- Alexander Ermakov
- July 30, 2015
According to the amendments to the federal law on personal data, which will enter into force on September 01, 2015, personal data operators will be required to keep personal data of Russian citizens in Russia. These amendments have given rise to many practical issues directly affecting IT companies, as well as their clients using cloud technology for data storage.
Below we answer the most common questions on this topic.
What data are personal data?
Personal data refer to any information which allows identifying a person, including:
- Email address if it includes surname and company name;
- Bank card number and CVC in certain cases; and
- In some cases, mobile phone number (classified as “sensitive” personal data).
firstname.lastname@example.org = personal data (a surname combined with an organization's domain identifies a specific person)
email@example.com = not personal data (no name, so no individual can be identified from the address alone)
It should be noted that even if data do not allow definite identification, such data could still be classified as personal data under certain circumstances.
Roskomnadzor (the regulatory agency) is currently working on a definition of personal data by developing criteria for what constitutes personal data.
Which companies will be subject to the new requirements of the law?
- Russian companies registered in Russia;
- Foreign companies with representative offices and branches in Russia; and
- Other foreign companies whose activities are related to Russia and/or involve personal data of Russian nationals.
Example: a Russian national employed by a Russian representative office can view and post information about him/herself in a global company's internal career-opportunities system, and the server storing this personal data is located abroad. In this case the company is in breach of Russia's personal data localization requirements.
Can “depersonalizing” personal data be used as a tool to meet the requirements for personal data localization in Russia?
If a company encrypts personal data before transfer, so that only encrypted (depersonalized) data leave Russia and the receiving server has no way to decrypt them, then the localization requirement does not apply to this company, because no personal data are transferred across the border. In practice this means the encryption keys must be generated and held only in Russia and never be sent to, or recoverable by, the foreign system: if the receiving side can decrypt the data, they are personal data again and the localization requirement applies.
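As an added illustration (not code from the article or from Awara), the following Go program shows the encrypt-before-export pattern described above: a record is sealed with AES-256-GCM under a key that stays with the Russian side, only nonce and ciphertext are serialized for export, and a receiving server holding any other key cannot recover the record or even tell whether a tampered copy is authentic. The record contents, the `ru-personal-data-export-v1` label and the assumption that the key lives in a Russian HSM or KMS are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Record is a constructed sample of the kind of personal data the article
// discusses (surname, work e-mail, mobile number). It is not real data.
type Record struct {
	Surname string `json:"surname"`
	Email   string `json:"email"`
	Phone   string `json:"phone"`
}

// SampleRecord returns the constructed sample record used below.
func SampleRecord() Record {
	return Record{Surname: "Ivanov", Email: "ivanov@example.org", Phone: "+7 900 000 00 00"}
}

// ExportEnvelope is the only thing that leaves Russia: nonce and ciphertext.
// The key is deliberately not a field, so it cannot be serialized with the data.
type ExportEnvelope struct {
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// aad is a constructed context label bound to every ciphertext, so a sealed
// record cannot be reused under a different label without failing authentication.
var aad = []byte("ru-personal-data-export-v1")

// NewLocalKey generates a 256-bit AES key. In a real deployment this key would be
// generated and held in an HSM or KMS located in Russia (an assumption of this
// example) and would never be transmitted to the foreign server.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM under the local key and returns the
// envelope that may be sent abroad. A fresh random nonce is used per record.
func Seal(key []byte, rec Record) (ExportEnvelope, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return ExportEnvelope{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return ExportEnvelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return ExportEnvelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ExportEnvelope{}, err
	}
	return ExportEnvelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, aad)}, nil
}

// Open is what the receiving server would have to run to recover the record.
// Without the exact local key, GCM tag verification fails and nothing is returned.
func Open(key []byte, env ExportEnvelope) (Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return Record{}, err
	}
	var rec Record
	if err := json.Unmarshal(plain, &rec); err != nil {
		return Record{}, err
	}
	return rec, nil
}

func main() {
	localKey, err := NewLocalKey()
	if err != nil {
		panic(err)
	}
	env, err := Seal(localKey, SampleRecord())
	if err != nil {
		panic(err)
	}
	exported, _ := json.Marshal(env)
	fmt.Printf("exported envelope (no plaintext, no key): %s\n", exported)
	// The foreign server holds only the envelope and its own, different key.
	foreignKey, _ := NewLocalKey()
	_, err = Open(foreignKey, env)
	fmt.Println("foreign server decrypt attempt:", err)
	// Only the key holder in Russia can recover the record.
	rec, err := Open(localKey, env)
	fmt.Printf("local decrypt: %+v (err=%v)\n", rec, err)
}
```

The point for a localization review is the envelope, not the cipher: whatever is logged, replicated or backed up abroad must have the shape of `ExportEnvelope`, and any code path that would let the key travel with it (key in the same JSON document, key derived from data the foreign side also holds, key replicated by the same backup job) silently turns the export back into a cross-border transfer of personal data.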
What actions need to be taken to comply with the new requirements of the law?
- Conduct an IT audit in order to:
  - Determine where personal data are collected, processed and stored in your company, and who is responsible for the processing;
  - Use DLP software to map how data flow through your company, so that you know where they migrate;
  - Distinguish between internal server capacity and third-party capacity, since some data may be hosted in third-party data centers;
  - Ensure that you understand how your backup and restore policy works and where backups are stored;
  - Determine what software is used to collect, process and store personal data.
- Identify the data used in your company which are (or can be) subject to personal data processing (especially HR and payroll data, IT security data, accounting data, CRM data and clients' agreements);
- Analyze the existing IT landscape and infrastructure to locate processing sites outside Russia;
- Assess the risks;
- Based on the analysis results, develop a strategy and action plan, and set budgets for changes if necessary.
The following steps should also be taken to initiate personal data protection.
To localize the personal data of Russian citizens in Russia, it will be necessary to:
- Conduct a legal audit of processed data to determine whether it is personal data or non-personal data or whether these personal data fall under the types of data that need to be localized in Russia;
- Amend internal documents in connection with the changed procedure for processing and storing personal data of Russian nationals (employees and third parties):
  - The personal data policy or other internal document regulating how personal data are processed;
  - The text of consent to personal data processing;
  - Other documents specifying how personal data are processed.
- Submit the amended internal documents regulating personal data processing to employees for review and signature, and obtain employees' consent on the new form.
- Indicate in the notice to the regulatory agency of personal data processing the location of the databases containing the personal data of Russian nationals.
Liability for failure to comply with the law
An administrative fine of RUB 5,000 to RUB 10,000 will be imposed on legal entities and corporate officers (for example, the Data Privacy Officer or General Director) if they fail to comply with the new requirements of the law. Please note that if a General Director or Data Privacy Officer who is a foreign national is brought to administrative liability repeatedly (two or more times) under Russian law for any administrative offense in Russia within three years from the date the last administrative liability decision entered into force, that foreign national will be prohibited from entering Russia.
The State Duma has already passed the first reading of a bill increasing this fine up to RUB 50,000 for failing to comply with personal data processing requirements. Moreover, according to this very same bill, a fine of up to RUB 300,000 could be imposed for unlawful personal data processing.
The law also allows Roskomnadzor to restrict access to information processed via the internet in breach of Russian personal data law, although such access restrictions take time and several stages to put in place. However, since the law does not exempt any category of personal data operators or any category of resources from such blocking, it is legally possible to apply this procedure to a global company's internal system (intranet) used to store and process employee personal data.
Partner, Awara Group
Partner, Awara IT Solutions
– Originally published at www.software-russia.com