Data Protection – Russia’s solution to a global problem
As communications professionals, we’re taking a keen interest in the EU General Data Protection Regulation, which looks set to be put in place by the end of the year. After all, it has significant implications for how we process and store our customers’ personal data.
However, in the interim Russia has adopted its own new Data Localisation Law that went live on 1 September. If you work for an international business with a physical presence in Russia, or have websites “directed at” Russian users, then you need to take heed of it.
Here’s a brief summary of what you need to know.
The legislation at a glance
The rules state that when you collect data about Russian citizens you must store it on a database in Russia. This doesn’t have to be the exclusive location for processing it. It is sufficient that the Russian database is your primary or “entry-level” database.
You can export the data outside Russia, subject to compliance with the usual data protection export rules, which will require individual consents and transfer agreements.
How is it enforced?
The Russian data protection authority Roskomnadzor can impose penalties for non-compliance, though the fines are relatively low.
However, more significantly, it can punish those failing to comply by blocking the websites used to collect or process Russian citizens’ data.
It therefore has the potential to cause significant disruption to any business that relies on a strong online presence.
How should you respond?
- Act now to ensure you are not caught out. Big international companies such as eBay, PayPal, Lenovo, Samsung, Booking.com and Uber have already moved their Russian users’ databases to Russian locations.
- Consult your IT team to ensure your database architecture can be changed to fit within the new regulation.
- Map the way in which you collect and store data about Russian citizens as well as the location of relevant databases. That way you’ll be prepared if you are ever called on to demonstrate compliance.
National or even Europe-wide regulation will always struggle to keep up with the pace of technological change. It could also be argued that it is impossible to apply a regional solution to global data protection issues.
However, it’s important to take the new regulations seriously as attitudes to data protection are hardening and there could be serious consequences for failing to comply.
Written by Mayya H.