Lesson 1. Personal Data: What You Need to Know
Goal: understand basic requirements for working with personal data so you don't break the law or lose customer trust.
What Is Personal Data
Personal data (PD) is any information that allows a person to be identified:
- Obvious: name, email, phone, passport details, address
- Indirect: IP address, geolocation, cookies, purchase history, medical data
If your agent works with such data — you must protect it.
Personal Data Laws
In Russia:
- Federal Law 152 "On Personal Data" (2006, amended)
- Requires: consent for processing, data protection, notification to Roskomnadzor (for large databases)
In Europe:
- GDPR (General Data Protection Regulation) (2018)
- Requires: explicit consent, right to erasure, right to data portability, fines up to €20 million or 4% of revenue
Worldwide:
- Similar laws in the US (CCPA), Canada, Australia, and other countries
What this means for you:
If your agent serves customers in Russia or Europe — you need to comply with these requirements (at least at a basic level).
Basic Principles for Working with Personal Data
1. Data Minimization
Collect only the data you actually need for the agent to work.
Bad:
"Fill out the form: name, date of birth, address, passport details, tax ID..." (when the agent just answers product questions).
Good:
"What's your name and what email should we send the response to?" (minimum for contact).
2. Consent
Obtain explicit user consent for data processing.
Example:
☑️ "I consent to the processing of my personal data (name, email) to receive a response from the bot. Privacy Policy"
3. Secure Storage
Store data in secure systems:
- use HTTPS for data transmission
- store data in trusted services (Google Sheets with restricted access, Airtable, CRM with encryption)
- don't store data in open spreadsheets or files
4. Right to Erasure
Users can request deletion of their data. You must be able to do this.
Example:
User writes: "Delete my data from your database." You remove their record from Google Sheets / CRM.
5. Breach Notification
If a data breach occurs — you must notify users and the regulator (in Russia — within 24 hours).
Common Personal Data Mistakes
| Mistake | Why It's a Problem | How to Fix |
|---|---|---|
| Storing passwords in plain text | Easy to steal, legal violation | Never store passwords; use OAuth |
| Customer table shared via public link | Anyone can download the database | Restrict access (only you + service account) |
| Transmitting data over HTTP (not HTTPS) | Data sent in the clear | Use HTTPS only |
| No privacy policy | GDPR violation, users don't know what you do with their data | Add a link to your privacy policy |
| No way to delete data | GDPR violation (right to be forgotten) | Add a form or email for deletion requests |
"Personal Data Security" Checklist
- I collect only necessary data (minimization)
- I obtain consent for processing (checkbox, explicit confirmation)
- I store data in a secure place (HTTPS, restricted access)
- I have a privacy policy (available via link)
- I can delete data upon request
- I don't share data with third parties without consent
- I don't store passwords or payment data (I use OAuth, Stripe)
Practical Example: Lead Qualification Bot
Data we collect:
Name, email, phone, company name, task (text).
What we do:
- Minimization: we don't ask for address, tax ID, passport details (not needed for qualification)
- Consent: we add a checkbox "I consent to data processing"
- Storage: data is saved to Google Sheets with access only for the owner + service account
- Policy: we add a "Privacy Policy" link (page on the website)
- Deletion: in the policy we specify an email for deletion requests (e.g., privacy@example.com)
Result: the agent operates legally and securely.
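The minimization, consent and deletion steps above, written as Python. This is an added example, not part of the original lesson; `accept_lead`, `erase_lead`, the form field keys and the in-memory list standing in for the Google Sheets / CRM table are assumptions.

```python
import re
from datetime import datetime, timezone

# Fields the lesson's lead-qualification bot collects; everything else is dropped.
ALLOWED_FIELDS = ("name", "email", "phone", "company", "task")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ConsentError(ValueError):
    """Raised when a submission arrives without explicit consent."""


def accept_lead(store, form):
    """Validate one form submission and append a minimized record to store."""
    # Only a ticked checkbox (boolean True) counts; a missing key or False is refused.
    if form.get("consent") is not True:
        raise ConsentError("explicit consent is required before storing anything")
    email = str(form.get("email", "")).strip().lower()
    if not EMAIL_RE.match(email):
        raise ValueError("a valid contact email is required")
    # Minimization: copy allowlisted fields only, so extra inputs are never stored.
    record = {k: str(form[k]).strip() for k in ALLOWED_FIELDS if form.get(k)}
    record["email"] = email  # normalized so a later deletion request can match it
    record["consent_at"] = datetime.now(timezone.utc).isoformat()
    store.append(record)
    return record


def erase_lead(store, email):
    """Handle a deletion request: remove every record for this email, return the count."""
    key = email.strip().lower()
    before = len(store)
    store[:] = [r for r in store if r["email"] != key]
    return before - len(store)


if __name__ == "__main__":
    rows = []  # stands in for the restricted-access sheet (assumption)
    # Constructed sample submission; "passport" is an extra field the bot must not keep.
    form = {"name": "Ana", "email": " Ana@Example.com ", "phone": "+1 555 0100",
            "company": "Acme", "task": "Need a quote", "passport": "X123",
            "consent": True}
    print(accept_lead(rows, form))
    print("erased:", erase_lead(rows, "ana@example.com"), "remaining:", len(rows))
```
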