Olga Ermakova
Senior Legal and Compliance Officer Linxdatacenter
16.10.2020

Learning to live with Russian Federal Law 152: A guide for foreign companies in Russia


The Russian market holds major potential for foreign companies. But because of myths about the market and inaccurate views of the risks involved, they often hesitate to develop their businesses here. In particular, they see compliance with local legislation on personal data – a challenge for any business concerned with reputation and future growth – as complicated and costly.

For foreign companies operating or considering operation in Russia, this article offers a brief guide to compliance with the regulations for Russian personal data protection. We hope it will remove some concerns about data processing in Russia and help businesses begin to live with Federal Law 152, the basis of data protection law in this country.

A bit of background

In addition to standard colocation solutions, nearly all commercial data centers offer their customers extensive connectivity. When a company places its IT infrastructure at a data center, it can access IT services from multiple operators all over the world. Synchronization across many systems of various technologies and standards is already complicated. Ensuring legal harmony adds another layer of complexity.

Although digital business began long ago to operate transborder and the number of companies working on the global scale continues to grow, the world is not yet a global village. This is largely because of differences in local legislation. Personal data protection is an area where significant differences demand close attention by outside companies entering the Russian market.

Russian Federal Law 152 (FL-152), various directives of the Russian government, and decrees of the regulators control the processing of the personal data of Russian citizens. In the European Union, the General Data Protection Regulation (GDPR) and local laws of the member countries play a similar role.

We predict that unification of the Russian FL-152 and the European GDPR (and eventually, similar legislation in other regions of the world) is only a matter of time. They already have some similarities but also important differences related to the ways the legislation and practice have developed.

Motivation by inspection and penalty

The penalties for failure to meet data protection requirements motivate companies to pay close attention to the regulations in Russia. The fine for the first violation ranges from $33,000 to $100,000, with repeat violations costing $100,000 to $300,000.


Personal data operators receive three days’ notice before scheduled inspections and 24 hours’ notice before surprise inspections.

A scheduled inspection can last no longer than 20 days and a surprise inspection no longer than 10.

Legal entities and individual entrepreneurs will not be inspected for the first three years after their registration. This gives a newly founded company the time to ensure compliance of its processes and to prepare for inspections.

The frequency of inspections depends on what data is being processed and how. For most companies, inspections will happen only once every three years.

Companies working with special categories of data (such as biometrics) and operators transferring data to foreign states, companies, and citizens, can be inspected every two years.

Two scenarios

A foreign company collecting data of Russian citizens in the territory of the Russian Federation (RF) has two ways to ensure data protection under the law:

Scenario No.1: A foreign company registers as a subsidiary firm, branch, or representative office in Russia.

In this case, the procedure is relatively simple. In fact, if the company complies with the GDPR in Europe, it is not difficult to adapt its processes to the FL-152. Both standards focus most of their requirements for business on organizational measures: policies, processes, and supporting documentation.

The only challenge is technical support for personal data protection: the infrastructure and encryption tools. A company must appoint an information-security specialist who will ensure technical compliance of the infrastructure with FL-152 directives.

This specialist must have training and experience in the application of certain guidelines of the Federal Service for Technical and Export Control of Russia (FSTEK) and Federal Security Service of Russia (FSB).

Because a company just entering the Russian market is unlikely to possess such expertise, it may need outside assistance. Local providers offer FL-152-compliance “turnkey” service and create secure zones for personal data processing on their own infrastructure.

Local infrastructure for processing the personal data of Russian citizens is a requirement. It is critically important for any foreign company processing personal data in Russia. Failure to take it into account presents a major risk.

Scenario No.2: A foreign company has no registered representation in Russia, but it processes personal data of Russian citizens.

In this situation, it is highly unlikely that Roskomnadzor will inspect the company’s business processes, but it can inquire about the location of its IT infrastructure and its policy on data processing. The company must be ready to provide the regulator with answers and related documents on request.

Even if they are not physically present in the country, companies doing business in Russia should not overlook Russian legal requirements. A failed inspection will cause the authorities to block Russian users from the digital resources and services of the company. This may have a strong impact on the business. The penalties for violation are also unpleasant, and the company’s reputation is likely to suffer because such stories always appear in the mass media.

What does FL-152 support look like?

So, what happens when a foreign company needing assistance with FL-152 compliance comes to a Russian service provider for help?

The first step is to decide whether the company needs a full FL-152 compliance service: a complete set of organizational measures. This would include analysis of business processes, preparation of internal documentation, training of personnel, etc. The service here is a made-to-measure project to meet the specific needs of the customer’s business.

Or the company may need only the technical solution: location of infrastructure in the Russian Federation in line with regulations. Technical compliance of the infrastructure usually means a standard, package solution offered by most large service providers. For each customer, the service provider creates a dedicated segment in its own IT infrastructure, within a secure network that meets the demands of FSTEK and FSB.

Don’t panic

When up and running, a foreign company can avoid unscheduled, surprise Roskomnadzor inspections by clearly and publicly posting its policy on personal data in Russian and English on its website. These policy statements must contain detailed descriptions of all scenarios for data processing: data of EU citizens processed according to the GDPR, data of RF citizens processed according to FL-152, etc.

If an inspection is inevitable, it is important to remember this: in all likelihood, only Roskomnadzor will do it, and the regulator’s attention will focus mostly on business processes and their documentation (a “documentary inspection”). The regulator will also be interested in the location of the infrastructure in the Russian Federation and its compliance with the law.

In theory, FSB and FSTEK may have questions regarding technical details of personal data processing and security systems, but it is not likely. Even if they do, there is no reason for concern because providers create a detailed and transparent description of the final architecture of the IT infrastructure (including documents, diagrams, certificates).

Service providers perform their services in the strictest compliance with their licenses. Otherwise they risk drawing the attention of the supervising authorities to their own processes.

FL-152 advantages over GDPR?

Any European company will inevitably consider the effort necessary to ensure compliance with the GDPR in Europe and the FL-152 in Russia. If we analyze the benefits and shortcomings of current personal data legislation in the EU and in the RF, we notice certain advantages of Russian law.

The FL-152 says “meet these requirements by undertaking these specific steps”. The GDPR says “achieve this result” (protection of individuals’ rights to their personal data).

On one hand, the European approach gives the company more freedom. On the other, the absence of a clear, step-by-step manual increases the company’s responsibility and its risk of failure.

In our view, it is easier to ensure FL-152 compliance: we see the laws, decrees, and instructions as a toolkit or template that a company can use to ensure compliance.

The GDPR offers no such kit. The key is the end goal: protection of the individuals’ rights. The impact of company policy on these rights shows the effectiveness of its approach, and the inspector decides whether the company meets the requirements.

So, the GDPR approach is far more difficult. With no templates, it takes more effort and a deeper understanding of tasks and processes to ensure compliance.

Fines for violation in Russia have increased but remain lower than in Europe: the GDPR demands much stricter punishment for potential leaks of personal data. Look, for example, at the operator of a legal-news website that was penalized €15,000 because its privacy statement was only available in English, though it also addressed Dutch- and French-speaking audiences. To make matters worse, the first version of its privacy statement was not easy to find and did not mention the legal basis for data processing under the GDPR.

In another example, the regulator fined German company Deutsche Wohnen SE €14.5 million for archiving customers’ personal data without asking their permission and for failing to provide an option to remove data that was no longer needed.

The German company Deutsche Wohnen SE was fined €14.5 million in 2019 for storing customers’ personal data without necessity, including after the end of its contractual relationship with those customers, and for not offering customers an option to delete such information.

Where to begin?

A company must define in detail every stage of a personal data protection project, especially the first step, auditing. Here it lays the foundation for an effective future solution and assigns roles of the people who will be responsible for developing and maintaining it.

Later on, the company must ensure the continuity of personal data handling within its business processes. Any changes in these processes – to the security protocols, access system, personnel structure, and software, among others – must include update of the related policies, processes, architecture, threat models, etc. It is vitally important to remember this.

In conclusion

Compliance with Russian personal data law requires careful study and preparation, but it is an attainable goal. The expectations of the Russian authorities are understandable and reasonable.

Nevertheless, meeting them does demand effort and experience. For a company aiming to use its time and financial resources efficiently, the best approach is to find a reliable local partner with expertise in the field.

*Updated with the Protocol CETS No. 223 dated 18th May 2018, a week prior to the GDPR coming into effect.

Biography

Olga Ermakova is the Senior Legal and Compliance Officer at Linxdatacenter. Her work experience of more than 15 years includes comprehensive legal practice in consulting and IT solutions. A graduate of the legal faculty of the St. Petersburg State University, she is certified as a GDPR Data Privacy Professional (GDPR DPP) and holds an ICA Certificate in Compliance.

Olga’s professional achievements at Linxdatacenter include involvement in the creation of its personal data protection system, support for the licensing process for information security (FSTEK, FSB), staff training on personal data processing, and construction of the compliance management system.


How we optimized customer data center management

A data center is a complex IT and engineering facility that requires professionalism at all levels of management, from managers to technical specialists and the staff who carry out maintenance work. Here is how we helped a client put the operational management of its corporate data centers in order.

Taras Chirkov, Head of Data Center in St. Petersburg

Konstantin Nagorny, chief engineer of the data center in St. Petersburg


Management is in the lead 

The most advanced and expensive IT equipment will not deliver the expected economic benefits unless proper processes for operating the engineering systems of the data center that houses it are established.

The role of reliable and productive data centers in today's economy is constantly growing along with the requirements for their uninterrupted operation. However, there is a big systemic problem on this front.  

A high level of uptime (failure-free operation of a data center without downtime) depends heavily on the engineering team that manages the site. And there is no single formalized school of data center management.


Nationwide  

In practice, the situation with the operation of data centers in Russia is as follows.  

Data centers in the commercial segment usually hold certificates confirming their management competence. Not all of them do, but the very nature of the business model, in which the provider answers to the client for service quality, money, and market reputation, obliges them to master the subject.

The segment of corporate data centers that serve a company’s own needs lags far behind commercial data centers in operational quality. The internal customer is not treated as carefully as the external one, and not every company understands the potential of well-configured management processes.

Finally, government departmental data centers are often unknown territory in this regard because of their closed nature. An international audit of such facilities is understandably impossible, and Russian state standards are only now being developed.

All this produces a “who knows what” situation: operations teams of diverse composition, made up of specialists with different backgrounds, different approaches to organizing corporate architecture, and different views on and requirements for IT departments.

Many factors lead to this state of affairs; one of the most important is the lack of systematic documentation of operational processes. A couple of introductory articles by the Uptime Institute give an idea of the problem and how to overcome it, but after that the system has to be built by your own efforts, and not every business has enough resources and competence for that.

Meanwhile, even a small systematization of management processes according to industry best practices always yields excellent results in terms of improving the resilience of engineering and IT systems.  

Case: through thorns to relative order

Let’s illustrate with an example from a completed project. A large international company with its own network of data centers approached us. The request was for help optimizing the management processes at three sites where IT systems and business-critical applications are deployed.

The company had recently undergone an audit by its headquarters and received a list of inconsistencies with corporate standards, with orders to eliminate them. We were brought in as a consultant because we carry the relevant industry competence: for several years we have been developing our own data center management system and educating the market on the role of quality in operational processes.

Communication with the client’s team began. The specialists wanted a well-established system for operating the data center engineering systems, with documented processes for monitoring, maintenance, and troubleshooting. All of this had to optimize the infrastructure component in terms of IT equipment continuity.

And here began the most interesting part.  

Know thyself 

To assess how well data centers comply with standards, you need to know the exact requirements the business places on its IT systems: the internal SLA level, the permissible period of equipment downtime, and so on.

It became clear right away that the IT department did not know exactly what the business wanted. There were no internal criteria of service quality, no understanding of the logic of their own infrastructure.  

Colleagues simply had no idea what the permissible downtime for IT-dependent operations was, what the optimal system recovery time after a disaster was, or how the architecture of their own applications was structured. For example, we had to work out whether a “crash” of one of the data centers would be critical to an application, or whether none of the components hosted there affected it.

Without knowing such things, it is impossible to calculate any specific operational requirements. The client recognized the problem and increased coordination between IT and the business to develop internal requirements and establish relationships to align operations.  

Once an understanding of the IT systems architecture was achieved, the team was able to summarize the requirements for operations, contractors, and equipment reliability levels.  

Improvements in the process 

Our specialists traveled to sites to assess infrastructure, read existing documentation, and checked the level of compliance of data center projects with actual implementation.  

Interviews with the responsible employees and their managers became a separate area of focus. They described what they do and how they do it in different work situations, and how the key processes of operating the engineering systems are arranged.

After the work began and the specifics of the task became clear, the client “gave up” a little: we heard the request to “just write all the necessary documentation”, quickly and without diving deeply into the processes.

However, properly optimizing the management of data center “engineering” means teaching people to assess the processes themselves and to write documentation unique to them, based on the specifics of the facility.

It is impossible to produce a working document for a specific maintenance area manager unless you work with that person on site continuously for several months. So this approach was rejected: instead, we found local leaders who were willing to learn themselves and to lead their subordinates.

Having explained the procedure for creating documents, the requirements for their contents, and the principles for organizing the ecosystem of instructions, we spent the next six months overseeing the detailed writing of the documentation and the step-by-step transition of personnel to the new way of working.

This was followed by a phase of initial support for work on the updated regulations, which lasted one year in a remote format. Then we moved on to training and drills - the only way to put the new material into practice.  

What's been done 

In the process, we were able to resolve several serious issues.  

First of all, we avoided the duplicate documentation that the client’s employees feared. To this end, the new regulations combined the standard regulatory requirements that apply to the various engineering systems (electrical, cooling, access control) with industry best practices, creating a transparent documentation structure with simple and logical navigation.

The principle of "easy to find, easy to understand, easy to remember" was complemented by the fact that the new information was linked to the old experience and knowledge of the employees. 

Next, we reshuffled the staff of service engineers: several people turned out to be completely unprepared for the change. The resistance of some was overcome during the project by demonstrating the benefits, but a certain percentage of employees proved unwilling to learn and unresponsive to anything new.

But we were surprised by the company's frivolous attitude to its IT infrastructure: from the lack of redundancy of critical systems to the chaos in the structure and management.  

In 1.5 years, the engineering systems management processes were raised to a level that allowed the company’s specialists to report successfully “for quality” to the auditors from headquarters.

If the company maintains this pace of developing its operational component, it will be able to pass any existing data center certification from the leading international agencies.

Summary 

In general, the prospects for consulting in the field of operational management of data centers are, in our opinion, very bright.

The digitalization of the economy and the public sector is in full swing. Yes, there will be many adjustments to the launch of new projects and to plans for developing old ones, but this will not change the essence: operations must be improved, if only to raise the efficiency of sites that have already been built.

The main problem here is that many managers do not understand what thin ice they are walking on by not paying proper attention to this point. The human factor is still the main source of the most unpleasant accidents and failures, and this needs to be explained.

Government data center projects are also becoming more relevant now and require increased attention in terms of operations: the scope of government IT systems is growing. Here, too, the development and introduction of a system of standardization and certification of sites will be required.  

Once the requirements for public data centers in Russia are reduced to a standard at the legislative level, it can also be applied to commercial data centers, including for hosting public IT resources.

Work in this area is ongoing; we are participating in the process in consultation with the Ministry of Digital and by building competencies for teaching courses on data center operation at the ANO Data Center. There is little experience with such tasks in Russia, and we believe we should share it with colleagues and clients.


BEST, money transfer and payments operator

business challenge

The customer faced a technical issue: a persistent BGP session flap with Linxdatacenter hardware. We examined the problem and found that one of the customer’s hosts was under a DDoS attack.

Because of the distributed nature of the attack, the traffic could not be filtered effectively, and disconnecting the host from the external network was not an option. The attack stopped after changes to the server configuration but resumed the next day. A 5.5 Gbps attack overloaded the interconnection points with internet providers, affecting other Linx Cloud users. To mitigate the effects of the attack, we employed a dedicated DDoS protection service.

Solution

To ensure the continuous availability of resources hosted in Linx Cloud, we rerouted all of the customer’s traffic through the StormWall Anti-DDoS system. The attack was stopped within half an hour. To prevent future attacks, we routed all connections to the customer’s resources through the StormWall network.
