Qiyuan Law Talks | In-Depth Interpretation: Standard Process for State-owned Enterprises to Achieve Data Security Compliance (Part 1)
Time: 2024-07-18

Introduction

Driven by the current wave of digitalization, data security and compliance have become a cornerstone of stable operations for many enterprises. As a trainee lawyer, I was fortunate to take part in a comprehensive data security compliance project for a state-owned retailer under the leadership of Lawyer Zeng Li and Lawyer Fu Yangchun. The project was not only broad but also in-depth, covering almost every element a state-owned enterprise needs for data security compliance.

The project covers data security compliance risk assessment, establishment of internal data compliance system, drafting and revision of relevant business texts, and specialized compliance of apps and mini programs. For this project, our team has issued written documents such as a data security compliance risk assessment report, a mini program personal information collection compliance testing report, UI interface optimization suggestions, privacy policy, user agreement, and data delegation processing agreement.

[Image 1]

Although the project content is diverse and seemingly scattered, they are actually an organic whole, interrelated. In the process of implementing the project, we always focus on the three core steps of risk investigation, risk identification and analysis, and the formulation and implementation of rectification plans. This method helps us quickly grasp the main thread and main contradictions, ensuring the efficiency and systematicity of compliance work.

The writing logic of this article follows the main line logic of the project implementation mentioned above, aiming to provide reference and ideas for other state-owned or non-state-owned enterprises to achieve data compliance by sharing our experience in this project.

Part One: Risk Investigation

1. Due diligence: the starting point of risk assessment

As a lawyer from an external third-party organization, one must collect and analyze a large amount of information to understand the enterprise's operations comprehensively and analyze its potential risks in depth. Lawyers generally conduct due diligence through questionnaires and personnel interviews, and the raw information gathered this way arrives scattered and disordered, coming from many departments and links of the enterprise, such as the Information Department, Comprehensive Department, Product Department, and Operations Department. Sometimes the collected information is one-sided and fragmented, so that the connections between its pieces cannot be established; sometimes it is far too dense. For example, during due diligence the author received a 106-page computer system construction plan, packed with computer terminology and covering five major categories and dozens of subcategories, such as system overview, overall planning, installation and deployment, and determination of the system's security protection level. For a legal practitioner with no computer science education, receiving such a high density of technical parameters in a short time easily leads to confused thinking. How to sort out this information effectively is therefore the key to risk investigation, and it is the focus of this section.

[Image 2]

2. Information sorting: from macro, meso, and micro perspectives

To sort out diverse and chaotic information effectively, lawyers can start from three perspectives, macro, meso, and micro: (1) the external industry model; (2) the internal environment of the enterprise; (3) the entire lifecycle of data. These three perspectives are not independent of each other but interconnected.

[Image 3]

(1) Macro perspective: Insight into different role positioning through external industry models

Data is the mapping of the material world's industrial chain onto the information world, and every transmission of data has a sending point and a receiving point. Therefore, by observing the industry model in which the company actually operates, lawyers can quickly grasp the following from a macro perspective:

Who are the other entities involved in data processing activities with the company?

What is the relationship between the two/multiple parties?

What is the role of the company in the data chain?

[Image 4]

A simple example:

The company mainly operates B2C e-commerce websites, and its industry model can be roughly summarized as follows:

Third party merchants sell their products or services to end-users through B2C e-commerce websites operated by the company.

[Image 5]

Figure 1: Industrial Model

Correspondingly, the following information can be obtained:

(1) The other entities involved in data processing activities with the company necessarily include third-party merchants and C-end customers.

(2) The relationship between multiple parties:

Customers provide address, contact information, name, and other data to B2C e-commerce websites. B2C e-commerce websites then provide this information to third-party merchants, who in turn provide this information to logistics companies to complete shipping and distribution.

[Image 6]

Figure 2: Transmission chain of C-end customer address, contact information, and name data

(3) The company is positioned mainly as a data recipient, and its data processing activities involve collection, use, storage, transmission, and possibly further processing.

(2) Meso perspective: Insight into data management processes through the internal environment of the enterprise

In the internal environment of enterprises, the flow and interaction of data run through various operational links. Whether it is data transmission from the parent company to its subsidiaries, data exchange between the parent company and its subsidiaries, or even data sharing between different departments within the company, these data flows are an indispensable part of enterprise operations. They not only affect the operational efficiency of enterprises, but more importantly, they directly involve the data security and compliance standards of enterprises.

By carefully sorting and optimizing the company's internal business processes, it is possible to identify clearly who produces data, who uses it, who supervises it, and who is responsible for it. This step is crucial because it lays the foundation for the subsequent data compliance improvement plan and for building or improving the data compliance system. An in-depth understanding and effective management of internal data flows is a key step in ensuring enterprise data compliance, maintaining data security, and promoting efficient business operations.

[Image 7]

(3) Micro perspective: Revealing the full picture of data processing activities through the entire lifecycle of data

The full lifecycle of data refers to the sequence of forms that data takes over time, including data generation, data collection, data transmission, data storage, data usage (including computation, analysis, visualization, etc.), data exchange, and data destruction. Systematically sorting out this continuous process is a key step in revealing the overall picture of the enterprise's data processing activities and establishing a comprehensive foundation for risk management.

Taking shopping apps as an example, their data processing activities can be divided into the following stages:

1. Data collection stage: The shopping app needs to legally collect personal information (such as address, name, phone number, etc.) and shopping preferences with the user's consent, ensuring the legality of the collection and the protection of user privacy.

2. Data storage stage: The collected data must be securely stored on the app's servers, with encryption and access control measures in place to prevent data leakage or unauthorized access.

3. Data usage stage: The app analyzes and processes user data to provide personalized recommendations and customized marketing strategies, while ensuring transparency in data processing activities and respect for user rights.

4. Data transmission stage: When interacting with third-party partners (such as logistics companies, mobile payment software, etc.), it is necessary to ensure the security of data transmission and clarify the responsibilities and obligations of data sharing through legal means such as contracts.

5. Data destruction stage: When a user cancels their account, in order to prevent data recovery and abuse, the enterprise needs to take effective measures to completely delete the data that is no longer needed and ensure that the destruction process complies with legal and regulatory requirements.

[Image 8]

Data mapping analysis: comprehensively examine and organize the processing activities of personal information from multiple perspectives

After sorting out the entire lifecycle of data, we have a clear understanding of each stage of enterprise data from creation to destruction. Now we need to translate this understanding into the specific steps of data processing and produce a detailed data inventory and an easy-to-understand data map.

At this stage, we need to achieve the following:

● Closely integrated with practical scenarios: Analyze the actual situation of personal information processing, including where it is collected, how it is stored and used, and how it is shared and deleted.

● Comprehensive research: From the collection to the deletion of personal information, we need a deep understanding of every step, including why this information is collected, what methods are used to process it, and how it is protected.

● Fully consider the relevant resources and stakeholders involved in the information processing process: it is necessary to consider which systems, tools, and stakeholders are involved in information processing, such as internal systems of the company, external service providers, cloud service providers, platform operators, etc.

● Special circumstances: The research should also consider special circumstances, such as system shutdown, system data consolidation, company merger or acquisition, etc.

Specifically, it can be listed in the following table:

[Image 9]

Figure 3: Source from GB/T39335-2020 "Guidelines for Personal Information Security Impact Assessment of Information Security Technologies"

When organizing and analyzing the results of data mapping, we need to:

● Classification of personal information processing activities: Personal information processing activities are classified into different categories based on factors such as the type of information, its sensitivity, where it is collected, and how it is processed.

● Detailed description of each category: Provide a detailed description of each type of personal information processing activity so that we can better understand and assess its potential risks.

Specifically, it can be listed in the following table:

[Image 10]

Figure 3: Source from GB/T39335-2020 "Guidelines for Personal Information Security Impact Assessment of Information Security Technologies"
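The data map and classification described above can be kept as structured records rather than a static table, so that gaps can be found mechanically. The following is an added Python example, not code from the original article or the firm's project; it models the B2C e-commerce scenario of Figures 1 and 2 and the shopping-app lifecycle stages, and all entity names, data items, sensitivity labels and legal bases are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample for the B2C scenario in the article. Entity names, data items,
# the SENSITIVE set and the recorded legal bases are assumptions for the example.
COMPANY = "B2C website"
SENSITIVE = {"phone", "payment_account"}


@dataclass
class Flow:
    stage: str          # collection / storage / use / transmission / destruction
    data_items: set
    source: str
    recipient: str
    purpose: str
    basis: str = ""     # contract, consent, etc. found in due diligence; "" = none recorded


FLOWS = [
    Flow("collection", {"name", "address", "phone"}, "customer", COMPANY, "orders", "consent"),
    Flow("storage", {"name", "address", "phone", "purchase_history"}, COMPANY, COMPANY, "records", "contract"),
    Flow("use", {"purchase_history"}, COMPANY, COMPANY, "recommendations", "consent"),
    Flow("transmission", {"name", "address", "phone"}, COMPANY, "third-party merchant", "shipping", "contract"),
    Flow("transmission", {"name", "address", "phone"}, "third-party merchant", "logistics company", "delivery"),
    Flow("transmission", {"payment_account"}, COMPANY, "mobile payment provider", "payment", "contract"),
]


def direction(flow, company=COMPANY):
    """Where the company sits in this flow, i.e. its role positioning in the chain of Figure 2."""
    if flow.source == company and flow.recipient == company:
        return "internal"
    if flow.recipient == company:
        return "inbound"
    if flow.source == company:
        return "outbound"
    return "downstream"   # company is neither party: an onward transfer of its customers' data


def inventory_by_stage(flows):
    """The data inventory: which personal information items appear at each lifecycle stage."""
    table = {}
    for f in flows:
        table.setdefault(f.stage, set()).update(f.data_items)
    return {stage: sorted(items) for stage, items in table.items()}


def gaps(flows, company=COMPANY):
    """Findings a reviewer raises from the map: sharing with no recorded basis, onward
    transfers the company is not party to, and collected items with no deletion path."""
    findings = []
    for f in flows:
        d = direction(f, company)
        if d in ("outbound", "downstream") and not f.basis:
            findings.append(("NO_BASIS", f.source, f.recipient))
        if d == "downstream":
            findings.append(("ONWARD_TRANSFER", f.source, f.recipient))
    collected = set().union(*(f.data_items for f in flows if f.stage == "collection"))
    destroyed = set().union(*(f.data_items for f in flows if f.stage == "destruction"))
    for item in sorted(collected - destroyed):
        findings.append(("NO_DELETION", item))
    return findings
```

With the sample map, `gaps(FLOWS)` flags the merchant-to-logistics hop (no contract recorded and the company is not a party) and the absence of any destruction stage for the collected name, address and phone, which is exactly the account-cancellation deletion obligation the lifecycle list above calls for.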

To be continued
