cancel
Clear records
history record
Clear records
history record
Establish a dedicated data compliance management department, clearly define its responsibilities, or integrate data compliance management functions into the existing corporate compliance management system. It is not recommended for the legal department to perform compliance management functions.
Example: In the field of data compliance, there are professional qualifications and certifications such as CIPP, CIPM, and CIPT. When forming a data compliance team, companies can consider hiring qualified personnel to enhance the team's professionalism.
Develop and continuously improve data compliance plans.
Example: Data compliance plans should be developed based on various factors such as the company's business scope, industry characteristics, regulatory policies, and risk identification, and should be continuously adjusted based on changes in the internal and external environment of the company.
Chapter 2: Data Risk Identification
Recommendations for companies:
Accurately identify data risks.
Example: Common data risks include unauthorized access, data misuse, data leaks, and other risks that exist throughout the data lifecycle. It also includes criminal risks such as infringement of personal information, illegal acquisition of computer information system data, dissemination of illegal information, infringement of intellectual property rights, and illegal cross-border data provision.
Standardize the use of third-party software development toolkits.
Example: When using third-party software development toolkits, the data security responsibilities and obligations of the third party should be clearly defined through contracts or other means. Use open-source software development toolkits that have been reviewed and verified for compliance by relevant departments for program development activities.
Chapter 3: Data Risk Assessment and Disposal
Recommendations for companies:
Establish a data risk assessment mechanism.
Example: Based on the identification of data risks, companies should analyze and assess the sources of data risks, the likelihood of their occurrence, the severity of their consequences, etc. Data risks should be classified, and different levels of management and employees should be alerted to the risks, aiming to achieve proactive prevention.
Establish a sound data security incident emergency plan and risk disposal mechanism.
Example: In the event of data leaks, unauthorized modifications, loss of personal information, etc., data handlers should take immediate remedial measures and notify the local data regulatory authorities. If the security incident involves suspected criminal activities, it should be promptly reported to the public security organs.
Establish convenient channels for data security complaints and reports.
Example: Allow employees to report data compliance violations through the internal system, either anonymously or with their real names. Strictly protect the identities of the reporters, both real name and anonymous, from retaliation and reprisals, especially safeguarding the personal information of anonymous reporters. This measure can mobilize employees to participate in the supervision of data compliance and minimize loopholes and blind spots in self-supervision by the company.
Operation and safeguarding of data compliance.
a) Establish a consultation mechanism for data compliance.
Example: Managers and employees from various departments can consult the data compliance management department on data compliance issues. The data compliance management department should continuously learn and improve its compliance management level and can collaborate with external organizations for data compliance consultations.
b) Establish a detection mechanism.
Example: Employ daily process monitoring, internal audits, targeted inspections, and regular reviews to detect violations by the company and employees. Take timely measures for disposition according to the compliance plan. The data compliance management department should regularly report the data compliance management status to the compliance officer. When significant data compliance risks occur due to violations, it should be promptly reported to the compliance officer along with corresponding solutions.
c) Establish an assessment mechanism.
Example: The results of data compliance assessments serve as important criteria for performance evaluations, employee recognition, job appointments and promotions, and salary benefits.
d) Establish a training mechanism.
Example: The data compliance management department should regularly provide training on data compliance for managers and employees, ensuring they have a comprehensive understanding of data regulations, data compliance plans, and their role and responsibilities. Encourage company management and other employees to make explicit and public commitments to data compliance, which mainly involve awareness and willingness to comply with the data compliance plan and accept the consequences of violating data compliance commitments.
The "Guidelines" also provide specific warnings about data criminal risks. Data handlers may face criminal liability for certain behaviors during data processing activities, including crimes such as infringement of citizens' personal information, destruction of computer information systems, and illegal intrusion into computer information systems.
For more details on the "Enterprise Data Compliance Guidelines," you can click on the original link to view: www.shyangpu.jcy.gov.cn/ypjc/jcdt/79471.jhtml
Related News