Establishing a hierarchical classification system for cyber data is the initial step towards achieving data compliance in enterprises, as it enables them to manage their data with varying levels of protection and costs.
The Data Security Law of the People's Republic of China establishes China's data classification and protection system, while the relevant regulations and guidelines provide the main framework and principles for data categorization. Depending on the dimension chosen, data can be classified as "personal information" or "non-personal information," "public data" or "social data," and "public communication information" or "non-public communication information." Industry-specific rules may also classify data by sector, such as industrial, telecommunications, financial, or natural resources. Enterprise-generated information can be categorized into user data, business data, management data, and security-related data. Network-based datasets are further divided into three categories: core datasets, which have a significant impact on operations; important datasets, which support critical functions; and general datasets, which are subdivided into levels 1-4.
As a participant in and advisor on the development of legislation and standards in this field, V&V has an accurate grasp of the specific standards and implementation process for data classification and grading. V&V can assist enterprises in completing data classification and grading accurately, advise on the data asset protection measures that should be in place for each data category and grade, and provide enterprises with best practices in data compliance.
For multinational corporations and organizations, the cross-border flow of data is a necessary part of business operations. Whether based on cross-border supply chain, personnel management, or business operations, it is unavoidable for corporate headquarters located outside of China to access data in China. However, unexamined or overly permissive cross-border data flows may result in a violation of the Data Security Law and other regulations governing approval for such flows. On the other hand, excessively conservative approaches may prevent foreign headquarters from gaining a complete and timely understanding of their operations in China.
After the implementation of the Measures for the Security Assessment of Outbound Data Transfer, a six-month rectification period was established, which concluded on February 28, 2023. V&V has acquired substantial practical expertise in determining whether specific cross-border data transfers require declaration and can offer companies a pre-assessment that closely aligns with regulatory standards, thereby providing greater certainty about the regulatory requirements that apply to the cross-border processing of each piece of data.
Moreover, as of July 2023, the success rate for the thousands of completed outbound filings nationwide stands at a mere 1%, with the majority of applications still undergoing review or awaiting approval. V&V's partners, who have participated in and advised on successful approvals, can offer companies compliance advice for preliminary reviews that increases the likelihood of approval, significantly enhancing the success rate of their filings.
In recent years, information security has become a top regulatory priority for the Chinese authorities. A well-known U.S. storage company was prohibited from entering the supply chain of a Critical Information Infrastructure (CII) operator due to its failure in an information security audit. For foreign technology and information companies operating in China, ensuring compliance with information security requirements is one of their key challenges as it directly impacts their supply chains, sales, and operations within the country. Achieving compliance not only necessitates implementing high-standard compliance programs but also requires extending these measures to upstream suppliers. V&V has extensive experience in dealing with information security and can assist organizations in conducting due diligence on their own information security protection compliance, as well as that of their supply chain and even their customers. This ensures alignment with legal, regulatory, and supervisory standards to mitigate risks and minimize the impact of enforcement actions on upstream, downstream, and internal operations.
The improper collection and use of personal information not only violates citizens' privacy as a tort, but also constitutes an offense that can result in administrative and criminal penalties for disrupting the digital economy. Similar to most countries, China's laws and regulations on personal information protection establish a set of rules centered on "informed consent," which include individuals' rights and interests such as the right to be informed, the right to make decisions, and the right to data deletion. Companies are obligated to fulfill their responsibilities by ensuring the security and protection of personal information through processing controls, auditing, and evaluation. China's regulators are proactively addressing complaints and reports of personal information violations, as well as actively investigating and enforcing laws and regulations against businesses potentially involved in such violations. Personal information is widely used in areas pertaining to consumer rights, trade secrets, data security, e-commerce, and cross-border transfers. Businesses found to be in violation of personal information protection laws and regulations face substantial civil damages, administrative penalties, criminal sanctions, and predictable reputational harm. As a consultancy specializing in the relevant legislation, V&V can assist businesses in proactively planning and implementing data privacy compliance programs that adhere to regulatory standards. V&V is also capable of providing negotiation, defense, and voluntary disclosure to regulatory authorities in any legal proceedings and investigations.
- In-depth knowledge of regulatory requirements for data security and cybersecurity processing;
- Formation of internal compliance programs regarding data classification and grading and cross-border transfer in different industries;
- Review and submission of multinational corporations' cross-border data transfer applications;
- Due diligence on multinational corporations' data privacy protection and cybersecurity;
- Advisory opinions, interpretations, license applications, and knowledge of regulatory exceptions and limitations;
- Negotiation, voluntary disclosures, and defense of enforcement proceedings.
VISION & VIEW
Copyright © 2023 VISION & VIEW - All rights reserved.
Vision & View Law Firm