Preface
On December 20, 2021, the Guangzhou State-owned Assets Supervision and Administration Commission released the "Guangzhou State-owned Assets Supervision and Administration Commission Supervised Enterprise Data Security Compliance Management Guidelines" (Trial 2021 Edition), a major step for local state-owned asset supervision agencies in data security and personal information protection. In the same month, the State-owned Assets Supervision and Administration Commission of the State Council released the "Action Plan for Digital Transformation of State-owned Enterprises", which set out the specific goals state-owned enterprises should achieve in digital transformation by 2025: continuous optimization of management systems, significant improvement in the effects of data empowerment, and major breakthroughs in digital transformation in key areas.
A key issue commonly faced by state-owned enterprises during digital transformation is insufficient data security protection capability, mainly reflected in disorderly data storage and management, non-standardized data sharing and use, and the lack of effective auditing of data transmission. These issues reflect shortcomings in both systems and technical means. State-owned enterprises therefore urgently need to establish a comprehensive data security management framework, formulate practical data security policies, and create effective management standards to ensure the secure and stable operation of information systems, networks, personal terminals, and the data they hold.
A complete data security compliance management system covers organizational structure, institutional construction, compliance requirements (data security, personal information protection, and partner management), technical applications, and responsibility supervision. This guide first integrates data security compliance management into the existing state-owned enterprise compliance management system and treats its construction as a key area, which both draws on the advantages of the existing system and avoids overlapping institutional arrangements.
The management strategies of "list management" and "three majors and one large" decision-making can be adopted to control major data compliance issues: key data security compliance matters are classified into the "three majors and one large" management category, and list-based management is implemented to precisely control transactions, outputs, and sharing of data concerning national secrets, industrial planning, strategic layout, major projects, and core technologies.
Within the compliance system of state-owned enterprises, a "three lines of defense" model is applied. Specifically, the departments responsible for data management, information systems, or IT, together with the business departments, form the first line of defense; the compliance management department serves as the second line of defense; and the discipline inspection and audit departments form the third line of defense, with the responsibilities and duties of each clearly defined.
In promoting the digital transformation of state-owned enterprises, it is necessary not only to implement digital measures but also to strictly comply with data compliance regulations, especially in preventing and responding to legal risks. Throughout the transformation, state-owned enterprises must therefore strictly comply with the relevant laws and regulations to ensure its legitimacy and compliance.
1. Pain points and difficulties of data security compliance management in state-owned enterprises
(1) Difficulties in managing core data
Data in state-owned enterprises is widely distributed across computers, mobile phones, laptops, business systems, and databases, and includes structured, semi-structured, and unstructured data. This data is difficult to identify and classify, which makes determining and protecting core data complex; the lack of standardized definitions renders data classification and grading ineffective; and the absence of a comprehensive understanding of where core data is distributed, together with the lack of lifecycle-wide risk assessment, leaves the overall data security status unclear.
(2) The contradiction between data security and business efficiency
Finding a balance between data security and work efficiency while maximizing the value of security protection is difficult; there is no effective classification and grading strategy for office data stored together with critical information; the mismatch between protection measures and the importance of the data leads to low protection efficiency; and document permission management that relies on user initiative can easily cause security measures to fail.
(3) Difficulties in controlling internal data leaks
Because a complete data compliance management system is lacking, tight integration of overall data security protection remains difficult to achieve. For example, frequent file exchange between units poses a risk of unlimited copying and abuse of files once they have been distributed; uncontrolled data transmission channels (such as burning CDs, internal email, etc.) increase the risk of data falling outside control; and in daily work, sensitive data is transmitted in many ways, making it difficult to effectively manage and prevent the spread of confidential files.
(4) The complexity of tracking leak incidents
The lack of effective monitoring and auditing of classified data in circulation makes tracing responsibility complex; data can easily be carried out on removable storage devices, and the use of dedicated storage media is difficult to restrict and trace; and the absence of a comprehensive behavioral security audit system, which would allow timely alerting and locating the source of a security incident, creates significant management difficulties and security risks.