Russia’s new data privacy “localisation” law commences on 1 September 2015.
The law will require that all personal data of Russian citizens, for businesses operating in the Russian market, must be collected and updated via a database set up in Russia. In other words, it will no longer be possible for the personal data of Russian citizens to be collected, stored and updated in a foreign (non-Russian) database alone.
It will still be possible to transfer Russian personal data outside of Russia, subject to compliance with the existing data export requirements, but the primary point of collection and storage must be in Russia itself.
In the HR world, this will mean (for example) that it will no longer be possible to enter employee personal data directly to HR systems in (for example) the Unites States, unless the data has already been collected and stored in a local Russian database. It can be transferred to the US database, or re-entered into the US database, but it must first exist in Russia.
Businesses who breach the law may face penalties ranging from public “naming and shaming”, to administrative fines and, in some cases, the somewhat draconian sanction of the Russian data protection watchdog (Roscomnadzor) shutting down a local website or blocking Russian access to a foreign one.
If you have staff in Russia and have not revised your HR systems to take account of the new “localisation” law, now is the time to do so.