Four ways businesses outside of Russia need to adapt to the new data protection ruling

Uncertainty still surrounds changes to Russia’s data protection laws – legislation that came into effect on September 1st 2015. The legislation, signed by President Vladimir Putin in July last year, adopts a new set of amendments to Federal Laws on Information Technology and Personal Data, and will require organisations to hold personal data on Russian citizens within databases located within the territory of the Russian Federation.

For organisations, this legislation could mean anything from storing a copy of Russian customer data in a Russian cloud to moving their entire infrastructure to Russia with the support of a systems integrator or cloud provider.

The implications will be widespread, particularly for Russian and multi-national companies that process and store Russian customer data outside of the country.

Roskomnadzor, Russia’s IT, telecom and media regulator, estimates that some 2.6 million organisations of differing sizes handle Russian consumer data. Any that fall foul of the new laws could face severe fines and have their websites, and therefore their revenue streams in the region, blocked.

International businesses operating online who procure and process data from customers across the world, such as travel companies and social networks, will be hit hardest.

As an alert from global law firm DLA Piper highlights, without a subsidiary or presence in Russia, these types of online businesses will be required to separate the data relating to Russian individuals and then store it in Russia. It’s also possible that many home grown organisations could also be at risk – many make use of cloud applications which are physically hosted outside the country.

For some organisations, compliance might be simple and it may appear to merely be a case of adding some extra local technology infrastructure. The reality for most, however, will likely be far more complex.

Organisations that were previously able to do business in Russia without actually needing to commit to a local technology infrastructure will need to invest in network services and systems, acquire the space to host them, and engage local experts to run it for them.

Significantly, the laws of supply and demand for data centre space are likely to kick in very quickly:  Moscow has one thousandth of the space available in London.

> See also: How concerned should international companies be about the changes to Russian data laws?

This means firms which fail to act fast could find themselves with no physical home for their infrastructure in Russia.

With the legislation now in effect, organisations that have not already taken action will now face an uphill battle to get their houses in order. Facebook has told regulators it will not be ready to comply immediately, and they will certainly not be alone.

And a Russian government poll of businesses found only half believed they were ready to implement the law.  The vast majority of organisations indicated they were unsure just what to do.

New reports suggest that companies might have a little more time than first thought: Russian regulators have told the likes of Facebook, Twitter and Google that they don’t plan to check until January 2016 whether they are in compliance. While this might provide some organisations with a chance to catch their breath, it is a very brief hiatus given the steps organisations will need to take.

Based on consultancy provided by Baker McKenzie to NTT Communications about its business activities in the region, we’ve outlined four considerations and some practical advice about how to operate in Russia.

Consider what data needs to be replicated and what systems need to be deployed to replicate it

This is a particularly complex issue. As stated by Baker McKenzie in a memorandum for NTT Com: The key requirement of this law is that organisations must store the personal data of their Russian employees and customers, including those collected from the Internet, in databases located within Russia.

The issue then arises around exposure of personal data to the internet and how this is defined by organisations – this is tough to determine and the legislation is still rather open-ended. For example, while the legislation states that data must be processed in Russia, there are no guidelines on whether the data stored outside Russia should be destroyed.

With this all in mind, the main points that organisations should consider are:

Clear communication with customers around how their data will be processed at the point of transaction. This could take the form of an acknowledgement from the customer, much like term and agreement consent forms that consumers are so familiar with.

When cross-border data transfer takes place, organisations need to be sure that the transfer of data corresponds to the goal. Only internet resources with the help of which, a person intends to make some activity directed to Russia, are defined to comply with the Law.

Know the Russian market – or find a partner who does

Owing to cultural differences experienced when doing business in Russia, a different mode of selection is required when choosing a partner. Language, in particular, will play an important role and could make a massive difference.

This is because the majority of Russian systems integrators and internet service providers work for Russian companies who do not communicate in a high level of English. Organisations therefore need an international partner – one that works with both Russian and international companies – to act as mediator for when they encounter any local obstacles.

Given how much speculation there still is about the legislation and how it is interpreted, local representatives that are able to engage with Roskomnadzor and local lawyers in Russian will be highly beneficial.

Set up comprehensive telecommunications links

Many of our customers have a genuinely 24/7/365 operation and depend on moving around very large amounts of data.  Many of them who are looking to mitigate the risks from this new legislation have told us they are conducting exhaustive due diligence into telecommunications links into and out of the country.

Russia is a long way away from many other major markets, and ensuring quality of service at great distance could require heavy investment. Depending on the quality of service required for certain types of network traffic, organisations will need to determine just how critical it is for them to invest in an expensive network channel, or whether a cheaper channel that integrates load-balancers or WAN optimization is a more realistic option.

Plan ahead for any hardware requirements

Depending on the size of infrastructure, operation timings, and SLA levels, there are a number of ways in which affected organisations can scale their IT infrastructure in Russia without building an entirely new data centre.

The first is to rent some colocation space and equip it with their hardware. This would require the organisation to physically manage the site, perhaps supported by remote hands who would tackle basic trouble shooting, scheduled maintenance and installation.

Secondly, organisations could rent both – space and hardware. This approach allows greater flexibility, especially when an organisation’s data storage needs could change or the business grows.

Given the uncertainty around the legislation as it stands, this option would stem costs and prevent the upheaval of adding in-house hardware or more IT staff if things changed. Organisations could simply request more space.

Finally, organisations could rent cloud capacity – web services that provide expandable computing capabilities.

All three options result in different timelines, depending on the type and quantity of equipment needed. Whatever path is chosen by organisations, they will need the help of experts who have a breadth of experience in dealing with global international customers.

As with any significant legislative development, the changes it mandates only become real once it is put to the test in the courts, a process which could take years, or the market starts to change its behaviour on its own.

Nonetheless, some believe a ‘wait and see’ approach would be ill-advised, especially given the shortage in data centre space and technical skills. Firms eying growth opportunities in the world’s 10th largest economy should act sooner rather than later.

Sourced from Vera Kiseleva, Channel Sales Manager, NTT Communications in Russia

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Data Protection
Russia