EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
First challenge
From a legal perspective, the GBA comprises three different jurisdictions, each of which has its own laws and regulations on cybersecurity, privacy protection and cross-border data transfer. There are both similarities and differences among them, so enterprises in the GBA constantly face challenges in data security compliance.
Privacy protection
- Organizations need to integrate the provisions of all three jurisdictions into a unified system for collecting, using and processing personal information.
- Develop privacy policies and statements applicable to all three jurisdictions, and adjust them to reflect regulatory differences and the scope of services offered in each.
Cross-border data
- Establish standard contract terms for cross-border data flows that define the responsibilities, rights and obligations of senders and recipients, and develop the corresponding protection measures.
- Engage an independent third party to obtain data protection certification.
- Clarify which laws and regulations apply to cross-border data flows and maintain close relationships with the competent authorities.
- Inventory the data generated by operations and identify the cross-border scenarios that may be involved.
- Establish a cross-border data transmission mechanism within the organization.
- Improve the internal control system for data security and conduct regular self-assessments.
Second challenge
In this conflicting and complicated legal environment, many enterprises lack sufficient compliance capability. That capability spans a security compliance culture, organizational structure, human resources, a compliance management framework with an execution mechanism, and cybersecurity and privacy compliance expertise.
Organizations need to build up security management capacity to prevent and resolve security threats while also addressing compliance capability.
Data security management
- Identify important data within the organization and standardize how important data is described.
- Develop classification and grading standards, and build differentiated management requirements and a technology-based protection strategy on top of them.
- Evaluate security capability and establish a data security management system that sustains standardized management across the entire data lifecycle.
Cybersecurity management
- Develop an organization-wide security management system.
- Establish a compliance training mechanism for all employees and build an effective performance assessment mechanism.
- Establish processes and mechanisms for reporting non-compliance and security breaches, ensure the mechanisms operate smoothly, and optimize and improve the processes on an ongoing basis.
Third challenge
Internet and other operating conditions differ across Guangdong, Hong Kong and Macau. Exposed to such complicated network conditions, enterprises find it challenging to protect their information assets.
Enterprises should enhance security protection and establish a solid foundation for network resilience. As the most practical security standard, the grade-based security protection system can help organizations improve their security capability and demonstrate to regulators that their operations meet China's security obligations no matter where they are within the region. Beyond the grade-based security protection system 2.0, organizations can also draw on relevant international standards, according to their specific situations, to build a solid foundation for network resilience and establish a security-oriented proactive defense and perception mechanism.