Blog post

Data Residency and Russia

By Andrew Walls | October 03, 2014 | 1 Comment

Numerous media outlets have reported on the recent move by Russia’s Duma to expand data protection regulations (see http://www.russianlawonline.com/law-firms/baker-mckenzie, http://www.lexology.com/library/detail.aspx?g=9bb1524d-2f82-475f-859a-43101dd8dc3d). These regulatory changes have generated a fair amount of angst as organizations providing services via the internet to citizens and residents of Russia have scrambled to figure out what they need to do to comply and still make a profit.
This is not a simple question to resolve. Interpretations of the law vary and there is no pattern of enforcement upon which to base decisions. The law may, or may not, require internet-based providers to store data about Russian customers on infrastructure within the borders of Russia.
While the practical impact of the regulations is sorted out, what should providers do?
1. Get your legal counsel involved. They need to get the ball rolling on figuring out whether the regulation might apply and what the regulation means.
2. Develop a contingency plan with your business leaders. Assume the worst: all data about Russian customers might have to remain in Russia. Which business processes currently use that data? How are those processes supported by infrastructure? How would the infrastructure have to change to enable data residency in Russia? How would business processes have to change? Is the cost of compliance compensated sufficiently by your business plan?
3. Wait, watch and be ready to implement the plan.

Russia is the latest jurisdiction to enact more stringent regulations about data protection and privacy for residents and citizens. Regardless of the motives for this regulation (some claim the recent changes are politically motivated), claiming a need for data residency is increasingly common. Organizations that work with customers in various legal jurisdictions need to keep contingency plans ready for similar actions in other locations. There is no need to panic. Work with your business stakeholders to build a flexible approach to infrastructure deployment and business process design. Anticipate regular changes in the regulatory climate in all jurisdictions and plan accordingly!

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

1 Comment

  • Andrew – Thanks for the timely Blog. We are seeing this as well. There has definitely been an increase in interest in our solution, which Gartner calls a Cloud Data Protection Gateway (within its Cloud Access Security Broker landscape), out of Russia as a result of the new legislation. For organizations looking to adopt clouds based outside of the Russian Federation, a Gateway (run either on-premise or within a managed service within Russia) can be used to tokenize regulated data before it crosses the border in order to maintain compliance with current (and anticipated) legal requirements. Perspecsys’ solution maintains the functionality of SaaS clouds like Salesforce.com and ServiceNow, so users can still do things like Search and Report on data that has been tokenized. As you say, these Data Residency/Sovereignty requirements are becoming more common (e.g. Germany, Australia, Canada, Switzerland, China, etc…) and we expect to see it more and more.