Corporate compliance series | Part 2: Personal Information and Data Protection Compliance
In this article, we continue the overview of the different types and aspects of corporate compliance. In our previous article, we discussed intellectual property compliance and the steps a company should take to start implementing it.
Topic and guest introduction
In China, e-commerce shopping festivals have already become part of our lives, and shopping online is very common. That is one reason for the rise of e-commerce platforms and apps, which nowadays tend to collect and analyze as much personal information about users as possible in order to build accurate user profiles and a low-cost, highly accurate database of user groups, and so obtain considerable commercial returns. At the same time, ensuring that all personal information collected through platforms, apps or other network channels is collected lawfully has become a headache for these companies.
With the rapid development of Internet technology, the unprecedented ease of information exchange, and the resulting threat to personal information security, handling citizens’ personal information legally and compliantly while still making the most of it has become a challenge every Internet enterprise must overcome.
To help you avoid risks connected to personal information and data protection, in this part we continue our interview with Ms. Li from AllBright and discuss the importance of personal information and data protection and the steps needed to integrate it within the organization.
Personal Information and Data Protection Compliance
SONG: Ms. Li, thank you for joining us today. Could you please tell us what the main problems usually are in the area of handling personal information, and what the consequences could be for not treating the personal information of users in the right way?
Ms. Li: In the process of carrying out business activities through the Internet, enterprises may not be able to get around the collection and management of customer information, user profiling, Wi-Fi probes, license plate recognition, active wireless Bluetooth monitoring and other activities, and these activities are closely related to the personal rights associated with personal information.
If the enterprise uses personal information without customer consent, if personal information records contain errors, or if users’ personal information is leaked or used for improper marketing, this can cause issues in the following areas:
- civil matters, such as contract disputes, unfair competition disputes, personal rights infringement disputes, etc.;
- administrative penalties, involving administrative liability for illegal use of personal information;
- criminal penalties, involving crimes of infringement of citizens’ personal information, infringement of copyright, fraud, illegal business crimes, and refusal to fulfill network security management obligations.
Solutions
SONG: Thank you for the overview. What would you say should be done to avoid this situation and mitigate the risks?
Ms. Li: I would suggest starting from the following steps:
1. Enhance overall data compliance
Enterprise data compliance can be divided into two parts: internal and external.
In terms of internal compliance, enterprises need to establish internal compliance mechanisms and clarify specific positions and their responsibilities under the collection, processing, transmission, sharing, storage, and destruction of personal information involved in the operation of the enterprise, as well as the corresponding personnel, to effectively resist external risks.
In terms of external compliance, enterprises should formulate complete user agreements and privacy policies according to the specific application scenarios of the information they collect. In terms of content, the user agreement should explain the rules of use of the information collected by the enterprise and clarify the rights and responsibilities between the operator and the user. The privacy policy needs to clarify the entire process from collection to use, storage, sharing, and exit of users’ personal information, and also protect the exercise of users’ rights to access, correct, and delete. In terms of form, it is necessary to ensure that the user agreement and privacy policy are written independently, that the user is prompted to read them in a prominent way (pop-up windows, embedded links, etc.) when the user first uses/opens the product, and that the user’s authorized consent to the user agreement and privacy policy is obtained through clickable consent, checkbox settings, etc.
2. Focus on inventorying enterprise data assets
Companies should strengthen the distinction between personal information and non-personal information, and consciously classify industry data and special sensitive data types. For example, the collection of sensitive personal information requires the user’s explicit consent, while general personal information can be collected with implied consent; the relevant privacy policy provisions and authorization buttons should be set up in accordance with this distinction.
3. Improve data isolation and sharing mechanisms
Companies should focus on the issue of sharing data with their partners. If personal information is involved, consent should be obtained and the personal information subject should be informed of the purpose of sharing and transferring the personal information, the type of data received and the possible consequences; otherwise the corresponding legal consequences are more serious, i.e., the company bears responsibility for personal information security incidents caused by third parties. Companies that rush into business and sign agreements without fully understanding network security and data compliance issues are very likely to cross the red line of legal responsibility.
4. Organize regular internal training sessions based on legal and regulatory guidelines
In recent years, there have been numerous laws and regulations on personal information protection, such as 《Cybersecurity Law》,《GB/T 35273-2020 Information security technology—Personal information security specification》,《Network Security Practice Guide—Required Information Specification for Basic Business Functions of Mobile Internet Applications》,《APP methods for determining the collection and use of personal information in violation of laws and regulations》,《Information Security Technology Mobile Internet Application (APP) Basic Rules for Collecting Personal Information (Draft for Comment)》, 《Comments Sought on the Personal Information Protection Law (Draft) 》and others.
All of the above laws and regulations are intended to bring the protection of citizens’ personal information into the rule of law and therefore serve as a guiding light for enterprises in terms of personal information compliance. Training sessions on the above-mentioned laws and regulations can be organized regularly within the enterprise to grasp and understand the ways and means of information compliance from the source and to assume the responsibility of protecting personal information in the enterprise.
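Steps 2 and 3 above describe a concrete control: classify each field as general or sensitive, require explicit consent for sensitive fields and accept implied consent (acceptance of the privacy policy) for general ones, and allow sharing with a partner only if the user has consented to and been informed of that specific sharing. The following Python is an added illustration of such a consent gate; it is not code from the article, from AllBright or from any regulation. The field catalog, the partner names and the consent records are constructed sample data, and the `ConsentRecord` shape is an assumption about how an enterprise might store the authorizations it collects.

```python
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    GENERAL = "general"      # may be collected with implied consent
    SENSITIVE = "sensitive"  # requires the user's explicit consent


# Constructed data inventory (assumption): in practice this table is the
# output of the enterprise's own data-asset review (step 2).
FIELD_CATALOG = {
    "nickname": Category.GENERAL,
    "device_model": Category.GENERAL,
    "id_number": Category.SENSITIVE,
    "precise_location": Category.SENSITIVE,
    "biometric": Category.SENSITIVE,
}


@dataclass
class ConsentRecord:
    """Hypothetical record of what one user has authorized."""
    user_id: str
    explicit_fields: set          # fields the user ticked/clicked individually
    accepted_policy: bool         # accepted the privacy policy -> implied consent for general data
    # partner name -> {"purpose": str, "fields": set, "notified": bool}
    sharing: dict = field(default_factory=dict)


def check_collection(consent, fields):
    """Return the list of violations for collecting `fields` from this user.

    An empty list means the collection is allowed under the recorded consent.
    """
    violations = []
    for f in fields:
        cat = FIELD_CATALOG.get(f)
        if cat is None:
            # Unknown field: it was never inventoried, so it has no consent rule.
            violations.append(f"{f}: not in data inventory")
        elif cat is Category.SENSITIVE and f not in consent.explicit_fields:
            violations.append(f"{f}: sensitive, explicit consent missing")
        elif cat is Category.GENERAL and not (consent.accepted_policy or f in consent.explicit_fields):
            violations.append(f"{f}: no consent")
    return violations


def check_sharing(consent, partner, fields):
    """Return violations for transferring `fields` to `partner` (step 3).

    Sharing requires: the fields could lawfully be collected at all, the user
    consented to this partner, was told the purpose, and each shared field is
    covered by that specific authorization.
    """
    violations = list(check_collection(consent, fields))
    grant = consent.sharing.get(partner)
    if grant is None:
        violations.append(f"{partner}: no sharing consent from user")
        return violations
    if not grant.get("notified"):
        violations.append(f"{partner}: user not informed of purpose and recipient")
    if not grant.get("purpose"):
        violations.append(f"{partner}: sharing purpose not recorded")
    for f in fields:
        if f not in grant.get("fields", set()):
            violations.append(f"{f}: not covered by sharing consent for {partner}")
    return violations


def sample_consent():
    """Constructed sample: user accepted the policy, explicitly allowed
    precise_location, and agreed to share two fields with a delivery partner."""
    return ConsentRecord(
        user_id="user-001",
        explicit_fields={"precise_location"},
        accepted_policy=True,
        sharing={
            "logistics_partner": {
                "purpose": "parcel delivery",
                "fields": {"nickname", "precise_location"},
                "notified": True,
            }
        },
    )


if __name__ == "__main__":
    c = sample_consent()
    print(check_collection(c, ["nickname", "precise_location"]))   # []
    print(check_collection(c, ["id_number"]))                      # explicit consent missing
    print(check_sharing(c, "logistics_partner", ["nickname", "precise_location"]))  # []
    print(check_sharing(c, "ad_network", ["nickname"]))            # no sharing consent
```

The gate is deliberately fail-closed: a field missing from the inventory, a partner missing from the user's sharing grants, or a grant without a recorded purpose or notification all produce a violation rather than a silent allow, which is the behaviour an auditor would expect from the classification-plus-consent rule described above.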
SONG: Thank you Ms. Li for your suggestions and input.
In the next part, we will discuss employment compliance. If you have any questions or would like to learn more, feel free to contact us.