Complying with Russia's New Privacy Law

November 05, 2019

Contributor: Laurence Goasduff

The majority of CIOs say the law will likely increase IT infrastructure costs.

As of September 1, organizations operating in Russia must comply with amendments to the privacy law to store personal data on local citizens in Russia. This legislation, which some have speculated could be a precursor to clamping down on foreign social networks, significantly affects a range of companies, and executives must be aware of its legal and financial implications.

CIOs Are Concerned but Confident

In the third quarter of 2015, Gartner conducted a survey of large foreign companies operating in Russia, which found that 42 percent of CIOs were unsure whether or not they could comply with the amendment on time. Some were also unclear on its provisions.

However, Russia's federal executive body, Roskomnadzor, which is responsible for the field of communications, IT and mass media, provided guidance to businesses face-to-face and online. Roskomnadzor officials also stated that companies must have a master database of local citizens' records stored in the country, but they are permitted to replicate this to data centers abroad.

“The survey found that almost a third of CIOs said the new law would negatively impact their business, due to higher costs for IT infrastructure, as well as a feared increase in audits and associated penalties for noncompliance,” said Petr Gorodetskiy, senior research analyst at Gartner. “However, the majority of CIOs expected no changes to their business in Russia. The consensus was that major business processes would at least remain unaffected.”

CIOs' expectations and impact of the law on their business

Overall, CIOs were confident that they knew how to tackle the issue of compliance. The most common options planned by CIOs of foreign companies were:

  • Relocating infrastructure into their own data center in Russia, or expanding existing facilities (31 percent)
  • Providing additional analysis and consulting (29 percent)
  • Relocating servers into a local commercial data center (16 percent)

Others said they either were pursuing integration projects, already had sufficient local infrastructure, or weren't doing anything at all.

CIO Cooperation with TSPs

“Instead of investing significantly into creating competences of products and services around the law, CIOs should consider partnering with technology and service providers (TSPs) and experts in privacy issues,” Mr. Gorodetskiy said.

Just over half of CIOs said they would disclose plans to work with third-party TSPs, while a third planned to involve them as consultants. Sixty percent said they would like to receive information about TSPs' data protection expertise. Some CIOs claimed that potential contractors offering such services do not sufficiently understand the specifics of the legislation.

Latest Developments

While we are currently in a period of uncertainty following the law's implementation, Roskomnadzor doesn’t plan to carry out all the audits until the end of 2015, which gives some companies time to undertake the necessary measures.

“The law is still unclear for the large international vendors and TSPs,” Mr. Gorodetskiy said. “If international vendors such as Facebook, Salesforce, Google, Amazon and others decide not to comply, their refusals may result in a significant change in the local ICT marketplace. It may also negatively impact local and international companies operating in Russia, which may have to plan for additional projects and resources to introduce the ‘outlaw’ solutions, or may consider leaving the Russian market.” 
