Finnish companies doing business abroad are used to having to deal with unexpected developments. One such turn came to light as the Russian government announced the fast-tracking of new legislation to ensure that the personal data of Russian citizens would reside on local soil, protected by Russian encryption.
The new law mandating the storage of the personal data of Russian citizens on servers and databases physically located in Russia was originally due to come into force in 2016. However at the end of last year the government changed the effective date to September 1 of this year.
The new legislative requirement means busy times ahead for the IT departments of Finnish companies doing business in Russia. One of those companies likely to be hit hard by the change is the retail chain Stockmann, which has more than 1.5 million regular customers in the country.
“So far part of the Russian database has been stored in Finland and we will now have to move this data to Russia,” said Lauri Veijalainen, Director of Stockmann’s International Operations.
Changes mean money and duplication
Veijalainen speculated that separating customer data on the basis of nationality will be costly, but above all it will mean additional work and the duplicate systems could complicate operations.
“A conservative estimate is that it will cost tens of thousands of euros in costs and it’s therefore a major investment,” he noted.
Another Finnish retailer, this time the S- Group, is active in the St. Petersburg region and is anticipating that it will face an even bigger bill as a result of the new data management requirement.
“We can’t estimate the amount of work yet, but financially it will mean in the region of hundreds of thousands of euros,” calculated SOK’s IT manager Raimo Mäenpää.
Other large companies such as Kesko and Finnair also have numerous Russian customers. Neither was able to say just yet how much they’d have to invest to comply with the new legislation.
Room for interpretation
Apart from the price tag associated with the legal reform, businesses are concerned about a lack of clarity in the framing of the new legislation. SOK’s Mäenpää noted that although the regulations were agreed upon last summer, specific bye-laws that would provide guidance to IT specialists are still to be issued.
“All companies are now anxiously waiting to see how precisely the regulations will have to be followed. It’s a bit unclear to all of us,” he remarked.
One question turns on whether or not it will be sufficient to provide primary data storage in Russia, in which case it could be copied to databases in Finland.
Only Russian encryption will suffice
The legislation will affect all foreign companies operating in Russia and will effectively increase the demand for storage space in data centres in Russia.
Major international players such as Google and Twitter will also have to comply with the new data storage requirement. They too will have to either build or rent new data centres locally in Russia. In extreme cases, failure to comply with the law will result in companies being shut out of Russia.
Additionally, Russia’s Federal Security Service FSB has decreed that servers that store the personal data of Russian citizens must be protected by Russian encryption algorithms only.
