
The personal information protection law was formally reviewed and passed. What issues should enterprises pay attention to?

2022-06-24 05:05:00 Tencent security

On August 20, the Personal Information Protection Law of the People's Republic of China (hereinafter the "Personal Information Protection Law") was passed by formal vote and will take effect on November 1, 2021. The law makes clear provisions on a number of information security issues of general concern to the industry and is a milestone in the development of national network security. From the recently hotly debated Data Security Law to the Personal Information Protection Law, the introduction of this series of laws means that the digital economy has bid farewell to the "extensive" management model of the past and entered a stage of standardized, fine-grained operation.

Against this background, we invited Zhang Yaojiang, founder of Anzhe New Media, Wang Jianxia, deputy director of Deloitte Risk Advisory, and Liu Haiyang, data security expert at Tencent Security Yunding Lab, to interpret and discuss the issues in the Personal Information Protection Law that Chinese enterprises should focus on, as a reference for enterprises.

Q1: Overall, what is the significance of the introduction of the Personal Information Protection Law for the development of the network security industry?

Wang Jianxia: I think it can be viewed mainly from five aspects.

1. Legal significance

For a long time, China lacked dedicated legislation for personal information protection. The introduction of the Personal Information Protection Law is very good news for network security practitioners: we finally have a standardized and mandatory legal basis for our daily work.

2. International significance

In the past, enterprise compliance was based on the EU GDPR standards and guidelines. The introduction of the Personal Information Protection Law can greatly enhance the recognition of, and confidence in, China's personal information protection internationally.

3. Significance for enterprises

The Personal Information Protection Law comes into force on November 1, so enterprises need to self-inspect whether their business is compliant; if there are risks, they need to be remedied as soon as possible before November. Relatively speaking, large enterprises have more business data and more complex business types, so their risk will be greater.

4. Cross-border protection of personal information

Whether Chinese enterprises go abroad or foreign enterprises enter China, the Personal Information Protection Law will put forward relatively clear requirements for critical information infrastructure enterprises.

5. Establishment of an organizational structure for personal information protection

In addition to compliance, the Personal Information Protection Law will also affect enterprises' digital business. Therefore, if enterprises carry out product and business construction on the premise of the Personal Information Protection Law, this can, in the long term, effectively enhance their competitiveness across the whole industry.

Liu Haiyang: Building on what Wang Jianxia shared, I would like to add the following three aspects:

1. Restrictions on data services provided by overseas enterprises

When problems of personal information and liability arise in services provided by overseas institutions, cross-border communication is required, which is very inefficient. After the Personal Information Protection Law takes effect, an overseas enterprise providing services in China must establish a relevant institution or designate a representative, so relevant issues can be negotiated within the territory. This is very helpful for protecting data rights.

2. Reciprocal measures

Where a country or region adopts discriminatory prohibitions, restrictions or other similar measures against China, measures can be taken against that country or region according to the actual situation.

3. Clarifying individual rights and obligations

The Personal Information Protection Law clarifies the data rights of natural persons and at the same time sets out the obligations that personal information processors must undertake. The responsibilities of the relevant parties are further clarified.

From a positive point of view, the Personal Information Protection Law is certainly a "positive signal" for data security practitioners. The field of data security has lacked a standard evaluation system; after the promulgation of this law, I believe a data security evaluation system will also be built in the near future.

Q2: Compared with the second review draft, what changes were made in the third draft? Where are the main controversies?

Wang Jianxia: (As of this salon) the full text of the Personal Information Protection Law has not been officially released. According to the recent explanation by Mr. Zang Tiewei of the Standing Committee of the National People's Congress, (as far as we can tell indirectly) the content of the third draft was mainly adjusted in the following aspects.

1. Added the clause "this law is enacted in accordance with the Constitution". This clause directly raises the legal status of the law.

2. Made a clear response to social hot-button issues such as excessive collection of personal data by apps and big-data-based price discrimination against regular customers.

3. Treated the information of minors under 14 years of age as sensitive information.

4. Improved the rules for cross-border provision of personal data.

5. Added provisions on the "portability" of personal data.

Before this, China had made some explorations, such as the Ministry of Industry and Information Technology's "number portability" service in 2019, and the Personal Information Security Specification, which sets out the right of individuals to obtain copies of their information and to have the information transmitted to a third party where technically feasible.

6. Clarified the working mechanism for complaints and reports concerning personal information protection.

7. Clarified the definition of "automated decision-making": enterprises may not refuse to provide products or services on the grounds that an individual disagrees, must explain the specific logic of the decision to users, and users have the right to reject decisions made through automated decision-making.

Q3: Many people say the Personal Information Protection Law is one of the most stringent data security laws in history. Where is this "strictness" embodied?

Wang Jianxia: When the EU GDPR took effect, there were also various statements on the Internet calling it "the strictest in history". In our view, the Personal Information Protection Law is stricter than GDPR in some places and slightly looser in others.

1. From the perspective of the legal provisions

Although it has not yet been implemented, the characteristics of Chinese law already show that the Personal Information Protection Law is harsh: violators will be subject to public security administrative punishment according to law, and serious cases will be investigated for criminal liability. The maximum fine is 50 million, or 5% of the previous year's turnover, while the EU GDPR's two tiers are 2% and 4%. Whether in terms of fines or personal accountability, the Personal Information Protection Law is relatively harsh.

In terms of the enterprise's role, the Personal Information Protection Law speaks only of "enterprises as personal information processors", whereas the EU GDPR provides for "enterprises as data controllers and processors", and the obligations of the controller are greater than those of the processor. The processor under the Personal Information Protection Law is equivalent to the GDPR controller.

2. From the perspective of law enforcement

The Personal Information Protection Law takes effect in November. At present there are many campaigns, such as the "Net" action, that check whether apps have violations related to data collection and use. Previously, when we analyzed EU enforcement cases, we found that for an individual to sue a business under GDPR, the intermediate process is complicated. Compared from this point of view, the intensity of China's law enforcement will be higher.

Liu Haiyang: The Personal Information Protection Law clearly states the obligations that "personal information processors" must perform. They can be summarized into nine items, including the obligation to ensure the security of personal information, to notify in a timely manner when incidents occur, to actively delete, to audit periodically, to assess in advance, and to guarantee the exercise of individuals' rights, among other provisions. These are the obligations of personal information processors.

In the Personal Information Protection Law there are seven scenarios in which a personal information processor must obtain the user's authorization. In these seven scenarios, the user's consent must be obtained; otherwise, it is illegal for an enterprise to carry out the processing. The Personal Information Protection Law also has eight scenarios that require the personal information processor to inform the user. The workload of working through these "seven consents" and "eight notifications" while combing through the business is extremely large.

Q4: How does the Personal Information Protection Law stipulate the responsibility of the enterprise as a subject?

Liu Haiyang: It differs according to institutional characteristics: some enterprises ask a third party to be responsible, and in some the IT staff are responsible. From the Personal Information Protection Law it can be seen that the division of responsibility follows "whoever processes is responsible". If an enterprise entrusts data and personal information to a third party, the enterprise must bear the responsibility of supervision. According to state regulations, when personal information reaches a certain volume, a person in charge must be appointed to exercise supervision and to help the national departments performing personal information protection duties implement supervision.

When enterprises carry out personal information protection, I have summarized five principles to follow, for your reference:

1. Principle of good faith

Do not obtain information by inducement or fraud.

2. Minimum scope

If you can do without it, better not to collect it. Information in hand is wealth, but taking too much may be a burden; collect only what meets the business needs.

3. Openness and transparency

Whether doing big data analysis, decision support or marketing, try to be open and transparent; the enterprise's decisions on data can be made transparent through the media or the official website.

4. Accuracy and timeliness

Information and data are not simply taken over and then forgotten; they should be updated regularly to ensure their accuracy and integrity.

5. Minimum retention time

After the information has been collected and processed, it should be actively deleted promptly.

Q5: Which internal businesses and departments of an enterprise are closely linked to the Personal Information Protection Law? How should they deal with it?

Wang Jianxia: Overall, personal information is related to most of an enterprise's business lines, including HR, marketing, after-sales and so on. Enterprises first need to sort out their basic personal data and analyze information types and application scenarios. We can start from the following dimensions:

1. Product dimension

Sort out all data-related processing scenarios involved in the product.

2. Enterprise level

At present, most enterprises run existing (legacy) business with large amounts of data and complex scenarios. It is suggested to focus on the large and let go of the small, starting with high risk. For example, scenarios involving sensitive data such as biometric information and minors' information should be listed and handled as a priority.

After risk assessment, management needs to make personal information protection decisions in time, for example on risk tolerance; the relevant implementation strategies require both decision-making and implementation.

Q6: Is it necessary for enterprises to consider this from the perspective of systematic construction? How can "pitfalls" be avoided in the process?

Wang Jianxia: The original intention of a system is good, but in practice we have also observed that in many cases it plays a limited role. Therefore, when enterprises build systems, be sure to go down one more layer.

The difficulty of a project system lies in implementation. During a project, each enterprise's strategy, business model, business ecosystem, organizational structure, maturity and technical capability are different, and there is no ready-made methodology that can be used directly. Therefore, every enterprise must translate the legal requirements into specific implementation requirements, for example how to design privacy functions in its products and how to implement the framework for privacy policy and user authorization. This requires specific scenarios and case-by-case analysis.

In addition, another difficulty involves cross-border matters: for example, when enterprises go overseas or overseas enterprises enter China, they must comply not just with one law but with many others. Whether to decide based on the most stringent requirements or only to meet local requirements is also something enterprises need to pay attention to.

Liu Haiyang: "Pitfalls" are something we are often asked about when providing services; no one wants to step into one. So I have summarized some "pitfalls" you might step into.

First, handling public information. Some personal information is public, and we can also see it on the Internet, but you cannot handle this information without scruple. Public does not mean free to use: as an information processor, when it is necessary to operate on the data, approval from the individual is still required.

Another pitfall: a personal information processor has the obligation to actively delete data, and when the conditions are met it should be deleted proactively. In some cases the enterprise cannot delete, but that does not mean the enterprise can evade the obligation of active deletion: the law will not force enterprises to break through technical bottlenecks in order to delete, but personal information processing activities must be stopped.

Q7: At present, what tools and products can help enterprises improve compliance efficiency in all links?

Liu Haiyang: From the Personal Information Protection Law we can see that compliance work is 70% business and 30% technology. Faced with the complex business compliance workload, data security practitioners need to consider integrated, lightweight solutions as much as possible. At present the main product we promote at Tencent Security is the CASB product, which can play a role in helping enterprises carry out compliance work:

1. Security capabilities

It integrates security capabilities such as auditing, desensitization (anonymization algorithms), encryption and access control into one product, so that one integration serves multiple uses and helps enterprises quickly promote compliance implementation.

2. Automated assistance

It can assist in business compliance work, such as automatic classification, data asset inventory, access relationship inventory and data permission inventory.

In addition, sensitive personal information within personal information is also a top priority. CASB's technical automation can help enterprises find its distribution and its access: which users have permissions, which users operate on it, and so on can all be assisted by CASB.

Q8: Does the Personal Information Protection Law have relevant provisions on the attribution of data outcomes derived from legally obtained data?

Wang Jianxia: First, from the logic of the EU GDPR, the following three types of personal information data all belong to the user's personal data:

1. Data directly provided by the user, that is, the account number or ID number the user actively enters.

2. Data generated during the enterprise's service, for example the user's web browsing history or listening records in a music app.

3. Enterprise outcomes, for example user profiles produced by the enterprise: neither provided nor generated as above, but new data derived from the enterprise's algorithms or its own technology.

Under the Personal Information Protection Law, the enterprise has certain intellectual property rights in legally obtained and authorized data. From the perspective of data ownership, does the data belong to the enterprise or to the individual? The answer is complicated. According to the requirements of the current Personal Information Protection Law, such personal data can be used with full notification and user consent.

Liu Haiyang: The Personal Information Protection Law has relevant provisions. First, whether authorization is needed and who owns the data depends on whether the data is personal information. If data generated by the enterprise cannot identify a specific individual, it belongs to the personal information processor; if it can identify an individual and is personal information, it is the individual's. Technically speaking, information that has been anonymized is no longer personal information and is owned by the personal information processor.

Afterword

In fact, the introduction of the Personal Information Protection Law is just the beginning of a new journey. For businesses, what matters more is the implementation and practice of user information protection. For all network security practitioners, whether the Personal Information Protection Law means good news or pressure, we will all face it seriously and work together, from 0 to 1 and from 1 to 2, finding problems and continuously improving in the process of solving them, to help more enterprises make their security work systematic and normalized.

Copyright notice: this article was written by Tencent Security; please include the original link when reposting. Original article: https://yzsam.com/2021/08/20210825144705888n.html