Gartner: Prepare for the Russian Personal Data Law

Russia is set to implement a new personal data law (242-FZ Law) effective 1 September. Among other provisions, the new law requires that the personal data of Russian citizens be stored in Russia.

Research firm Gartner said the new law will have a major effect on Internet organizations, as well as online stores, online resources used for booking airline tickets and hotels, insurance companies and other organizations, as they will have to change the way they store information on Russian citizens.

“By the same date, all companies processing personal data of Russian citizens in databases located outside Russia need to make their systems compliant with the new requirements,” said Carsten Casper, managing vice president at Gartner. “This should be a key priority for the chief data officer and the CIO.”

A Gartner survey conducted in April 2015 across seven countries (US, UK, Canada, Brazil, India, Australia and Germany) covered 357 large organizations (at least $50 million in revenue, a minimum of 100 employees). It found that 37 percent of respondents would like to obtain certification to comply with the new requirements, although such certification does not exist today.

A third of surveyed organizations will appoint a local IT provider to manage data storage and processing, while 28 percent will simply look to place a copy of the relevant data onto a local server in Russia.

Gartner noted that while those three options will incur additional costs for organizations, they may be the most effective way to comply at such short notice. Others are planning to withdraw business from Russia (19 percent) or expect to ignore the law until they are investigated by the local authorities (18 percent).

“Although more clarifications are needed around the law, we advise companies that process Russian citizens’ personal data to make their business executives aware of the upcoming legal and investment requirements,” said Petr Gorodetskiy, senior research analyst at Gartner. “They also need to seek clarification from Russian authorities, where possible, and prepare plans for moving data (or data centers) to Russian soil or find alternative ways to mitigate this compliance risk.”

Further information can be found at eGov Innovation.