5 minute read 20 May 2022

Effective data governance and data security are prerequisites for fostering economic integration within the Greater Bay Area (GBA) and across the three cross-strait regions.

Technology and Data Connect: Digitization opportunities, security challenges and response strategies

By EY Greater China

Multidisciplinary professional services organization

Three challenges:

  • Different legal systems in Guangdong, Hong Kong and Macau create greater compliance challenges for enterprises
  • The current capability to comply is insufficient to cope with security challenges
  • Different internet, technical and security standards and user habits in Guangdong, Hong Kong and Macau make security safeguards more difficult

China’s State Council formulated the Outline Development Plan for the Guangdong-Hong Kong-Macau Greater Bay Area (“Development Plan”), which states that by 2035 the GBA should become an economic system whose mode of development is mainly supported by innovation. In line with this plan, which takes digital as the development engine, the GBA has gradually laid down requirements for developing data governance and security, together with the related implementation initiatives. These provide strong support for accelerating the flow of data between governments and enterprises, among enterprises, and across borders. However, while enterprises enjoy this convenience in the GBA, they also face greater challenges.

First challenge

From a legal perspective, the GBA comprises three different jurisdictions, each of which has its own laws and regulations on cybersecurity, privacy protection and cross-border data transfer. There are both similarities and differences among them. Enterprises in the GBA therefore face constant data security compliance challenges.

Privacy protection

  • Organizations need to integrate the provisions of the three jurisdictions to build a unified system for collecting, using and processing personal information.
  • Develop privacy policies and statements applicable to all three jurisdictions and modify them based on regulatory differences and scopes of services.

Cross-border data

  • Establish standard contract terms for cross-border data flow, define the responsibilities, rights and obligations of senders and recipients, and develop relevant protection measures.
  • Engage an independent third party to obtain data protection certification.
  • Be clear about the laws and regulations on cross-border data flow and maintain close relationships with the competent authorities.
  • Sort out the data derived from operations and the cross-border scenarios that may be involved.
  • Establish a cross-border data transmission mechanism within the organization.
  • Improve the internal control system for data security and conduct self-assessments.

Second challenge

In this conflicting and complicated legal environment, many enterprises lack sufficient compliance capability. The capabilities in question include security compliance culture, organizational structure, human resources, the compliance management framework and execution mechanism, and cybersecurity and privacy compliance capability.

Organizations need to build up security management capacity to prevent and resolve security threats, while also considering compliance capability.

Data security management

  • Identify important data within the organization and standardize the formats for important data description.
  • Develop classification and grading standards, and build differentiated management requirements and a technology-based protection strategy.
  • Evaluate security capability and establish a data security management system to sustain standardized management of the data lifecycle.

Cybersecurity management

  • Develop an organization-wide security management system.
  • Establish a compliance training mechanism for all employees and build an effective performance assessment mechanism.
  • Establish processes and mechanisms for reporting non-compliance and security breaches and ensure the mechanisms operate smoothly while processes are optimized and improved on an ongoing basis.

Third challenge

Internet and other conditions differ across Guangdong, Hong Kong and Macau. Enterprises exposed to these complicated internet conditions find it challenging to protect their information assets.

Enterprises should enhance security protection and establish a good foundation for network resilience. As the most practical security standard, the grade-based security protection system can help organizations improve their security capability and demonstrate to regulators that their operations meet China’s security obligations no matter where they are within the region. Apart from the grade-based security protection system 2.0, organizations can also refer to relevant international standards, according to their specific situations, to build a good foundation for network resilience and establish a security-oriented proactive defense and perception mechanism.

Summary

Only with early planning and thoughtful considerations can organizations achieve sustainable growth while enjoying favorable policies.
