The main components of China’s data security legal framework include laws such as the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. Addressing cross-border data flow, China has also introduced regulatory documents such as the Measures for Security Assessment of Cross-Border Data Transfer, Provisions on Standard Contracts for Cross-Border Transfer of Personal Information, and relevant guidelines. These collectively establish a regulatory mechanism for overseeing data outbound from China.
Data Compliance Challenges for Foreign Companies in China
Navigating data compliance consistently presents a major legal challenge for foreign-backed businesses in China. These challenges have become even more pronounced in today’s complex global socio-political and economic environment.
Many foreign entities encounter compliance complexities due to the distinct landscape of China’s data regulations and oversight. This includes:
-
Inability to ascertain compliance with data regulations;
-
Lack of understanding regarding the types of data being collected and processed, particularly the concept of “important data”;
-
Uncertainty about regulatory agencies, requirements, methods, and standards for data governance;
-
Absence of documentation, systems, and procedures for data management;
-
Confusion regarding cross-border data processing;
-
Uncertainty about efficiently and cost-effectively conducting compliance management, particularly for small and medium-sized enterprises.
Prior to engaging our services, the client lacked a foundation in data compliance, impeding their ability to accurately gauge potential risks. Their concerns extended to discerning data categories processed by the company, verifying the presence of critical data, formulating internal data protection frameworks, and ensuring the lawfulness and compliance of ongoing data processing activities.
Integra Provides Data Compliance Solutions
Upon receiving the client’s commission, Integra’s compliance task force swiftly acclimated to the client’s requirements, leveraging internationally recognized data governance methodologies. Key tasks include:
-
Comprehensive due diligence to comprehend the company’s operations and requisites
-
Systematic data categorization and inventory management, facilitating structured data lists
-
Cultivating employee compliance awareness through training sessions and addressing pertinent queries
-
Development and implementation of robust data compliance systems and protocols
-
Preparation of detailed data compliance reports
-
Provision of recommendations for corrective measures and continued guidance
This successful case marks a new step for Integra Group in the field of data compliance, enabling the provision of more comprehensive services and protection for foreign-funded enterprises in China as well as Chinese clients.
Introduction to Integra Data Protection Officer (DPO) Services
As a response to client demands, Integra will act as the Data Compliance Officer (DPO), offering ongoing compliance services and aiding clients in adapting to the intricate and ever-evolving regulatory landscape. Our services include:
-
Serving as the designated data protection officer in alignment with the Personal Information Protection
-
Development, implementation, and periodic revision of privacy policies, procedures, and frameworks
-
Holistic data security management encompassing internal and external domains
-
Coordination and execution of data protection impact assessments
-
Handling complaints and appeals related to personal information
-
Assisting in the management of data security incidents
-
Conducting awareness training sessions for internal staff
-
Facilitating communication channels with regulatory bodies
成功案例 | 协曈集团助力德资客户在中国市场实现数据合规
近日,协曈集团(“协曈”)协助一家德资企业成功完成中国数据合规项目。该项目有效化解了客户在中国市场的合规风险,增强了员工的合规意识,并为公司持续稳定的运营奠定了坚实基础,获得了客户的好评。
中国的数据安全法律体系,主要由《网络安全法》、《数据安全法》和《个人信息保护法》等组成。针对数据的跨境流动,中国还陆续出台了《数据出境安全评估办法》、《个人信息出境标准合同规定》及相关指南等规范性文件,搭建起了中国数据出境监管的机制。
解决数据合规风险,一直是在华外资企业面临的主要法律挑战之一。在当前特殊的国际政治经济环境下,外资企业对数据合规的担忧显得更加突出。由于中国数据立法及监管的特殊性,不少外资企业正在普遍面临合规方面的困扰,包括:
-
无法判断自身是否满足数据合规要求;
-
不了解正在收集及处理的数据类型,对“重要数据”难以理解;
-
不清楚数据监管的机构、要求、方式及尺度;
-
缺乏数据管理的文件、制度及流程;
-
对跨境数据处理感到迷茫;
-
不知如何开展高效的、成本可控的合规管理,特别是对中小型企业而言。
在服务前,客户对数据合规没有基础,无法准确评估自身的风险。客户对于公司处理了哪些类别的数据,是否包含重要数据,内部数据保护制度的制订以及当前数据处理活动是否合法合规等问题感到十分担忧。
接受客户委托后,协曈的合规项目小组,迅速了解并理解客户需求,采用了国际通行的数据治理方法,重点开展了以下几项工作:
-
尽职调查,了解公司业务及需求
-
数据梳理及盘点,制作数据清单
-
员工合规意识培训,答疑解惑
-
订立数据合规制度及流程
-
形成数据合规报告
-
提供整改建议和后续指导
这一成功案例,标志着协曈在数据合规领域迈出了新的一步,能够为在华外资企业以及中国客户提供更全面的服务和保障。
为了满足客户在数据合规方面更多需求,协曈将作为数据合规官(DPO),提供日常合规服务,协助客户适应复杂的、不断变化的监管环境。我们的DPO服务内容包括:
-
按照《个人信息保护法》等要求,担任公司指定的数据保护负责人
-
制定、实施和定期更新隐私政策、流程和程序
-
监控组织内外的数据安全管理
-
组织和开展数据保护影响评估
-
处理与个人信息相关的投诉和申诉
-
协助管理数据安全事件
-
为内部员工提供意识培训
-
与监管机构进行沟通
本文作者
Kelvin Lou
Director,One Compliance Consulting
Integra Group is a fully licensed asia-focused accounting, taxation, and business advisory firm – with dedicated offices in Shanghai, Beijing, Singapore and Taipei. We’ve helped companies ranging from Fortune 500 companies to small to medium sized businesses establish and grow their presence in Asia.
