By organizing sales through D2C channels, brands naturally collect personal information from customers. Of course, the people who provide this information trust that their data will be protected and will never fall into the wrong hands.
Considering the importance of this issue, local governments take it seriously. Every brand entering local markets must comply with local privacy laws. Regulatory documents can be confusing, so a partner who is well versed in the specifics and requirements of a particular country can be very helpful.
Let’s explore what requirements exist in this area for brands wishing to work in Russia. Back in 2006, the federal law “On Personal Data” was adopted. It applies to all organizations, without exception, that handle customers’ personal data, such as name, surname, age, and region of residence. A brand or company store that intends to use this information, for example to send advertising offers or even to conduct analytics, immediately becomes a personal data operator and takes on many responsibilities.
The first is registration with the Federal Service for Supervision of Communications, Information Technology, and Mass Media. Then it is necessary to create internal documentation for working with personal data, which describes the entire process of handling it. And most importantly, a secure information environment must ensure reliable storage and processing of information. Databases should be in isolated networks under constant monitoring with anti-virus protection, and servers should be accessed through encrypted communication channels.
Requirements for documentation and technical means of protecting confidentiality are regulated by federal law, by instructions of the Federal Service for Supervision of Communications, and by instructions from the Federal Security Service and the Federal Service for Technical and Export Control. From this alone, you can imagine the complexity of the whole process. To organize the collection and processing of users’ personal data, the brand will have to develop competencies in information protection or outsource it.
The risks are also quite significant. The first is inspections by the Federal Service for Supervision of Communications, which issues substantial fines for any violations. Fines for organizations reach $7,000, and fines for keeping Russian citizens’ data on servers outside Russia can reach $254,000.
With all the regulatory complexities involved, the original purpose of collecting personal data should not be forgotten. This information is valuable not only for the brand but also for its competitors. Therefore, another threat is theft of the customer database, which could be carried out by a disgruntled employee. At least 60% of leaks are due to deliberate actions of employees. Hackers can also pose a threat; after their attacks, information can reach competitors or the public. There are also leaks caused by the simple negligence of employees.
The massive publication or sale of customer data on the black market becomes known immediately, and it carries reputational risks for the company. People are sensitive to leaks of personal information, especially when it concerns such vital data as logins and passwords, payment, health, and financial details. A brand that has allowed disclosure of such information will inevitably be subject to public condemnation.
Thus, ensuring the security of personal data and of the brand that collects it requires information and personnel security services as well as the well-coordinated work of a legal department. However, it is almost impossible to refuse the collection and processing of personal data in current conditions; this would mean giving up most of the analytical work of the marketing department. In most cases, CRM systems that store such data become the basis for building relationships with customers. D2C sales models would be dysfunctional without collecting detailed customer information.
Therefore, brands cannot afford to fall short of the legal requirements or to turn a blind eye to the shortcomings of the control system, since doing so exposes them to significant financial risks.
The solution may be to outsource this activity to a partner already registered with the Federal Service for Supervision of Communications as an operator. Syntes can become such a partner for you. One of the Syntes Data Management platform features is storing various types of data in multiple locations. Personal data is stored as part of the brand’s online store, located in the same place. Thus, as required by law, the personal data of Russian customers is located at data centers within Russia. More than twenty years of experience in creating and implementing Internet solutions allows us to ensure the security of the collected information. And of course, our division in Russia is a personal data operator registered with the Federal Service for Supervision of Communications.
Partnering with us will allow you to minimize the regulatory and commercial risks of personal data processing without giving up the collection and analysis of marketing information.
Syntes, an international company, develops a next-generation MDM (Master Data Management) and PIM (Product Information Management) cloud platform and provides brands and manufacturers with services for creating, managing and automating D2C (Direct-to-Customer) sales and marketing channels. Syntes solutions and services are used by the world’s leading brands and manufacturers of consumer and business products such as Razer, Scarlett, Pantone, X-Rite, AVerMedia and others. Syntes is a registered trademark of Syntes, Inc.