When data flow rapidly through a large organisation, risks arise with them. With increasingly active data-related legislation and regulatory supervision, and with the advance of digital transformation across industries, data compliance is a growing priority for large enterprises. Compared with traditional compliance fields, however, data compliance raises many new issues, mainly arising from new technologies and business models. In providing data compliance services to large enterprises, we have encountered many challenges, some of which are unique to the market in China.
The first challenge in data compliance is that information is not synchronised between the multiple business units within a company.
In most large companies, several departments are involved in collecting and using data, including at least marketing, procurement, IT, human resources, customer service and compliance. Large companies in industries such as healthcare and education may also have separate departments in charge of communicating with doctors, teachers or other professionals.
Some companies also set up cross-departmental organisations to lead digital transformation. For data compliance, it is necessary to establish the "what" and the "why" before proposing the "how". However, because data processing activities are highly technical, many departments may be handling data at once.
Since each department sees only its own scenarios, it has limited knowledge of the whole picture of data activities. For example, the department that uses the data may not know where the data came from, and the department responsible for collecting the data may not know whether it will be used for other purposes. In this context, data mapping has gradually become the prerequisite for advancing data compliance in large enterprises. Through data mapping, a company can distinguish the data practices that need improvement and adjustment from those that cannot be changed under the current business model.
A second challenge for data compliance in large companies is breaking down compliance obligations and embedding them in management processes.
Data-related rules in China are currently very complex. They take the form of laws, statutes, regulations, normative documents and national standards, and some of these rules are frequently cited by regulators in enforcement activities.
In addition, a large number of judicial cases and incidents that attract public attention can give rise to further rules that deserve attention from a compliance perspective. For large companies, breaking down so many multi-layered rules and embedding them in internal policies, standard operating procedures or other management documents is a difficult task.
It should also be borne in mind that laws and regulations keep changing, along with the risks they address. For example, facial recognition and software development kits have become important regulatory concerns, and relevant rules have been introduced one after another.
Sorting out these rules may be less difficult than matching them to a company's internal policies and procedures. Some multinational companies have complex organisational structures, and it may not be feasible to make major adjustments to current policies for every slight change in data protection rules.
The last challenge in data compliance is determining the priority of each compliance system.
The laws and regulations on personal information and data security impose many specific institutional requirements on enterprises, such as data security risk assessments, personal information protection officers and personal information disclosure notifications.
When these are combined with the features of a particular industry, the requirements have to be refined into specific processes, such as for employee personal information protection, biometric information protection and digital marketing data protection. Where company resources are limited, the order in which each system is built can affect the outcome of compliance. A bad choice of priorities can impede compliance and create confusion within the company.
In addition to the difficulties above, data compliance in large companies may involve differing, or even conflicting, requirements under domestic and foreign rules, differing enforcement requirements of central and local regulators, and numerous suppliers with varying levels of data security.
Even so, the degree of difficulty can be considerably reduced if the causes are fully recognised. The most important part of compliance is still identifying and managing the risks that arise in an organisation, and the worst situation is one in which there is no overall understanding of how risks arise and spread.
Data compliance is a new field in China, but it has operated for many years in other countries, and a great deal of experience has accumulated. At the same time, other compliance practices, such as anti-corruption and antitrust compliance, can be a useful reference for data compliance work.
Many large multinational companies, especially those headquartered in Europe, have been through GDPR (General Data Protection Regulation) compliance and have developed methodologies and compliance tools that may be very instructive in addressing the difficulties described above. Of course, given the richness of China's digital economy and the different emphases of its regulatory requirements, the applicable methodologies and tools will also need to be carefully scrutinised.
Raymond Wang is a senior partner at Anli Partners. He can be contacted on +86 150 1047 1897 or by email at firstname.lastname@example.org
Alex Luo is a senior partner at Anli Partners. He can be contacted on +86 131 2676 4504 or by email at email@example.com