Are you ready for Russia's new data protection law?

Russia is one of the world’s economic powerhouses, home to many multinational corporations (MNCs) and set to enact a new, very specific data management law this year. From September 1st 2015, law #242 will come into force, affecting existing laws #149, #152 and #294 respectively, all of which focus on data, information and its protection and confidentiality in telecommunications networks.

The new law stipulates that all processing of personal data must be done with the use of databases residing on servers and in data centers located in Russia and not outside of the country. So how does technology now help organizations achieve compliance with the new law? The cloud service from Orange called Flexible Computing Advanced (FCA) can be the answer. Join our webinar in August and September to find out more.

Changing times for data protection laws

Russia’s plan to implement a dedicated, local data protection law is not the first time it has been attempted. In 2014 Brazil tailored new regulation within its “Marco Civil da Internet”, designed to require global internet companies to store data on servers inside Brazil, only to drop the rule at the eleventh hour. The reason for this was pressure from internet companies complaining the rule would increase costs and create barriers in one of the world’s biggest online markets.

The European Union (EU) also enacted strong data protection regulation, requiring that, where data pertaining to EU businesses or citizens is stored outside the EU, data protection regulation at the other end of that transfer must be at least as rigorous as the EU’s own.

Organizations under pressure

Russia has, however, moved fast on the issue. Law #242 was originally scheduled for implementation in September 2016, but the Russian government brought the deadline forward a year – placing increased pressure on organizations to be ready in time. This means both Russian businesses and multinational corporations (MNCs) that either have a presence in or online business that takes place in Russia must comply – meaning a ‘local’ data center capability. So any foreign social media, e-commerce or any other type of website that receives or carries information about Russian citizens must have a storage location inside Russia.

The penalties for non-compliance can be severe; punishments currently include hefty fines for both individuals and companies, while businesses can also risk having their operations suspended and websites blocked.

Ensuring interpretation is correct

That said, there are still some unclear areas to Russia’s new legislation. Both Russian and international companies asking for more clarity on the law’s guidelines and definitions; what is meant by ‘personal data’ and ‘database’ within the terms of the regulation, for example.

Further clarification has been requested on interpretation, as elements of the law can be construed in differing ways. For example, the conservative and literal reading of the regulation implies that storing a single copy of a personal data database on a server outside of Russia is completely prohibited, but informally, authorities are supporting a more liberal view that storing a back-up copy of that same database overseas is permitted so long as the primary database is located within Russia.

Andrei  Zorin, Senior Legal Counsel for Russia & CIS at Orange Business commented, “Organizations are asking the government for assistance on the issue to help ensure compliance, and government is being as cooperative as it can, assisting with guidelines and will continue doing so from September 1st. It is in everybody’s interests that they can meet the new regulatory requirements as quickly as possible”.

How can organizations address the issue?

With so much concern around the safety and security of sensitive data married to the need for regulatory compliance, organizations need the right storage solutions in place. Many companies have turned to private cloud technologies to help them address international data storage and security and compliance issues. Using a private cloud setup for backend data processing can deliver the necessary ‘local’ presence that regulation like Russia’s demands while allowing data to be controlled and managed appropriately.

“It’s about having the right systems and technologies in place but also about working with the right people. Organizations need a partner with the proper public sector experience, international network and the expertise in managing this kind of cross-border legality,” said Richard van Wageningen, CEO Orange Business Russia.

“Private cloud and also shared cloud solutions can deliver the necessary functionality – at Orange we are set up to provide shared or private, on-site or off-site, semi or fully-automated, tailored Cloud solutions and our data centers based in Russia ensure compliance.  So our customers can rely on us to support them immediately from September 1st,” he concluded

About Orange Business Russia

  • Only international telecoms and service integration provider with own infrastructure and countrywide license
  • Operations in Russia since 1958 with partner SITA
  • Provides 5,000+ customers with full suite of voice and data services
  • Over 1000 employees in 36 cities
  • More than 1,300 POPs
  • Data center and local cloud platform in Moscow
  • Anti-corruption certification for compliance policy
  • CIS offices in Ukraine, Kazakhstan and Belarus

To find out more about Orange Cloud solution provision in Russia and globally, click here. To register for our forthcoming webinar on Russia’s new data protection law please click here.