Today any company operating in Russia is required to collect, store, and process personal data in accordance with the Russian law “On Personal Data” (amended last September). Roskomnadzor (the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications) can inspect any legal entity to monitor compliance with the law.
In 2016, the Service is paying greater attention to foreign companies compared with past years and a number of major international companies, including software companies, internet stores, network trade companies and top international banks are scheduled to undergo inspections this year. The focus is on companies, which process large amounts of personal data for commercial purposes.
As a service provider, we noticed growing demand from foreign companies for placement of IT systems and data migration services from late 2015. However, the demand was lower than market expectations. This reflects certain challenges associated with data transfer.
Quirks of the Russian market
Moscow International Business Center at night
Source: Thinkstock / scaliger
Firstly, in order to comply with legal requirements, global international companies with centralized IT systems have to transfer supporting systems as well as the data itself to Russia, since it is extremely hard to alter the initial architecture of an information system (unless it has been created in distributed form with numerous data processing centres). The substantial investments, associated with such system transfer, have dissuaded some foreign companies from carrying out or from completing data transfer: these businesses have opted to live with legal risk and are awaiting the results of inspections and law enforcement practice.
Many companies avoid building their own physical infrastructure in Russia by transferring their information exclusively to a virtual environment. Use of the cloud environment requires much lower investments than purchase of equipment and assembly of racks in Russia, particularly since most Russian cloud providers have not adjusted their prices to reflect recent exchange rate changes, making local prices 20–30% lower than in Europe. The current tough economic environment has forced Russian infrastructure companies to offer their clients attractive terms for data localization in Russia.
Another challenge for companies that need to transfer their data arises directly from the actual process of data migration from one system to another. The process involves special risks, including breakdowns in communication, business processes, and processes dependent on automated systems, as well as other technical failures, which may threaten service standards. The ability of a provider to ensure continuity of business processes is of crucial importance and customers have a strong incentive to select reliable and proven solutions, offered by operators with substantial experience in migration of information systems.
The final challenge is related to risks of failure to comply with Russian information security requirements. On western markets, a company chooses independently what method it will use to protect personal data, and liability only arises in case of unlawful actions following leakage of such data. In Russia, however, failure to comply with established information security requirements already entails liability.
Regulators impose specific requirements for technical protection of confidential information and suitable systems (intruder detection, protection analysis, antivirus protection, etc.) can be installed directly in the virtualized environment in order to ensure adequate security for personal data storage. Foreign companies, which are transferring their data to the cloud environment, require the operator to present documentary evidence of compliance with all requirements related to information protection. So the provider must hold all of the relevant licenses and certifications of ability.
Russian cloud market players now offer foreign companies a broad choice of virtualization systems, with a range of pricing and data protection solutions, and the possibility to connect Russian and Western infrastructures. We have connected our cloud with the Equinix sites in Frankfurt and Amsterdam, enabling international customers to allocate resources in Russian infrastructure and unify them with existing capacities in Equinix data centres around the world. This has made the Russian market accessible for many companies that never had presence here before.
Vladimir Lebedev is a business development director at Stack Group, a company that operates data centers in Moscow.