3 tips on how to avoid monetary penalties for data localization in Russia
Recently, crucial changes to the Russian legislation on personal data commenced: the new version of the Federal Law of the Russian Federation ‘On Personal Data’ introduced a duty on all companies working with the personal data of Russian citizens to locate any databases containing their personal data in Russia.
According to Article 18 (5) of the Personal Data Law, a personal data operator is obliged to ensure recording, systematization, accumulation, storage, clarification (updating, modification), and extraction of the personal data of Russian citizens using databases located on the territory of the Russian Federation. This also covers cookies and spam, data processing by third parties, and the international transfer of data.
So, if an international company or its Russian office does not comply with the localization requirements for handling Russian personal data, the fines it faces may come as an unpleasant surprise:
| First-time offense | Repeated offense |
|---|---|
| RUB 1 000 000 – 6 000 000 (approx. USD 16 000 – 94 000) | RUB 6 000 000 – 18 000 000 (approx. USD 94 000 – 282 000) |
| RUB 100 000 – 200 000 (approx. USD 1 600 – 3 200) | RUB 500 000 – 800 000 (approx. USD 8 000 – 12 500) |
The new requirements have already affected several international companies: Aliexpress, PayPal, Uber, and Booking. LinkedIn was officially blocked in Russia for violating them.
So why not learn from that negative experience? We have put together three crucial tips on how to comply:
1. Ensure architecture compliance
Make sure the solution you use does not need any additional alterations to fit the requirements. Allocate your data properly between Russia and the other countries you operate in, and minimize the part kept in Russia. Analyze your applications carefully: if you run a web-based application, make sure every component that touches Russian users' personal data complies, including feedback forms, surveys, user profile pages, etc.
2. Choose the right hosting
You may use a private cloud, a public cloud, or take advantage of both by switching to a multi-cloud environment. A fault-tolerant multi-cloud solution is far more effective for handling personal data and comes with the necessary set of information protection tools. This minimizes maintenance costs while ensuring data protection and cost optimization.
3. Find a trusted partner
Make sure the partner company on the Russian side complies with all legal and technical requirements for personal data operations. On the legal side, it should hold all required licenses issued by Russian state authorities and must comply with all demands of Federal Law #152. If the partner operates as a data center provider, it should hold licenses from FSTEK, FSB, and Roskomnadzor. On the technical side, your partner must comply with the data processing demands of the Russian Federation.
It is worth mentioning that your partner may also hold international certifications, such as ISO and ISAE certificates, have mastered ITIL processes, and comply with corporate, industry, and national requirements.
If you are looking at modern multi-cloud solutions for your data or application hosting, your partner should have experience in building such multi-cloud environments so that you get the full benefits of private and public clouds. Not all applications are cloud-native or support microservices or serverless architecture, so developing a proper multi-cloud architecture is crucial for application continuity, performance, and cost-efficiency. As a must, your partner should provide you with 24/7 support services and architectural supervision during service implementation.
One common example of a possible personal data management issue is a web application: a website presenting a company's product. It is a very simple page, without customer profile functionality or e-shop capabilities, and the company is 100% sure that it has nothing to do with personal data. However, the page is built on one of the common content management platforms and has a default feature that asks users for feedback on the page content. The pop-up appears 20 seconds after a user starts reading, and it requests the user's email and name, which is personal data and must be managed accordingly.
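The architecture check from tip 1 and the feedback pop-up case above, as an added example that is not part of the original article and not TietoEVRY's code: a small residency-aware routing layer that only lets Russian users' personal data land in a Russian-located store (failing closed if none is configured), plus an inventory pass that flags site components collecting personal data into a store outside Russia. The class and function names, the list of personal-data field names, and the sample components and stores are constructed assumptions for illustration.

```python
"""Residency-aware routing of personal data (added example, not from the
article or TietoEVRY). Models two points from the article: Russian users'
personal data must be recorded in a database located in Russia, and
'harmless' components such as a feedback pop-up are in scope as soon as
they collect a name or e-mail. All names and sample data are assumptions."""

from dataclasses import dataclass, field

# Field names treated as personal data here. Constructed list; a real
# inventory comes from the legal/DPO review of the application.
PERSONAL_DATA_FIELDS = {"email", "name", "full_name", "phone", "address"}


@dataclass
class DataStore:
    """A database the application can write to, tagged with its physical location."""
    name: str
    country: str  # ISO 3166-1 alpha-2 code of the hosting location
    rows: list = field(default_factory=list)


class ResidencyViolation(Exception):
    """Raised when a write would place Russian users' personal data outside Russia."""


def route_write(record: dict, subject_country: str, stores: dict) -> DataStore:
    """Pick the store for `record` from the data subject's country.

    Personal data of Russian subjects may only be written to a store located
    in Russia (the Article 18(5) duty summarized in the article); other
    records go to the default store. The routing fails closed: with no
    Russian store configured, the write is refused, never sent abroad."""
    contains_pd = bool(PERSONAL_DATA_FIELDS & set(record))
    if subject_country == "RU" and contains_pd:
        target = stores.get("RU")
        if target is None or target.country != "RU":
            raise ResidencyViolation(
                "no Russian-located store configured for Russian personal data")
    else:
        target = stores["default"]
    target.rows.append(record)
    return target


@dataclass
class WebComponent:
    """One user-facing piece of the site: a form, survey, profile page, widget."""
    name: str
    fields: tuple
    store: str  # key into the stores mapping that this component writes to


def audit_components(components, stores):
    """Return (component name, offending fields) for every component that
    collects personal data but writes to a store outside Russia. This is the
    'analyze your applications carefully' step from tip 1."""
    findings = []
    for comp in components:
        pd_fields = sorted(PERSONAL_DATA_FIELDS & set(comp.fields))
        store = stores.get(comp.store)
        if pd_fields and (store is None or store.country != "RU"):
            findings.append((comp.name, pd_fields))
    return findings


def demo():
    """Run the audit on constructed sample components, then show the routing."""
    stores = {
        "RU": DataStore("pg-msk-01", "RU"),       # constructed store names
        "default": DataStore("pg-eu-west", "DE"),
    }
    components = [
        WebComponent("product page", ("page_id",), "default"),
        # The article's case: a default CMS pop-up that collects e-mail and name
        WebComponent("feedback pop-up", ("email", "name", "comment"), "default"),
        WebComponent("user profile", ("full_name", "phone"), "RU"),
    ]
    findings = audit_components(components, stores)

    # Once the pop-up writes through route_write, Russian submissions stay in Russia
    ru = route_write({"email": "a@example.ru", "name": "A."}, "RU", stores)
    de = route_write({"email": "b@example.de", "name": "B."}, "DE", stores)

    # Misconfiguration (no RU store at all) is refused rather than sent abroad
    try:
        route_write({"email": "c@example.ru"}, "RU",
                    {"default": DataStore("pg-us-east", "US")})
        refused = False
    except ResidencyViolation:
        refused = True
    return findings, ru.name, de.name, refused


if __name__ == "__main__":
    print(demo())
```

The audit deliberately keys on the store's declared location rather than on its name, so a store that is renamed or migrated without updating `country` still shows up as a finding; in a real deployment that location tag would come from the hosting inventory, not from application code.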
Another case is the personal data of employees in large international companies. Here the personal data of Russian employees is combined with that of all other employees, and it is very hard to separate it to meet the localization demands, or to replicate all global databases in Russia. In this case, the company should work very closely with its IT partner and develop a proper architecture solution for managing the personal data of Russian employees.
So international companies doing business in Russia should carefully check their compliance with the localization requirement. It seems reasonable to conduct an IT systems audit. The good news is that many companies have successfully developed and implemented their localization solutions since 2015, and their experience should not be disregarded.
Alexander Kolesov, head of Cloud & Infra, TietoEVRY Russia