Data compliance in domestic listings

By Wang Yan and Fu Mengyang, Grandway Law Offices 

With the rapid development of technology, the scale of data processed by enterprises has been growing exponentially. Consequently, data compliance has garnered increasing attention from audit departments during the assessment of domestic listings. This article discusses data compliance practices within the context of enterprise listings in the domestic markets.

Stricter compliance audit

In the current domestic listing audit, there has been a significant increase in the frequency and depth of data compliance questions, mainly because:

(1) For enterprises with business that heavily involves data processing, questions on data compliance run through the whole process of the audit.


(2) With gradual improvements in legislation, the laws and regulations corresponding to audit questions have been gradually extended from the Civil Code, the Data Security Law and the Personal Information Protection Law to departmental regulations, normative documents and industry standards. In the case of Mucang Technology, the audit department required the issuer to analyse the compliance of the relevant business practices against the regulations in the Provisions on the Administration of Internet Information Service Algorithmic Recommendation and the Notice on Launching Further Special Rectification Campaign on the Infringement of User Rights and Interests by Apps and other provisions, in addition to the above-mentioned laws.

(3) A comprehensive audit of an issuer’s data compliance covers all aspects of the collection, storage, use, processing, transmission, provision and disclosure of personal information. In some cases, the audit department may have already conducted targeted questioning in conjunction with the issuer’s business model.

Companies that fail to handle data compliance matters in a standardised manner will face varying degrees of legal obstacles in the listing process.

Typical compliance issues

Companies to be listed often encounter several typical problems in data compliance.

Limited understanding of the boundaries. Some companies still mistakenly believe that data compliance only applies to specific industries. They assume that, if their business does not involve online tools like apps or mini-programs, they are exempt from data regulations.

However, after the enactment of laws such as the Personal Information Protection Law and the Data Security Law, it is evident that personal information refers to information recorded electronically or by other means relating to identified or identifiable individuals, and data refers to any record of information electronically or by other means.


Handling personal information and data includes collection, storage, use, processing, transmission, provision, disclosure and deletion. Even if companies collect data and personal information through offline forms or solely use and process third-party data, they are still engaged in data processing activities.

For instance, in the case of Shanghai Union Networks and Information, the audit department scrutinised the issuer’s offline collection and packaging of paper medical records, while in the case of Dataway, the audit department requested additional disclosure from the issuer regarding measures taken to ensure the reliability and effectiveness of externally procured data.

Insufficient understanding of data compliance subjects and the boundaries of acceptable behaviour leads to blind spots in data compliance for some companies, potentially impacting the compliance assessment during the listing process.

Lack of systematic organisation. Under the existing legal framework and regulatory requirements, data processing involves numerous links and rich connotations that demand a high level of control from enterprises themselves.

However, since data compliance does not directly generate productivity, some enterprises lack a systematic approach to ensuring data compliance, resulting in excessive collection of personal information, misleading users into downloading, non-compliant acquisition of personal information through software development kits, unauthorised sharing of data and personal information with third parties, and failure to comply with proper reporting procedures for data export. These issues pose legal obstacles to enterprises’ listing.

Superficial implementation of data compliance internal controls. Taking a project observed by the authors as an example, a company primarily engaged in providing outsourcing services to a large-scale internet platform handled a significant amount of user personal information collected by the platform in the course of its business operations.

Within their internal control system, the company explicitly outlined the requirement that “no more than three authorised personnel should have access to customer data and, without the approval of department heads, other employees are prohibited from accessing or copying user data, with access activities being recorded…”

However, in practice, due to a superficial implementation of the system, an employee illicitly copied a large quantity of personal information and sold it for personal gain. This action led to the immediate termination of the company’s business partnership with the internet platform.

Compliance recommendations

Data compliance is an ongoing, systematic and dynamic endeavour for enterprises. In the context of preparing for the listing process, the authors suggest the following:

(1) Enterprises should foster a proper understanding of data compliance and establish effective collaboration between the company, external institutions and various internal departments. This collaborative effort should result in the development of tailored data internal control systems that align with regulatory requirements and operational needs and are feasible to implement. Such systems will effectively mitigate data compliance risks.

(2) Companies to be listed should promptly undergo a thorough due diligence investigation by external institutions. This process helps confirm that the company possesses the necessary qualifications for handling data and information. Any compliance issues should be promptly addressed and rectified, with a strong emphasis on maintaining a clear trail of evidence. This proactive approach ensures that the company can provide ample evidence and present well-defined conclusions when responding to audits and verifications by intermediary agencies and during the listing process.

(3) During the listing audit process, seeking third-party evidential support for corporate data compliance is advisable. For instance, in the case of Shanghai Union Networks and Information, the issuer engaged a qualified third-party organisation to conduct assessments and offer conclusive opinions on the data protection measures implemented in the company’s products and services. Similarly, in the case of Ririshun, the company obtained compliance certificates issued by municipal authorities, verifying adherence to regulations concerning personal information protection and other relevant areas during the reporting period. These measures significantly bolstered the company’s listing audit by providing robust evidence of compliance.

Wang Yan is a partner and Fu Mengyang is an associate at Grandway Law Offices
