With the rapid growth of the digital economy and significant attention from investors, effective legal due diligence is crucial in data sector decisions.

Unlike traditional sectors, investments in the data field require a keen focus on four interconnected aspects: business, data, applications, and technology. These elements play a pivotal role in determining an enterprise’s potential for robust development, as well as its overall investment value and associated risks.

Within the context of legal due diligence in the data sector, it is essential to investigate five primary areas of concern: data sources, data content, data storage, data processing procedures, and entities with access to the data. This will expose the following common legal risks.

Data sources

With implementation of the Data Security Law, Personal Information Protection Law and other regulations, the responsibility of enterprises to legally collect, use and store data has been significantly increased.

Failing to demonstrate the lawful collection and use of data could potentially have a substantial impact on an enterprise’s critical products or hinder its ongoing operations, financing, listing and trading activities. Consequently, it is crucial to thoroughly investigate the origins of the enterprise’s data and express opinions on its legal compliance.

Bai Yusi, W&H Law Firm
Tel: +86 133 0111 0217
E-mail: baiyusi@weihenglaw.com

When dealing with the collection of personal information, it is essential to obtain legal and valid authorisation from individuals based on a full disclosure obligation of the company, adhering to the provisions of the Personal Information Protection Law.

A more meticulous examination is needed for sensitive categories like biometric data, medical records, financial accounts, tracking data, and personal information of minors under 14 years of age.

Besides personal information, if an enterprise has crawled data through open channels, attention must be given to whether there has been any intrusion into or unlawful control of other computer information systems, and to whether the data acquisition procedures are lawful.

In cases where data is purchased, a rigorous investigation should be carried out on the data content, including a thorough examination of relevant agreements, to assess its legality and compliance.

In instances where data is generated from the enterprise itself during production and operational processes, evaluation criteria should encompass construction and maintenance system logs, the number and operation status of intelligent devices, sensors, and the average daily collection scale.

Data classification, control

The Data Security Law stipulates the establishment of a data classification system and the implementation of appropriate technical measures and other necessary actions to ensure data security.

This not only constitutes a crucial data compliance obligation for enterprises, but also serves as a methodology for achieving both security and economic benefits. Treating all data, regardless of its importance, with the same level of protection may lead to inadequate security for sensitive information and excessive protection for ordinary data.

To foster a win-win for enterprise growth and data security, develop a compliant and rational data classification system that applies distinct control measures, considering different business contexts and data, while factoring in development and cost considerations. Whether the investee company has a classification system and corresponding control measures will have an impact on the transaction plan, progress and valuation, and should be the focus of legal due diligence.

At the heart of data security lies resource access control, protecting against tampering and leaks. This section requires an investigation into the enterprise’s identity, access management procedures, and technology-based or other control measures related to I+AAA (identification + authentication, authorisation and accountability), including scrutinising the nature of the identification used, the security of information release processes, archival practices, the adoption of two-factor or three-factor authentication, the legality and compliance of identity management techniques, and access rules, authorisation and accountability mechanisms.

Management and operation

The Data Security Law necessitates that relevant enterprises uphold compliance obligations throughout the data lifecycle, ensuring effective data protection and lawful utilisation while guaranteeing a continual state of security. In investment and financing business, all parties should focus on the following key aspects of enterprise data management and operation:

  • Regarding data management: the enterprise’s data security organisational structure, responsibility mechanism, and reporting mechanism; the security strategy, standards, baselines, guidelines, procedures and other security-related documents, along with the corresponding management processes; the security awareness promotion and training for employees of enterprises, and personnel management mechanisms such as duty segregation, job rotation, mandatory vacations, and personnel departure management; the co-operation mechanisms and the current status of rights and responsibilities between the enterprise and its major IT suppliers; the enterprise’s response mechanisms for security incidents and accidents; the business continuity planning; and previous audit results.
  • Regarding data operation: the law mandates attention to compliance and security at various stages encompassing data collection, storage, use, processing, transmission, provision, disclosure and destruction. In the investigation process, lawyers must scrutinise the status of data at rest, data in motion, and data in use without overlooking any detail, ensuring that media used for storing sensitive data are encrypted, data transmission is securely encrypted, interventions are authenticated, and relevant records are retained (for example, cloud providers must obtain authorisation from cloud tenants before uploading, accessing or using their business data and key data). Measures such as demagnetisation, media destruction, and encryption of application data stored in the cloud should be adopted based on specific circumstances. Focus should be given to investigating the enterprise’s network, business, and content monitoring and warning capabilities both presently and over a specified time period in the past.

Bai Yusi is a partner at W&H Law Firm. She can be contacted at +86 133 0111 0217 or by e-mail at baiyusi@weihenglaw.com

W&H Law Firm

16F, Tower A
China Technology Trading Building
66 North Fourth Ring West Road
Haidian District, Beijing 100190, China

Tel: +86 10 6268 4688