At the end of 2016, territorial divisions of the Russian Data Protection Authority, Roskomnadzor, published their 2017 plans for conducting inspections of local companies’ compliance with Russian data privacy requirements, including data localization. The inspection plans contain a number of prominent multi-national and Russian companies.
For instance, the inspection plan of Roskomnadzor’s territorial division for the Russian Central Region includes Russian offices of multi-national and U.S.-headquartered electronics, pharmaceuticals, banking, and consulting firms.
As an example of how an inspection proceeds, Roskomnadzor conducted a planned inspection of Microsoft’s Russian affiliate in the spring of 2016 and issued an inspection report requiring Microsoft to eliminate, by October 2016, the violations revealed by the inspection. After Microsoft submitted its compliance report, Roskomnadzor issued a press release in November 2016 stating that it considered Microsoft in compliance with Russian privacy laws, including the data localization requirement, and closing the matter.
Companies operating in Russia can check the inspection plans in their respective regions (Central, North-West, South, North Caucasian, Privolzhsky, Uralian, Siberian, or Far Eastern) to determine whether they or their affiliates are subject to audits in the upcoming year.