instant messaging

18. “Hacking” tools
• Remote Desktops
• VPN channels
• Proxy Servers
• Mirror servers
• …

19. Thank you!
info@awaraitsolutions.ru
www.awaraitsolutions.ru