Negotiate the legal minefield in Russia and beyond with Linxdatacenter
Companies doing international business have always had to pay attention to variations in local preferences, laws and customs. In recent years, the need to recognize such differences has hit home in terms of data protection and the way organizations secure personal and personalized data (PD).
If the new medium of exchange is the internet, then safeguarding data according to the letter of the law is the same as protecting money.
Across the globe, a range of approaches to governance and limitations dictate local trading conditions. The penalties for violating them vary. In some cases, the very act of entering an overseas market is prohibited or restricted. The current issues of Huawei’s trade in the US are a case in point, as are the experiences of Amazon, Google and Apple in China.
Along the same lines, companies everywhere that wish to trade with people or businesses based in the European Union are subject to its General Data Protection Regulation (GDPR). Failure to comply with this regulation can cost three or four percent of annual turnover, potentially amounting to millions of dollars.
In Russia, companies must comply with several pieces of local legislation, presenting even more complications for outsiders to negotiate. Companies that wish to trade in Russia or with Russian individuals need to:
- Understand Federal Law no. 152-FZ “On personal data”, which sets the principles and general rules to be applied during personal data processing,
- Follow “The requirements for the protection of personal data when they are processed in personal data information systems”, which were approved by the Decree of the Government of the Russian Federation of 01.11.2012 N 1119,
- Take on board, specifically, the 21st Order of the Federal Service for Technical and Export Control (FSTEC), which sets the precise list of technical measures a company must comply with in order to neutralize threats to the personal data being processed,
- Comply with the Roskomnadzor processes for inspecting the management of personal information by data operators.
Those are complex requirements. Is it worth the trouble for a Western company to do business in Russia?
In spite of the difficulties involved, working with Russian companies can be very advantageous. Beyond achieving meaningful trade ties with that country, trading through Russia opens up many more markets and opportunities. These potentially include China and other parts of Asia-Pacific, areas in South America, and significant populations from former member countries of the Soviet Union.
If a company wants to do business in Russia, where can it find help?
Here at TechHQ, we’ve spoken at length with Linxdatacenter, a Russian company that provides high-quality interconnectivity between the West, the Russian heartland, and its trading partners. The company is in a prime position to advise its many clients (and us, too) on the differences between the more familiar GDPR and the regulations dictating trade with Russia. (We use GDPR as a benchmark because it’s a well-known piece of legislation already embedded in the working methods of international companies.)
Linxdatacenter offers help in the form of Secure Cloud 152-FZ, virtual infrastructure that’s compliant with Russian federal law on personal data. Linxdatacenter also offers a range of private access options to cloud providers, including Alibaba Cloud (via Express Connect), Google, Azure and AWS.
These unique offers mean Linxdatacenter can provide consultation and fully compliant frameworks for businesses to operate in Russia, and for Russian companies to operate outside the country.
Protection by design and default: Russian legislation defines four Levels of data protection, from the least at Level 4 to the most at Level 1.
For example, the law requires encryption of Level 3 data at the storage point and in transit. It must also be protected physically by access controls and virtually by firewalls and/or other methods.
Oversight and proof: Russian governance here is similar to GDPR. Both Russia and the EU dictate that steps taken to protect information must be documented, but no physical tests need to be performed to validate companies’ claims. The laws assume that companies comply with the documentation they provide to the EU Data Protection Office or the Russian communications authority, Roskomnadzor.
Fines and attitudes: The fines imposed on companies that break those Russian laws are small: Facebook and Twitter have each been fined RUR3,000, or about US$45. Indeed, some Russian companies pay their fines and continue trading rather than comply. Although that’s clearly cheaper, those companies may find themselves facing much higher penalties, including blockage of their access to the resources they need to manufacture their products.
It’s worth noting that Linxdatacenter, aware of its position as arbiter and gateway to Russia, complies fully with all local regulations under Federal Law no. 152-FZ.
Local data: As a rule of thumb, any PD on a Russian citizen living anywhere in the world must physically reside on Russian soil. This contrasts with GDPR, which states that data on a European can reside anywhere, as long as the holder complies fully with EU legislation.
To some extent, companies that already comply with GDPR have an advantage. Russian companies may have to ramp up their processes to ensure a fully legal digital trading stance.
Any company anywhere in the world can use Linxdatacenter Secure Cloud 152-FZ and its private and public clouds based on Hyperflex and Flexpod platforms, located both inside and outside Russia.
Wherever you trade, to learn more about compliance with local governance in Russia, contact a Linxdatacenter representative who speaks your language.
23 March 2020