1、Written byEnterprises in the GBA:Digitization opportunities,security challenges and response strategiesSummaryThe emergence and development of the Guangdong-Hong Kong-Macau Greater Bay Area(GBA)provide a major driving force for digitalization.Governments across the GBA have already released or will

2、shortly release a series of measures to safeguard data security and to ensure compliance in the digitalization process,which provide strong support to data flow across governments and enterprises and across different enterprises in a cross-border data flow scenario.While enterprises enjoy the benefi

3、ts of enabling policies and more data resources,they also face more data security challenges,including balancing business needs while coping with the different data security regulations of three regions,and responding to security safeguard challenges arising from the difference in network and other

4、conditions across the three regions.To cope with the special challenges faced by digitization,enterprises should plan and set unified compliance standards and systems,build effective compliance capability in data security,improve data security management and defense capability.Only with effective se

5、curity safeguard and compliance may enterprises sustain long-term development.1.Digitalization is a core driver of GBA development42.Data governance and data security will be a major area in development6Unification of data standards,compliance standards and security standardsUnified public data reso

6、urces systemDriving orderly flow of data across the GBA3.Favorable conditions for enterprises9Facilitating data flowMore data resources may be usedImprovement of digital infrastructure4.Data security challenges faced by enterprises13Different legal systems in Guangdong,Hong Kong and Macau create hig

7、her compliance challenges on enterprises The current capability to comply is insufficient to cope with security challengesDifferences in the internet and other conditions in Guangdong,Hong Kong and Macau lead to higher difficulty in security safeguards5.How organizations can navigate challenges20Add

8、ress regulatory differences in Guangdong,Hong Kong and MacauBuild security compliance capacityEnhance security management capabilityEnhance security protection capability6.Conclusion31Appendix Comparison of laws and regulations in mainland China,Hong Kong and Macau32ContentsEnterprises in GBA:Digiti

9、zation opportunities,security challenges and response strategies4In February 2019,Chinas State Council formulated the Outline Development Plan for the Guangdong-Hong Kong-Macao Greater Bay Area(“Development Plan”),and it was stated that by 2035,the GBA should become an economic system with mode of d

10、evelopment mainly supported by innovation.In addition to strategic targets,the Development Plan also listed a series of strategic initiatives mainly driven by digitalization,including:Enhancing and upgrading information infrastructureIt was stated in the Development Plan that there will be a compreh

11、ensive planning for a new generation of information infrastructure to be based on Internet Protocol version 6(IPv6),and based on this,the internet will be upgraded and transformed,and bandwidth capacity will be expanded.In driving the construction of city clusters in the GBA with wireless and fiber

12、broadband,there is a need to set up unified standards,open data ports,push forward mutual recognition of digital signature certificates,and establish an interconnected application platform.Smart city development and digital government construction in the Shenzhen Special Economic Zone was realized b

13、y optimizing information infrastructure,opening over 2,000 data interfaces and breaking the information silos of enterprises,which is an outstanding achievement of the Development Plans implementation.In addition,it was also stated in the Development Plan that when optimizing information infrastruct

14、ure,there is a need to strengthen protection of communication networks,major information systems and major data resources,build a sound information security warning mechanism,improve the network security protection level,and realize the objectives of unification of standards,data opening,smart devel

15、opment of cities and security safeguard of information.Expediting the development of the advanced manufacturing industryThe Development Plan provides that the manufacturing industry should undergo structural advancement and optimization through in-depth integration of the internet,big data and artif

16、icial intelligence with the real economy,in order to foster in-depth cooperation between upstream and downstream industries along the industry chain,so as to improve innovative development of the manufacturing industry system in the GBA.According to statistics of the Department of Industry and Infor

17、mation Technology of Guangdong Province,there are 15,000 enterprises which realized digital transformation and 500,000 enterprises which used cloud technology in the province.In the Implementation Plan for the Digital Transformation of the Manufacturing Industry in Guangdong Province(2021-2025)and S

18、everal Policies and Measures for Digital Transformation of the Manufacturing Industry in Guangdong Province released last year,it was mentioned that industrial enterprises will be driven to use new generation of information technology in order to realize digital transformation,and they will be encou

19、raged to migrate to the cloud and use the cloud.Use of artificial intelligence is encouraged to drive industrialization,reduce costs,and improve quality and efficiency.Digitalization is a core driver of GBA developmentEnterprises in GBA:Digitization opportunities,security challenges and response str

20、ategies5Nurturing and strengthening strategic emerging industriesAs early as 2017,the Guidance Catalogue of Key Products and Services in Strategic Emerging Industries issued by the National Development and Reform Commission already laid out the scope of strategic emerging industries,fostering the gr

21、owth,transformation and upgrading of economy and quality development.There are several places in the Development Plan mentioning that strategic emerging industries will be vigorously developed in the GBA,and the development needs to fully leverage the strengths of scientific research and development

22、(R&D)resources and high-tech industrial base in major cities such as Hong Kong,Macau,Guangzhou and Shenzhen to drive development of the seven major strategic emerging industries and the four major industries in the future.It was also mentioned that the new generation of information technology,biotec

23、hnology,IoT,artificial intelligence,big data,5G mobile network,intelligent robotics,the BeiDou Navigation Satellite System and other emerging industries are to be nurtured with priority;and major projects in strategic emerging industries covering information consumption,new health care technologies,

24、hi-tech service industry and others will be implemented to drive digital development and foster transformation and upgrading of the economy.Expediting the development of modern service industriesWith improving technological capability,edges in digitization development and innovative breakthroughs,pr

25、ofessional service industries in the GBA are expediting digital transformation.The Development Plan provides that it is necessary to leverage the economic and finance advantages of Hong Kong,Macau,Guangzhou and Shenzhen to build an international finance hub and vigorously develop a secure financial

26、industry with specific characteristics in the GBA.Application of big data,artificial intelligence,blockchain and other technologies in finance will drive the digital transformation of traditional financial service enterprises.The GBA is expected to have more effective,secure and stable financial ser

27、vices.In addition to the financial service industry,many logistics,catering service and other industries also start to use or leverage the abundant supply of networks and skilled labor,sound logistics infrastructure,government incentives and capital support in the GBA to continue to develop business

28、 and expedite transformation and upgrading despite the pandemic.The strategic initiatives above are closely related with digital development or fall under the category of digital economy or are dependent on digital development.Digital development already becomes a major engine and infrastructure in

29、the GBA.After the release of the Development Plan,the GBA announced new policies one after another.The governments have made several new regulations and policies,such as regulations released by Department of Industry and Information Technology of Guangdong Province,the Overall Plan for the Construct

30、ion of Guangdong-Macao In-Depth Cooperation Zone in Hengqin issued byState Council of the PRC,the Plan for Comprehensive Deepening Reform and Opening Up of the Qianhai Shenzhen-Hong Kong Modern Service Industry Cooperation Zone released in Shenzhen,and Hong Kongs Policy Address released in the past

31、years.These policies will further strengthen exchange of opinions and cooperation among GBA cities,including Hong Kong,Macau,Shenzhen and Zhuhai in digital infrastructure,digital transactions,digital finance,high-tech and smart manufacturing.Enterprises in GBA:Digitization opportunities,security cha

32、llenges and response strategies6Digital development must involve effective data governance and data security and ensuring effective data governance and data security is the prerequisite of fostering economic integration among the GBA as well as the cross-strait three regions.To be in line with the p

33、lanning with digital as the development engine,the GBA already gradually laid down requirements in developing data governance and security and implementation initiatives concerned.On 5 July 2021,the Peoples Government of Guangdong Province issued the Action Plan for the Reform of the Market-oriented

34、 Allocation of Data Elements in Guangdong Province(“Action Plan”)which is the first market-oriented allocation of data elements document in mainland China.It listed 24 tasks in five major areas,including releasing public data resources value,energizing social data resources,strengthening integration

35、 of data resources and their innovative applications,fostering data transactions and flow,and improving data security safeguard to accelerate the cultivation of the data elements market.In the context of digital development,in addition to the action plans above,the governments in the GBA are introdu

36、cing or will soon introduce a series of measures to safeguard data security and compliance,and provide strong support for accelerating the flow of data between governments and enterprises,among enterprises,and across borders.Such measures include but not limited to the following:Data standardsProfes

37、sional research on data elements standardization is gradually being conducted and pilots of data elements standardization in phases and in different areas in the GBA will take place to support industrial federations,chambers of commerce,enterprises,universities and research institutes in studying th

38、e development of standards in data capture,process,application and quality management1,laying the technical foundation for data flow.Compliance standardsAs Guangdong and the Hong Kong and Macau SARs have different legal systems,the setting up of basic system and standards in the GBA,covering require

39、ments in data flow system,sound data equity,transaction flow,cross-border transfer and security safeguard,clarifying rights and responsibilities of data subjects,data control parties,data use parties,and protecting the interests of data subjects2are one of the prerequisites of GBA development.The GB

40、A is now actively driving relevant work and is studying how to set up a data system and compliance standards with GBA characteristics that comply with the national law and regulations to foster the interchange of data.Data governance and data security will be a major area in developmentUnification o

41、f data standards,compliance standards and security standards1 Article 16 of the Action Plan for the Reform of the Market-oriented Allocation of Data Elements in Guangdong Province2 Article 18 of the Action Plan for the Reform of the Market-oriented Allocation of Data Elements in Guangdong ProvinceEn

42、terprises in GBA:Digitization opportunities,security challenges and response strategies7Security standardsIn strengthening data security safeguard,it was stated in the Action Plan and other guides concerned that there will be development in three areas:(1)setting up a data classification and grading

43、 and privacy protection system,and a data classification and ranking and protection system led by the governments and participated by various parties with clear definition of responsibilities of the parties;and development of a major data catalog for provincial and municipal departments and industri

44、es and areas concerned to provide priority protection of data listed in the catalog.There should also be a sound data privacy protection and security review system,and responsibilities in data security protection,including government departments,enterprises and public institutions and the public nee

45、d to be fulfilled to improve data protection,including personal privacy,personal information,commercial secrets and confidential commercial information;(2)a need to improve the scheme for data security management,data security risk assessment,reports,information sharing,monitoring and early warning

46、and contingency handling;and support the departments,industrial associations,enterprises,academic and scientific research institutions,and professional institutions concerned in their collaboration in data security risk assessment,prevention and handling;(3)a need to improve the technical data secur

47、ity system;build a coordinated security safeguard system with integration of cloud computing,IoT and digital solutions;leverage data protection measures,blockchain and other new technologies including reliable identity authentication,data signature,interface authentication and data sourcing;and impr

48、ove security safeguard for computing resources and data resources so as to strengthen data security protection capabilities.These not only show the planning of the Peoples Government of Guangdong Province in security standards but also show the direction of concerted efforts of various governments i

49、n the GBA.Enterprises in GBA:Digitization opportunities,security challenges and response strategies83Guangdong Provincial Government Service Data Administration Authority.Jingjinet丨Interview with Yang Pengfei:Guangdong Data Exchange will be co-constructed by provinces and cities,coordinated by Guang

50、zhou and Foshan and is expected to be completed before the end of the year,http:/ 4 Article 2 of the Action Plan for the Reform of the Market-oriented Allocation of Data Elements in Guangdong Province5 Article 6 of the Action Plan for the Reform of the Market-oriented Allocation of Data Elements in

51、Guangdong ProvinceIn addition to actively implementing unified standards,the GBA is also actively stepping up the construction of an unified public data resources system,improves basic databases covering population,legal entities,spatial geography and digital passports,and further expanding the data

52、bases of credit,finance,health care,transport,ecology,market monitoring,culture and travel,social relief and investment projects,so as to speed up data flow between governments and enterprises.According to statistics of Guangdong Provincial Government Service Data Administration Authority,as at the

53、end of August 2022,The first-level data element market led by the administrative mechanism has published a total of 33,300 data resource catalogs,providing 51.786 billion data call services for 1,144 business systems of 1,567 government departments3.During fostering of data sharing and flow,the Acti

54、on Plan also clearly listed public data management mechanism and public data security safeguard requirements regarding further orderly opening of public data,including listing requirements of various levels of administrative authorities and public institutions in data capture,gathering,sharing,use a

55、nd management with formulation of Guangdong Provincial Public Data Management Measures4;and it is sought to explore the construction of a public data opening list system with the formulation of the Interim Measures for Public Data Open in Guangdong Province to improve the public data opening catalog

56、 management scheme and standards,targeted opening of public data and management system for authorized opening5.Unified public data resources systemCurrent priorities of the GBA are to drive construction of a big data center at the GBA,support construction of Nansha(Guangdong-Hong Kong-Macau)Data Coo

57、peration Pilot Zone and Guangdong-Macao In-Depth Cooperation Zone in Hengqin,explore the construction of“data customs”,and initiate the review,assessment and monitor of cross-border data flow.Fostering cross-border flow of data not only involves public data,financial data and daily business data of

58、enterprises,but also includes health care and other scientific research collaboration project data.There should be orderly fostering of cross-border flow of data resources to gradually realize cross-border interconnection of scientific research data,and a series of data application model cases is to

59、 be built for industrial development,social governance,services for the public and more.It can be readily seen that the GBA is stepping up improvement of data resource development and use as well as the policy environment for governance and protection of data,regulation to cope with new governance i

60、ssues arising from new economy,and issue of a list of policies to deal with data transactions,cross-border data transfer,personal information and privacy protection,and data security strategies to build a good foundation for a sound data flow mechanism.Driving orderly flow of data across the GBAEnte

61、rprises in GBA:Digitization opportunities,security challenges and response strategies9With in-depth construction at the GBA,a series of major digitalization initiatives will be launched one by one to create a favorable policy environment to safeguard data security and ensure effective and standard d

62、ata flow and use.These are certainly major favorable conditions for enterprises in the GBA.Such initiatives include:Favorable conditions for enterprisesThe GBA is one of the regions in China which is most open and with strongest economic vigor.According to the China Urban Agglomeration Integration R

63、eport released by the China Development Research Foundation under the Development Research Center of the State Council,the GDP of the Guangdong-Hong Kong-Macao Greater Bay Area will reach 14.76 trillion yuan in 2022,surpassing the Tokyo Bay Area and becoming the largest bay area by its economy.Econo

64、mic integration and movement of people among 9+2 cities in the GBA for years is very intensive.With more in-depth development of the GBA,there are already major breakthroughs in bottlenecks in interconnection regarding flow of people,cargos and capital in the area.Construction of data centers and pu

65、blic data resources systems and exploration of cross-border data transfer,including“data customs”will further break through barriers in data flow systems and will further facilitate data flow environment in the area.With implementation of Cybersecurity Law of the Peoples Republic of China,Data Secur

66、ity Law of the Peoples Republic of China and Personal Information Protection Law of the Peoples Republic of China,Measures for the Security Assessment of Outbound Data Transfer in mainland China one after another,balancing compliance in cross-border data flow and meeting business needs are major are

67、as to be improved by enterprises in the GBA.In the foreseeable future,exploration of measures to enable cross-border data transfer in the GBA will provide some considerations for the enterprises to solve the issue and facilitate data transfer which will become their competitive advantage.Facilitatin

68、g data flowMore data resources may be usedConvenient data flow and readily accessible data resources mean enterprises in the GBA may fully take advantage of accessing a large amount of data and having countless applications which will further bring the potential of data elements into full play and d

69、rive innovative-driven development.In addition,the GBA is driving opening and integration of public data resources in various places and is actively exploring how to open resources concerned to enterprises provided that the data will be kept secure,and compliance of data transfer is ensured.This mea

70、ns in the future,enterprises in the GBA will not only have convenient cross-border transfer of internal data but will also be able to exchange data of enterprises between them which complies with regulations and will be able to fully leverage public data to maximize effectiveness in data decisions a

71、nd applications.The following are some data application scenarios in the GBA:Enterprises in GBA:Digitization opportunities,security challenges and response strategies10Application scenarios in financeAccording to the latest data of the Global Financial Centres Index(GFCI),in 2022,Hong Kong,Shenzhen

72、and Guangzhou are among the top 30,ranked third,10th and 24th respectively.There is a rare concentration of city financial centers in the GBA.In the future,digital resources will further enhance the financial service experience of GBA users and enable the emergence of a more stable financial system.

73、Financial institutions in the GBA may drive remote cross-border identity authentication with e-ID and e-KYC platforms built jointly by the three cities and provide more convenient financial services for the users which will further improve capital liquidity in the GBA.The digital financial system co

74、nstructed will also meet the risk management demands of financial institutions,such as anti-money laundering.In addition,financial institutions in the GBA may also legally use the large number of cross-industrial data in finance,e-commerce,the internet and financial technology in the GBA;and integra

75、te user data,credit data and behavior data for data modelling and conduct precise mapping of users with big data processing technology to trace and analyze consumption behavior of users as well as their risk and revenue appetite and information on other features so as to recommend products and servi

76、ces based on the preferences of users,do targeted marketing and provide better services to customers.At the same time,they may take the initiative to maintain and manage customer relations based on customer attrition warning model according to the historical transaction model.In addition,financial i

77、nstitutions in the GBA may further leverage big data to analyze customer behavior,creditability and assets and liabilities conditions,conduct comprehensive assessment of their credit risks and set up a sound risk control systemApplication scenarios in health careUnder the pandemic,using big data ana

78、lysis to develop effective public health care development strategies already becomes one of the priorities of governments and public health care institutions.They may trace the infected based on big data to control spread of the virus as much as possible,and leverage health care big data to take the

79、 initiative to allocate medical resources,reduce major diseases and the costs of treatment effectively,reduce diseases and promote health in general.In addition,convenient data flow and rich data resources are also indispensable in the health care industry.The level of medical service digitalization

80、 in the GBA is increasing.Guangzhou,Shenzhen,Zhuhai,Foshan,Huizhou,Zhongshan and Jiangmen are the first seven cities which already set up municipal health care information platforms for all people and achieve interconnection,data sharing and business coordination among major health care institutions

81、 in the municipals.There is a large flow of population in the GBA.In recent years,Guangdong citizens travel south to Hong Kong and Macau to do body checks,receive dental and aestheticmedical treatments,and have major operations.It is also increasingly common for Hong Kong and Macau citizens to trave

82、l north to medical institutions and homes for the elderly in other cities in the GBA to receive health care services.Sharing and flow of data is the foundation of health care information integration in the GBA and will further lead to more effective use of medical resources in the area which is a ma

83、jor factor to enable citizens in the area to enjoy convenient and quality medical service in various cities in the GBA.Enterprises in GBA:Digitization opportunities,security challenges and response strategies11Application scenarios in e-commerce logisticsIndustrial digital structure in the GBA keeps

84、 upgrading and it gradually becomes a major force to drive the digital economic development in the area.Scale of information consumption and e-commerce transaction volume in the GBA ranks first in the nation with cross-border e-commerce transaction volume accounting for almost 70%of the total,and mo

85、bile payment accounting for 30%of the total of the nation.In recent years,e-commerce logistics enterprises developed many new cross-border ecommerce services,such as cross-border payment service,overseas warehouse service,cross-border e-commerce language service and cross-border data service.During

86、the whole lifecycle of cross-border e-commerce activities,customs and other government departments,domestic and overseas consumers,cross-border e-commerce enterprises,platform enterprises,domestic service providers and other enterprises interact intensively online and offline,and there is interactio

87、n of data among various institutions.With big data,cloud computing and construction of other smart infrastructure,digitalization of information at each part of logistics and online connection is realized which will drive transparency of logistics processes and help e-commerce logistics enterprises i

88、n the GBA to effectively improve quality and effectiveness and lower costs and to enable joint development of cross-border e-commerce and logistics in the big data era.Enterprises in GBA:Digitization opportunities,security challenges and response strategies126 Excerpt Promote the aggregation,circula

89、tion and sharing of data resources;carry out pilot projects for the safety management of cross-border data flow,and explore the establishment of a mechanism that not only facilitates data flow but also ensures safety”7 Excerpt Overall Layout Plan for 5G Base Stations and Data Centers in Guangdong Pr

90、ovince(2021-2025)Sound network and computing infrastructure systems are another inherent advantage of enterprises in the GBA.It was stated in the Development Plan under the 14th Five-Year Plan to expedite digital development and build a digital China.It was also explicitly stated in the 14th Five-Ye

91、ar Plan for National Economic and Social Development and the Outline Plan of Long-Range Objectives Through the Year 2035 unveiled by the Guangdong provincial government to construct a digital GBA and a cross-border big data center covering Guangdong,Hong Kong and Macau6.It was explicitly stated in t

92、he Guiding Opinions regarding Accelerating the Construction of a Coordinated Innovation System for the Nationwide Integrated Big Data Center released by National Development and Reform Commission at the end of 2020 that national hub nodes of big data centers are to be built in Beijing-Tianjin-Hebei,

93、the Yangtze River Delta,the GBA,Chengdu-Chongqing and other major regions.Meanwhile,the GBA has two national supercomputing centers in Guangzhou and Shenzhen with leading computing speed and integrated technological level according to world standards.The overall standard of information infrastructur

94、e keeps improving,and capacity of backbone networks and metropolitan area networks keep expanding and the networks are continuously being upgraded.In the data center industry,a hub was formed in Guangzhou,Hong Kong and Shenzhen with tiered radiation in industries in the surrounding areas.Server avai

95、lability and data storage capacity in these three cities rank first in China.According to data center planning stated in the Overall Layout Plan for 5G Base Stations and Data Centers in Guangdong Province(2021-2025),dual-core nine centers are planned to be built in the province such that there will

96、be two hub data center regions with small latency delays in Guangzhou and Shenzhen,and there will be nine data center cluster regions in Shantou,Shaoguan,Meizhou,Huizhou,Shanwei,Zhanjiang,Zhaoqing,Qingyuan and Yunfu.By 2022,there will be equivalent to around 470,000 standard cabinets in the province

97、 and average availability is around 65%.By 2025,the total number of standard cabinets in the province will be around 1 million with average availability at around 75%7.In addition,the GBA is different from Beijing-Tianjin-Hebei and the Yangtze River Delta regions,with its unique diversified systems.

98、There are two special economic zones in Shenzhen and Zhuhai;three areas in Nansha in the Guangdong Free-trade Zone,Qianhai and Shekou,and Hengqin;and two Special Administrative Regions,Hong Kong and Macau under“One Country,Two Systems”.These create inherent conditions for access of cross-border data

99、.In recent years,the GBA is actively exploring the construction of a global data port,including an international data free trade port in Nansha,and a data center at the Hong Kong-Shenzhen Innovation and Technology Park at Lok Ma Chau Loop in a bid to realize cross-border sharing and flow of data saf

100、ely and under controlled conditions.Improvement of digital infrastructureEnterprises in GBA:Digitization opportunities,security challenges and response strategies13A series of planning and measures in the area will be very favorable to improve digital competitiveness of enterprises in the GBA which

101、comply with legal requirements.However,while enterprises enjoy convenience in the GBA,they at the same time face greater challenges.From a legal perspective,the GBA comprises three different jurisdictions,each of which have different laws and regulations on cybersecurity,privacy protection and cross

102、-border data transfer,as well as different regulations for different industries including health care and financial services.Businesses operating in all three jurisdictions are effectively operating under three different legal systems.Enterprises in the GBA are therefore constantly facing challenges

103、 over data security compliance.In relation to cybersecurity,the Cybersecurity Law of the Peoples Republic of China,the Data Security Law of the Peoples Republic of China,the Measures for Cybersecurity Review and related implementation regulations and rules have been enacted in mainland China.The Cyb

104、ersecurity Law and other laws and regulations have been enacted in Macau.It is reported that Hong Kong is also preparing for legislating for cybersecurity and public consultation is being planned.There are relatively broader definitions on network operators,operators of critical information infrastr

105、ucture and engaging in digital processing activities under the laws and regulations in mainland China when compared to the two other jurisdictions.Enterprises should analyze their own specific compliance requirements in accordance with the particular circumstances of their own businesses.At the same

106、 time,the definitions of“critical information infrastructure operator”under mainland Chinese law and“critical infrastructure operators”under Macanese law are different,and the cybersecurity responsibilities to be respectively borne by such operators are different,of which enterprises should be aware

107、.Different legal systems in Guangdong,Hong Kong and Macau create higher compliance challenges on enterprises Data security challenges faced by enterprisesEnterprises in GBA:Digitization opportunities,security challenges and response strategies14In relation to privacy protection,relatively comprehens

108、ive and systematic protection requirements have already been established across all three jurisdictions.In mainland China,the Personal Information Protection Law and other supporting laws,regulations and guidelines concerned have been rolled out.In Hong Kong,the Personal Data(Privacy)Ordinance has b

109、een enacted,and relevant approved Codes of Practice and Guidelines have been issued by Privacy Commissioner for Personal Data.In Macau,the Personal Data Protection Law has been enacted,and various guidelines have been issued by the Office for Personal Data Protection.While there are similarities in

110、the laws and regulations in the three regions,there are also differences in them,including the following:Differences in definitions of sensitive personal information and automated decision making:There are relatively more detailed compliance requirements in mainland China and Macau on processing sen

111、sitive personal information and automated decision making.In Hong Kong,while there is no specific provision in the Personal Data(Privacy)Ordinance on sensitive personal information processing and automated decision making,there are approved Codes of Practice/Guidelines by the Privacy Commissioner fo

112、r Personal Data defining and regulating the same.Different regulations for processing personal information out of the jurisdiction:In mainland China,Personal Information Protection Law of the Peoples Republic of China not only applies to natural persons personal information processing activities in

113、the PRC but also applies to processing of mainland China natural persons personal information outside the mainland in specific applicable situations.The Personal Data(Privacy)Ordinance in Hong Kong applies to any data user who controls the collection of,holds,processes or uses personal data in or fr

114、om Hong Kong.In some cases,enforcement can be made against non-Hong Kong service providers.There are no express provisions in the Personal Data Protection Law in Macau concerning its application out of Macau,but the Act is applicable to circumstances such as the entire or partial automated processin

115、g of personal information,and non-automated processing of personal information held in or to be held in manually operated databases.Differences in requirements on collection,use and processing of personal information and access rights of personal information:The Personal Information Protection Law o

116、f the Peoples Republic of China further stipulates the conditions where separate consent from individuals is necessary.The Personal Data(Privacy)Ordinance in Hong Kong,on the other hand,provides different scenarios where different types of consent are required.The Personal Data Protection Law in Mac

117、au provides that express consent is required in processing personal information,processing sensitive information,disclosing or distributing all or part of personal information and transferring personal information across the border.Enterprises in GBA:Digitization opportunities,security challenges an

118、d response strategies15There are also differences in laws and regulations in the three jurisdictions on cross-border data transfer,including:On data localization,specific requirements are provided in the Cybersecurity Law of the Peoples Republic of China,Personal Information Protection Law of the Pe

119、oples Republic of China and other laws and regulations.However,the Personal Data(Privacy)Ordinance in Hong Kong and the Personal Data Protection Law in Macau do not have express requirements concerning data localization.On cross-border transfer of data,the Cybersecurity Law of the Peoples Republic o

120、f China,Personal Information Protection Law of the Peoples Republic of China,Measures for the Security Assessment of Outbound Data Transfer and other laws and regulations have provisions regarding conditions on cross-border data transfer,including security assessment,personal information protection

121、certification,entering into standard contracts with overseas recipients.There are also provisions in the Personal Data(Privacy)Ordinance in Hong Kong concerning cross-border transfer of personal information,but such provisions have not yet been effective.The Personal Data Protection Law and the Cybe

122、rsecurity Law in Macau have certain provisions regulating cross-border data transfer,with a list of exceptional cases.For details of similarities and differences in major laws and regulations on cybersecurity,privacy protection,and cross-border data transfer as well as the challenges in compliance i

123、n mainland China,Hong Kong and Macau,please refer to the appendix.Enterprises in GBA:Digitization opportunities,security challenges and response strategies16With data security and privacy protection laws in the three places and under the conflicting and complicated legal environment,enterprises need

124、 to have sufficient capability in compliance in the security area.Otherwise,enterprises in the three places are unable to cope with the various kinds of data security and compliance issues related to their businesses.Good compliance capability in data security includes:Top-down security compliance c

125、ultureOnly top-down security compliance culture may ensure security compliance is effectively executed internally in enterprises.This requires all people,including management and department leaders of enterprises to understand the importance of compliance in the cybersecurity and privacy areas,but c

126、urrently it is difficult for many enterprises to build a top-down security compliance culture because of the following reasons:The current capability to comply is insufficient to cope with security challengesAwareness of some leaders with management roles in compliance is insufficient and they do no

127、t fully understand the importance of cybersecurity and privacy protection in digital transformation,and they still regard this as ordinary compliance and IT internal control issues of enterprises.Some enterprises still regard security bundled with IT but with digital transformation,security issues a

128、re no longer simple IT issues;key departments and boards of enterprises do not trust they are sufficiently secure or understand security enough and there are obstacles in communication on security.Cross-department collaboration is difficult to be achieved and security issues are inevitably ignored b

129、y other functions and departments.Some enterprises lack comprehensive training on security compliance.Trainings of employees are now still mainly confined to those related to jobs and skill trainings and security compliance trainings are not involved.Only a small number of leaders with management ro

130、les received training in security compliance and security policy formulation.Enterprises in GBA:Digitization opportunities,security challenges and response strategies17Sound organization structureA sound cybersecurity organization structure is the foundation of security compliance.A cybersecurity or

131、ganization structure that is embedded throughout an organization may achieve effective breaking of communication obstacles in management,IT and departments and maximize motivation and initiative in cybersecurity and privacy compliance efforts.It is difficult for some enterprises to develop a complet

132、e and effective organization structure mainly because of the following reasons:Some enterprises only have very limited awareness of security compliance and think all legal and regulation-related issues need to be handled by the legal department.In fact,security compliance also involves management,IT

133、,business departments,internal control and other departments.Legal department alone is unable to cope with all aspects of security compliance and handle all issues well.This will only increase hidden compliance issues.Although some enterprises set up cybersecurity organization structure,compliance r

134、oles are not well distributed in different departments,leading to ineffective execution of security compliance work.Sufficient support in human resourcesUnder a sound organization structure,enterprises should be equipped with sufficient human resources to respond to security issues effectively and p

135、romptly.It is difficult for some enterprises to have sufficient human resources to handle mainly because of the following reasons:Some enterprises do not understand requirements in security compliance and roles and responsibilities among different departments are not clear.Therefore,they are unable

136、to have better arrangements in this respect.Security compliance personnel do not have the required qualifications.There is a serious shortage of employees with cybersecurity professional background and skillsEnterprises in GBA:Digitization opportunities,security challenges and response strategies18P

137、roper compliance management framework and execution mechanismSetting up a sound compliance management framework and execution mechanism is the prerequisite of enterprises in driving cybersecurity and privacy compliance.It is on this basis that enterprises may ensure there are proper references to in

138、itiate the work concerned and management roles to handle relevant work may be confirmed.It is difficult for some enterprises to build a sound compliance management framework and execution mechanism mainly because of the following reasons:Some management and employees of enterprises do not have suffi

139、cient awareness of security compliance and organization structure concerned is not sophisticated enough.There may also be a lack of human resources to handle.Based on the actual conditions,it is difficult to build a sound compliance management framework and execution mechanism.With different data se

140、curity and privacy protection laws in the three places,it is difficult to a certain extent to integrate all compliance requirements in the existing security management framework and execution mechanism.Comprehensive cybersecurity and privacy compliance capabilityOnly with comprehensive cybersecurity

141、 and privacy compliance capability may enterprises ensure full execution of security compliance.It may be difficult for some enterprises to build comprehensive compliance capability mainly because of the following reasons:As one of the major elements in security compliance,privacy protection lacks s

142、ystem support internally.From the system perspective,it is difficult to satisfy compliance requirements and guiding implementation of the work concerned cannot be executed.Some enterprises already have a compliance system in place but support in areas such as organization structure and human resourc

143、es is lacking which leads to ineffective execution of processes and mechanism concerned.For most enterprises in the GBA,various kinds of objective restrictions limit their ability to comply and respond at present to new challenges arising from digital development.How to establish an effective data s

144、ecurity compliance system with reasonable deployment of resources will become an issue that needs to be handled by enterprises in the GBA.Enterprises in GBA:Digitization opportunities,security challenges and response strategies19There are differences in the internet and other conditions in Guangdong

145、,Hong Kong and Macau.For example,During the process of enabling the cross-border data flow in the GBA,enterprises face differences in the existing network environment,technology and security standards as well as users habits.These increase their difficulties in security safeguard efforts,and it beco

146、mes a new management challenge.Differences in the internet and other conditions in Guangdong,Hong Kong and Macau lead to higher difficulty in security safeguardsDifference in internet conditions:Access to server lines in mainland China is restricted by storage and server traffic of operators and use

147、 of server lines requires filing with authorities concerned with standard procedures while network operators in Hong Kong and Macau connect lines with international broadbands.There is no need for filing and no restrictions in lines in these two places.With this kind of difference,the internet envir

148、onment in Hong Kong and Macau is more complicated and IT resources of enterprises are exposed to complicated internet conditions.Since information assets in mainland China becoming targets of attacks is increasing likely,how to protect information assets under different internet environment is chall

149、enging to enterprises.Difference in technical and security standards:There is difference in technology and security standards in Guangdong,Hong Kong and Macau,for example,with respect to use of encrypted computing,many mainland Chinese enterprises use mainland Chinas standards,such as public key alg

150、orithm(SM2),cryptographic hash algorithm(SM3)and block cipher algorithm(SM4)while enterprises in Hong Kong and Macau often use commercial computing commonly used globally,such as RSA and DES.Other examples:security standards are set in mainland China while Hong Kong and Macau lack a set of mature ne

151、twork security standards.With this kind of difference in technology and network security standards,how enterprises may manage is one of their challenges.Difference in users habits:Users in Guangdong,Hong Kong and Macau differ in use of the internet.For example,Macau and Hong Kong users mainly use su

152、ch social media apps as WhatsApp and Facebook but mainland China users mainly use WeChat and Weibo.With differences in the habits of internet users,enterprises face difficulties during unifying security monitoring.Besides,in the post-pandemic era,many employees are forced to work from home.The borde

153、r of family and office networks is increasingly blurred.How enterprises may manage security and privacy becomes one of the issues that are difficult to be dealt with.Enterprises in GBA:Digitization opportunities,security challenges and response strategies208 For example,the EUs standard contract cla

154、use(SCC)for data transmission within and outside the EU assists stakeholdersin complying with the EUs General Data Protection Regulation(GDPR).Meanwhile,ASEAN issued the ASEAN ModelContract Clause on Cross-border Data Flows(MCC)for use by member countries to facilitate the free flow of data underthe

155、 ASEAN Data Management Framework.9 In the absence of adequacy determination,the EU provides data transfer mechanisms for organizations to follow with appropriate security measures,including approved Code of Conduct and an approved Certification Mechanism.How organizations can navigate challengesAddr

156、ess regulatory differences in Guangdong,Hong Kong and MacauWhen developing data governance and security compliance strategy for cross-border data flows,organizations shall take into account the similarities and differences of laws and regulations in mainland,Hong Kong and Macau to enable them to bui

157、ld and execute precise compliance solutions to meet different regulatory requirements simultaneously.Despite differences,there is no contradiction.In the case of highly integrated and overlapping operations,it is recommended a set of solutions in compliance with data security regulations on three si

158、des be built.Besides,organizations need to keep themselves informed of any update and adjust solutions accordingly.Currently,organizations in the GBA need to give priority to the following issues in terms of data compliance and security.Privacy protectionAs for privacy protection,there are intersect

159、ions and overlaps among provisions on three sides for collecting,using and processing personal information and data subject rights.As such,organizations need to integrate these requirements to build an unified system to collect,use and process personal information and develop privacy policies and st

160、atements applicable to three sides and make modifications based on regulatory differences and scopes of services.For example,in Hong Kong,any direct promotion shall be subject to compliance,while in the Mainland and Macau,organizations shall comply with requirements when conducting cross-border data

161、 transmission,automated decision-making and processing sensitive personal information in compliance management.Cross-border dataCompliant data flow channels in the GBAAs one of the basic elements of digital economy,data requires timeliness and standardization.As such,data flow mechanism shall be bui

162、lt on an easy and standardized process.Going forward,along with measures expected including“data customs to accelerate the review,evaluation,and supervision of cross-border data flow,developing templates of standard contracts,and obtaining certification for competence in data protection are integral

163、 to reducing the costs of transformation of data standards and compliance management to ensure smooth flow of cross-border data.Standard contract terms.As there is no data exchange mechanism(e.g.,whitelist mechanism)among Guangdong,Hong Kong and Macau,it is likely to use business contracts at the or

164、ganization level to establish standard terms for cross-border data flow,define the responsibilities,rights and obligations of senders and recipients,and develop relevant protection measures.Standard contract terms can help ensure data interoperability and security,while cross-border data flow is sub

165、ject to relevant regulations8to enhance mutual trust among organizations on three sides and facilitate data flow.Enterprises in GBA:Digitization opportunities,security challenges and response strategies21Data protection certification.It is likely to engage an independent third party to make an indep

166、endent assessment of data protection competence of an organization and issue a third-party assurance report to support its competence in data governance and protection pursuant to a unified data governance assessment standards and reporting framework,helping the organization to decide whether data s

167、hould be sent to recipients9.This will facilitate organizations to integrate cross-border data when data security ensured.For example,cross-border group companies can leverage business data in different regional markets and expand their presence when ensuring their competence in data governance and

168、protection.It is suggested to define roles and responsibilities,rights and obligations of stakeholders based on regulatory,policy and market requirements on three sides,e.g.,legal binding,confidentiality agreement,personal data protection measures and terms of suspension of data transmission.Complia

169、nce measures for organizations conducting cross-border data flow activities in the GBACompliance of cross-border data flow is particularly important for risk management within an organization,especially for digital technology companies engaged in international trade,cross-border payment,big data,and

170、 cloud computing.As complying with requirements for cross-border data flows is not easy and simple,it is suggested that organizations seek measures and paths to ensure compliance based on the following aspects and internal practices.Make clear laws and regulations on cross-border data flowThis first

171、 step is to fully understand legal rules related to cross-border data flow,including local ones and those related to data operations in other jurisdictions.When necessary,organizations should consult with relevant legal professionals to provide guidance on the application of legal rules.Sort out ope

172、ration-based data At the present stage,organizations should sort out all types of data derived from routine operation and specific fields as the basis for preliminary identification.Organizations need to confirm whether written identification standards or identification methods are in place in the i

173、ndustry where they operate.If not,organizations need to judge the possibility of each kind of data to be included as important data in line with the concept defined in existing laws and regulations.As for the data that are more likely to be included as important data,organizations shall fulfill the

174、obligations of data security protection as provided in the Data Security Law.Meanwhile,organizations need to maintain close relationships with competent authorities and keep a close eye on implementation guidelines and details to be issued later to take holistic and targeted measures.Enterprises in

175、GBA:Digitization opportunities,security challenges and response strategies22Improve internal control system for data securityThe cross-border data flow compliance is not just about cross-border transmission,but includes prior steps including collection and processing,which are relevant to whether da

176、ta can be transmitted across the border and whether approval procedures are needed.As such,organizations need to establish a complete internal control system for data management,from contract signing to business operation,to give clear guidance to employees and reduce non-compliance risks.According

177、to the data security protection obligations of data processors as provided in Data Security Law,relevant internal control system shall at least include whole-process data security management system,risk monitoring and security incident response system,important data risk assessment and reporting sys

178、tem.Establish cross-border data transmission mechanism within the organizationCompliance obligations for different subjects vary with legal rules.For example,as provided in Cybersecurity Law,critical information infrastructure operators are subject to stricter data security protection obligations th

179、an general network operators.Therefore,organizations need to position themselves based on their operations and applicable legal rules,to define their obligations and what to follow.Given that operators of critical data and critical information infrastructure in mainland China has not been defined cl

180、early,it is suggested that organizations should identify whether they are likely to fall into the scope of critical information infrastructure by sorting out relevant rules and communicating with competent authorities.Meanwhile,organizations need to identify potential cross-border transmission scena

181、rios in their routine operations,even if some organizations are less likely to be identified as critical information infrastructure operators,it is suggested that organizations make self-assessment prior to transmitting data while maintaining close communication with regulators.Enterprises in GBA:Di

182、gitization opportunities,security challenges and response strategies23To build cybersecurity compliance capacity,organizations can take following measures:Identify data security management functionsDifferent from traditional information security,data security is not only about IT security,but releva

183、nt to legal compliance,internal control,and business security.Therefore,if the traditional security team or legal team takes such responsibilities,data security-related needs are unlikely to be addressed at expertise and skill levels,while at functional level,it is not easy to achieve optimal coordi

184、nation across departments and business sectors.To effectively implement security compliance management strategies and systems,organizations need to establish or designate a data security management department,which can be operated as a separate function or managed by an established department.Data s

185、ecurity management department should have the following functions:Develop documentation for data management system and define data security compliance management responsibilities at different levels and departmentsPromote data security compliance management and improve compliance management systemSt

186、andardize processes of data collection,storage,usage,processing,transmission,provision and disclosurePromote the development of systems and norms,the design and implementation of management measures,and the update of data security technology and applications,to ensure data security complianceIn addi

187、tion,organizations should designate a person in charge of cybersecurity and privacy protection under given conditions to supervise the implementation of such measures.The designated person should take the following responsibilities:Coordinate and hold responsibility for the implementation of cyberse

188、curity and privacy protection measures within the organization Organize the preparation of cybersecurity and privacy protection working plan and put it into implementationDevelop,issue,implement and regularly update cybersecurity and privacy policies and proceduresOrganize the cybersecurity and priv

189、acy risk assessments and urge to rectify problemsMaintain communication with regulators and administrative authorities and report cybersecurity and privacy protection incidentsBuild security compliance capacityEnterprises in GBA:Digitization opportunities,security challenges and response strategies2

190、4Develop cross-regional data security system and processThere is no one-size-fits-all solution for data security compliance.With changing businesses and iterating application services,organizations will always be exposed to threats if compliance mechanism doesnt work well.Therefore,organizations nee

191、d to establish effective systems and processes.As operations of organizations in the GBA are highly integrated and overlapped in Guangdong,Hong Kong and Macau,it is better to integrate laws on three sides,establish an overall compliance framework and implementation standards and norms at group level

192、,and provide customized configuration at specific control points in line with local requirements.As for a robust data security systems and processes,priority should be given to the following respects pursuant to existing laws and regulations:Privacy impact analysisFrom the perspective of compliance,

193、privacy impact analysis is required for organizations to perform under given conditions.The Government has issued Information security technology Guidance for personal information security impact assessment(GB/T 39335-2020)as relevant practice guidance.Furthermore,privacy impact analysis is an impor

194、tant means to identify privacy and compliance risks within an organization.In terms of data security,most organizations dont have a well-established process to make it difficult to identify risks brought by new businesses and systems but rely on subjective consciousness and cognition of project part

195、icipants,posing compliance risks.A roust privacy impact analysis includes trigger conditions,individuals and organizations involved,processes and nodes,analysis standards and requirements,validation standards,which can help organizations identify and measure risks without overreliance on subjective

196、consciousness.Privacy by designTo better embed privacy management and practices into technology,operation,and products,organizations need to incorporate privacy into early-stage design standardization and management processes for new systems and processes.During the whole process from system require

197、ment proposal,implementation to system maintenance,organizations should perform ongoing privacy impact analysis,develop protection requirements,make upfront planning for risk management to avoid inputting a vast number of resources for rectification at a later stage.Data retentionHaving a good under

198、standing of business processes and data usage,organizations should retain data in accordance with laws and regulations and develop a retention plan to ensure that strategic requirements align with provisions of minimum retention period.Moreover,in line with regulations,data retention regimes,consume

199、r requirements,and other business needs,organizations should establish partnerships with business units to understand data lifecycle and data transfer process,build connections among all dimensions of data security,and develop efficient data processing procedures to meet retention and processing req

200、uirements while achieving business growth.Enterprises in GBA:Digitization opportunities,security challenges and response strategies25Data subject rights(DSR)The laws and regulations in Guangdong,Hong Kong and Macau provide for DSR in the process of personal information collection and processing.The

201、rights provided include the right to know,the right to access,the right to rectify,the right to be forgotten,the right to restrict processing,the right to object and the right to data portability.Based on legal requirements on three sides,organizations should establish a robust process and mechanism

202、 in response to the rights of personal information subjects,to help implement the rights of DSR.When an individual makes such a request,the personal information processor shall explicitly notify the individual of the effective and convenient way to exercise the rights and make a timely response.Auth

203、orized consent managementThe requirements for obtaining personal consent during the collection of personal information are specified in mainlands Cybersecurity Law and Personal Information Protection Law,Hong Kongs Personal Data(Privacy)Ordinance and Macaus Personal Data Protection Law.So are specia

204、l scenarios which need to obtain the individuals separate consent.In the context of complex compliance requirements,organizations shall not only obtain authorized consent when collecting personal information,but also restrict the processing of personal information based on the authorized consent sub

205、ject to compliance.As provided in Article 15 of Personal Information Protection Law,individuals have the right to revoke their consents if their personal information is processed based on their consent.Therefore,organizations shall protect users right to revoke authorized consent at users touch poin

206、ts,while synchronizing changes in the internal data processing platform.Cross-border data flowCross-border data flow is specified in the mainlands existing laws,regulations,and other regulatory documents,including Cybersecurity Law,Data Security Law,Personal Information Protection Law,Measures for t

207、he Security Assessment of Outbound Data Transfer.So are Hong Kongs Personal Data(Privacy)Ordinance and Macaus Personal Data Protection Law with less strict provisions.These requirements are about strict rules on cross-border data transmitters,users and processors.During the cross-border flow,organiz

208、ations should develop a detailed cross-border flow plan under the guidance of local laws and regulations and conduct an in-depth evaluation on its legitimacy and justice.Moreover,organizations should conduct gap analysis on their current situations and identify remedies to establish a complete mecha

209、nism of cross-border data flow management.Enterprises in GBA:Digitization opportunities,security challenges and response strategies26Define compliance related roles and responsibilitiesData security compliance is by no means the responsibility of data security management department.Meanwhile,it need

210、s to engage numerous departments with defined responsibilities.By coordinating the resources of all parties,integrating the differences of management demands of each department,and defining roles and responsibilities,can an effective multi-party linkage mechanism and a practical management structure

211、 be developed.As the lead of data security compliance,the data security department is responsible for organizing the development of relevant systems and procedures and supervising the execution.IT department should assist data security department in integrating data security management into routine

212、operations and products through technology,and embedding it into organization-wide systems and business development processes by various means including access control,encryption,desensitization and anti-leakage.Business units including sales team,product team and procurement team should cooperate w

213、ith data security department to sort out the data owned by the organization in a systematic way from a business perspective,including identifying the data processor,understanding the data form,storage method and retention time,and conduct data security management within their scope of business in li

214、ne with data governance requirements.Compliance or legal department should improve the data security management framework pursuant to laws,regulations and regulatory requirements,and conduct regular compliance check and risk assessment.Enterprises in GBA:Digitization opportunities,security challenge

215、s and response strategies27Manage post-outbound transmission risks The management of outbound transmission risks is not just about outbound transmission subject to compliance,but the security management afterwards to fulfil the obligations of data security management.Otherwise,if personal informatio

216、n or other important data are disclosed by a security incident,the organization that transmits data hold it responsible.Post-outbound transmission risk management includes but not limited toIdentity authentication and access control:strictly control the outbound data access,only open sample data to

217、those with sufficient business requirements,provide granular access,and prevent unauthorized access to data beyond the permissionData usage and retransmission management:strictly manage the data processing with no processing beyond the initial purposes;control the data retransmission.Any processing

218、conducts different from what is described in assessment and filing for data transmission shall be reassessed and processed to prevent the important data and personal information from being disposed as general data.Balance business needs and improve privacy protection capabilityThe GBA is set to brin

219、g more convenient cross-border data flow mechanism in the future,while compliance obligations and responsibilities will not be reduced.Organizations need to ensure data security before and after data are transmitted without compromising national development and society.As relevant measures are being

220、 developed,it is difficult for organizations to balance compliance requirements,user experience and business needs nowadays.Therefore,organizations are facing pain points amid both intercompany and intracompany data transmission.In line with current situations and industry practices,it is recommende

221、d that organizations use technology-enabled business process control or privacy computing to achieve data invisibility and availability when planning cross-regional data integration and unified application;provide tagging,aggregation,or analysis platforms instead of raw data after computation to ena

222、ble cross-entity data usage and segregation between data ownership and usage,thus reducing security and compliance risks.Enterprises in GBA:Digitization opportunities,security challenges and response strategies28Organizations need to build up security management capacity to prevent and resolve secur

223、ity threats while considering compliance capability.Specifically,organizations can enhance security management in the following aspects:Data security managementIn June 2021,the Data Security Law passed by the Standing Committee of the 13th National Peoples Congress clearly states that the State shal

224、l establish a data classification and grading protection system to classify and grade the data,according to the importance of data in economic and social development,as well as the extent of the harm to national security,public interests,or the legitimate rights and interests of individuals and orga

225、nizations once data are tampered,damaged,leaked,illegally acquired or used.With tightened regulations on data security,organizations shall establish and improve the whole-process data security management system.As for data asset recognition,organizations may refer to Information security technology-

226、Important data identification guidelines(draft)released in 2022,to understand the elements to identify important data,follow the principles of focusing on security influence,highlighting protection priorities,converging with established rules,considering risks as a whole,integrating qualitative and

227、quantitative dimensions and reviewing dynamic recognition to identify important data within the organization,and standardize the formats for important data description.As for data classification and grading,organizations can refer to implementation guidelines such as Cybersecurity standard practice

228、guidelines-Network data classification and grading guide,Industrial data classification and grading guide(trial),to conduct data analysis based on existing internal rules and practical operation at different dimensions including business impacts,compliance risks and social impacts to develop classif

229、ication and grading standards;define data lifecycle from collection,transmission,storage,processing to destruction at institutional level to build differentiated management requirements and technology-based protection strategy for classified and graded data.Whats more,organizations can refer to some

230、 industry standards,such as Data Management Capability Maturity Model(DCMM)and Data Security Capability Maturity Model(DSMM),with data lifecycle as mainstay including 6 phases from collection,transmission,storage,processing,exchange and destruction,and evaluate security capability from perspectives

231、of organization construction,system process,technology and tools and personnel competence,and establish data security management system based on specific situations to sustain standard management of data lifecycle.Enhance security management capabilityEnterprises in GBA:Digitization opportunities,se

232、curity challenges and response strategies29Cybersecurity managementAs the underlying security capability to support data security,cybersecurity management is of great significance to the overall management and control within an organization.To date,there are no general security standards on building

233、 information security system in Guangdong,Hong Kong and Macau i.e.,provisions related to information security management system have not yet issued in Hong Kong and Macau,while in mainland China,grade-based cybersecurity protection system is in place as general requirements for sophisticated securit

234、y management.Given the operations overlapped,and scenarios that security protection is required after data are transmitted to Hong Kong and Macau,organizations in the GBA,regardless of whether the application system is physically deployed in the mainland,can refer to Information security technology

235、Basic requirements for grade-based cybersecurity protection to develop organization-wide security management system,including security management system,security management organization,security management personnel,security construction system and security operation and maintenance system.With incr

236、eased compliance risks,organizations shall establish a compliance training mechanism for all employees,organize security awareness education and security management system publicity training at every key milestone of an employees career,and regularly organize trainings on compliance awareness and ma

237、nagement,to build an effective performance assessment mechanism.Meanwhile,organizations shall establish processes and mechanisms for reporting non-compliance and security breaches and ensure the mechanisms operate smoothly while processes are optimized and improved on an ongoing basis.Enterprises in

238、 GBA:Digitization opportunities,security challenges and response strategies30As the GBA serves as a hub to exchange onshore and offshore data,organizations in the GBA need to have technology-based security protection capabilities in addition to management capacity to ensure business operation and fu

239、lfill obligations while enjoying the convenience of data flow provided by the State.To enhance security protection,organizations shall establish a good foundation for network resilience Like security management,organizations can build up their security capabilities on graded-based security protectio

240、n system,which is relatively sophisticated and mature in the GBA,regardless of whether security systems are deployed in the mainland.Traditionally,organizations believed that only those registered in the mainland should be improved according to grade-based security protection requirements,while igno

241、ring the fact that the requirements could serve as a guidance for overall security protection as well as the practical value as the most authoritative security standards in GBA.As the most practical security standards,grade-based security protection system can help organizations improve security cap

242、ability and demonstrate to regulators that their operations can meet Chinas security obligations no matter where they are within the region.The grade-based cybersecurity protection system 2.0 reflects the idea of grade-based security protection framework based on one center(security management cente

243、r)and three defenses(secure computing environment,secure area boundary,secure communication network).By complying with these requirements,organizations can develop internal security protection framework at technology-based dimensions including secure physical environment,secure communication network

244、,secure area boundary,secure computing environment and security management center.Take computing environment as an example,where control points are specified including identity authentication,access control,security audit,hacking prevention,malicious code injection prevention,trusted authentication,

245、data integrity,data confidentiality,data backup and recovery,residual information protection and personal information protection,and detailed control requirements are defined for each grade-based control point,which can serve as a reference for organizations.Organizations can build a good foundation

246、 for network resilience based on grade-based security protection system 2.0 and establish a security-oriented proactive defense and perception mechanism.Apart from security standards in the mainland,organizations can also refer to relevant international standards according to their specific situatio

247、ns.For example,NIST SP 800-160 Vol.2 Developing Cyber Resilient Systems:A Systems Security Engineering Approach defines network resilience system and how to build it.In a world where security threats have become inevitable,network resilience can help organizations reduce their losses when they suffe

248、r hacking attempts.Enhance security protection capabilityEnterprises in GBA:Digitization opportunities,security challenges and response strategies31The development of the GBA brings unprecedented opportunities and possibilities for organizations to gain competitive advantages through digitalization.

249、Despite convenient channels and vast resources,organizations may face greater security and compliance challenges.Organizations need to address the differences in cybersecurity,privacy protection and cross-border laws and regulations.Existing compliance capabilities are struggling to address security

250、 challenges and risks Differences in network environment increases difficulty in security protection.It is recommended that organizations enhance security and compliance capabilities when facing security and compliance risks.Given differences in laws and regulations in Guangdong,Hong Kong and Macau,

251、establish a set of precise compliance standards inclusive of privacy protection and cross-border flow requirements,and put them into execution,to meet regulatory requirements on three sidesComprehensively enhance compliance capabilities,including improving organizational structure,optimizing institu

252、tional processes,defining roles and responsibilities,managing outbound risks,and strengthening privacy protection capabilitiesBuild up security management capacity to prevent and resolve security threatsStrengthen security protection capabilities and build a good foundation for network resilienceOrg

253、anizations should keep in mind that they shall ensure data security and compliance,fulfill the obligations and responsibilities of safeguarding national security and users rights and interests while accessing green channels.Only with early planning and thoughtful considerations can organizations ach

254、ieve sustainable growth while enjoying favorable policies.ConclusionEnterprises in GBA:Digitization opportunities,security challenges and response strategies32Appendix Comparison of laws and regulations in mainland China,Hong Kong and MacauAreasComparative analysis of requirements Compliance challen

255、gesMainland ChinaHong KongMacauCybersecurity lawsCyber Security Law,Data Security Law,and relevant implementation regulations,such as the Cybersecurity Review Measures.Hong Kong at present does not have cybersecurity-specific legislations.Nevertheless,one should comply with the personal data securit

256、y and disclosure requirements of the Personal Data(Privacy)OrdinanceCybersecurity Law and others.The processing of data in the GBA shall be subject to different cybersecurity requirements across three regions and considerations should be given to the following issues:Given the broader definition of

257、network operators,critical information infrastructure operators and data processing activities provided by laws in the mainland,analysis should be made on the supervisory requirements for the services provided.The definition of“critical information infrastructure operators”in the mainland and that o

258、f“public and private operators of critical infrastructure”in Macau are different,and so are the cybersecurity responsibilities of such operators on both sides.While Hong Kong at present does not have cybersecurity-specific legislations,the newly amended Personal Data(Privacy)Ordinance provides broad

259、er provisions on disclosing personal data without consent,which can be seen as providing potential criminal liabilities for data processors who failed to comply with cybersecurity responsibilities and were reckless as to whether harm would be caused to the data subject concerned by the disclosure.Sc

260、ope of application of cybersecurity lawsNetwork operators,network products and services providers,data processors,critical information infrastructure operators which include public communication and information services,energy,transportation,water,finance,public services,e-government,defense technol

261、ogy and industry,and other important network facilities and information systems which,in the event of damage,disfunction or data leakage,may seriously harm national security,national economy and peoples livelihood,and/or public interests.Data users,third-party data processors engaged and more.Public

262、 and private operators of critical infrastructure;private operators include private entities,whether domiciled in Macau or outside of Macau,engaging in 12 sectors of services including water supply;banking,finance and insurance;audio-visual broadcasting;fixed or mobile public telecommunications netw

263、ork operation and internet access services.Cybersecurity responsibilityNetwork operators shall fulfill a series of security protection obligations according to grade-based cybersecurity protection system.Network products and services shall meet the mandatory requirements of relevant national standar

264、ds and obtain relevant security certifications.Network service providers shall require users to provide real identity information.Develop emergency plans for cyber security incidents.Operators of critical information infrastructure shall fulfil further security protection obligations,including poten

265、tial requirements for national security review when procuring network products and services,security risk-based random checks,and cybersecurity emergency drills.Establish and improve comprehensive data processes data security management system,take technical measures and other necessary measures to

266、ensure data security.Conduct national security review of data processing activities that compromise or may compromise national security.Data users shall take all practicable steps to ensure that any personal data held by data users are protected against unauthorized or accidental access,processing,e

267、rasure,loss,or usage.Data users shall ensure that third party data processors,whether within or outside Hong Kong,engaged to process personal data shall protect the security of personal data through contractual or by other means.The latest amendments further criminalize the disclosure of personal in

268、formation without consent,if the disclosure is made with intent to cause any specified harm,or having been reckless as to whether specified harm would be caused(including personal,property or psychological harm)to the data subjects.Establish a network security management unit capable of implementing

269、 internal cybersecurity protection measures.Designate cyber security responsible persons and their replacements from qualified and experienced individuals with permanent residence in Macau.Take measures to ensure that cybersecurity responsible persons and their replacements are available to be conta

270、cted by to the Alert and Emergency Response Center at any time.Establish a cybersecurity complaint and reporting mechanism.Develop cybersecurity management system and related internal operating procedures.Take internal measures related to cybersecurity protection,review,early warning,and response to

271、 cybersecurity incidents in accordance with cybersecurity management system and applicable technical specifications.Submit annual cybersecurity reports to relevant regulators.Allow representatives from the Alert and Emergency Response Center to access facilities and information networks,and provide

272、information to such representatives as requested.Enterprises in GBA:Digitization opportunities,security challenges and response strategies33AreasComparative analysis of requirements Compliance challengesMainland ChinaHong KongMacauPrivacy protection lawsCybersecurity Law and Personal Information Pro

273、tection LawPersonal Data(Privacy)Ordinance and relevant approved codes of practice and guidelines issued by the Office of the Personal Privacy Commissioner of Hong KongPersonal Data Protection Law and guidelines issued by the Office of Personal Data Protection of MacauRequirements for privacy and pe

274、rsonal information protection are provided in mainland,Hong Kong,and Macau.Requirements across the three regions have similarities but there are also differences.Among them,one should pay particular attention to the following:Whether the personal information collected in relevant scenarios relates t

275、o any sensitive personal information or automated decision-making(legal definitions provided by laws in the three regions are slightly different).the location of the individuals whose information is processed.Scope of application of privacy protection laws and extra-territorial applicability The Per

276、sonal Information Protection Law applies to the processing of personal information of natural persons both within the mainland of China,and outside of mainland China under specific circumstances.For the purposes of providing products or services to natural persons within the mainland of China.To ana

277、lyze and evaluate the conducts of natural persons within the mainland of China.Other circumstances stipulated by laws and administrative regulations.The Personal Data(Privacy)Ordinance applies to any data user who controls the collection,holding,processing or use of personal data in or from Hong Kon

278、g.The latest amendments enable law enforcement agencies to send cessation notices to non-Hong Kong service providers,requiring them to take cessation actions,and such notices could be served by leaving,post,fax and/or email to the last known address outside Hong Kong.Personal Data Protection Law app

279、lies to:automated processing of personal data either wholly or in partnon-automated processing of personal data held or to be held in a manually operated databaseprocessing of personal data for public security purposesRecorded surveillance over voices and images of identifiable persons,and obtaining

280、,processing and dissemination of those voices and images by other meansIn general,the Personal Data Protection Law has no express provisions for extra-territorial application.Requirements for collecting,using,and processing personal data and personal data rights Both the Cybersecurity Law and the Pe

281、rsonal Information Protection Law provide detailed requirements.The Personal Information Protection Law further provides for circumstances where separate individual consent is required,including processing sensitive personal information,publicly disclosing the personal information processed,providin

282、g the personal information processed to other personal information processors,and providing personal information outside of mainland China.However,there are exceptions.The Personal Data(Privacy)Ordinance provides detailed requirements,including the six data protection principles provided in Schedule

283、 1.There are different circumstances where different types of consent shall be obtained,including using personal data for new purposes,transferring such data,matching procedures,and direct marketing.One should also note the detailed exemptions as provided in the Ordinance.There are newly added crimi

284、nal offence provisions for disclosing personal information without consent including being reckless as to whether the disclosure causes the specified harm to the data subject.The Personal Data Protection Law provides detailed requirements.Generally,express consent shall be obtained for processing pe

285、rsonal data and sensitive data,disclosing or disseminating personal data wholly or in part,transferring personal data out of Macau.Also,one should note the circumstances provided in the Personal Data Protection Law where consent is not required.Provisions related to sensitive personal data and autom

286、ated decision-makingThere are detailed requirements for processing sensitive personal dataFor specific purposesWith sufficient necessityTaking strict protection measuresThere are detailed requirements for automated decision-makingEnsuring transparency of the decision-making and the fairness and impa

287、rtiality of the result.Must at the same time provide options not specific to individuals characteristics,or convenient ways for refusal.Unreasonable differential treatment shall not be given to individuals in terms of trading price or other trading conditions.There is no specific provision,but the O

288、ffice of the Privacy Commissioner for Personal Data has approved codes of practice and guidelines in place.Violation of relevant provisions may become evidence of violation of relevant provisions of the Ordinance.Detailed requirements are provided,including:The respective prohibited activities and p

289、ermitted activities of processing of sensitive dataThe respective circumstances where an individual shall be bound by automated decision-making,and an individuals right not to be bound by automated decision-making.Enterprises in GBA:Digitization opportunities,security challenges and response strateg

290、ies34AreasComparative analysis of requirements Compliance challengesMainland ChinaHong KongMacauData localizationAs provided by the Cybersecurity Law and the Personal Information Protection Law,the following information shall be stored within the mainland of China,and relevant security assessment sh

291、all be conducted when data are provided across the border.Personal information and important data collected and generated by critical information infrastructure operators during their operation within the mainland of ChinaPersonal information processed by state agenciesPersonal information collected

292、 and generated within the mainland of China by personal information processors with personal information processed reaching the threshold specified by the national cyberspace administration departmentThere is no express requirement for data localization provided in the Personal Data(Privacy)Ordinanc

293、e.Attentions shall be drawn to whether there are profession or industry-specific data localization requirements.There are no express requirements for data localization provided in the Personal Data Protection Law and the Cybersecurity Law.Businesses engaged in operations in mainland,Hong Kong and Ma

294、cau shall be subject to laws and regulations in the three regions while conducting cross-border data transfer.One must note:Whether businesses are subject to data localization requirements provided by laws and regulations.In this regard,attention must be drawn to the requirements in the mainland and

295、 any information that is required to be stored in the mainland shall be stored within the mainlandThe nature of the cross-border data transfer,and whether businesses have complied with the requirements provided by the relevant laws and regulations of the three regions,as well as requirements of the

296、guidelines of regulatory authoritiesCross-border data transmissionThe Measures for the Security Assessment of Outbound Data Transfer require data processors to conduct data cross-border security assessment if any of the following conditions are met:the outbound data comprises personal information an

297、d important data collected and generated by operators of critical information infrastructure;the outbound data contains important data;a personal information processor that has processed personal information of more than one million people provides that personal information to entities overseas;the

298、personal information of more than 100,000 people or sensitive personal information of more than 10,000 people are transferred overseas accumulatively;orthe circumstances under which security assessment of outbound data is required as prescribed by the CACSection 33 of the Personal Data(Privacy)Ordin

299、ance provides for requirements for cross-border transfer of personal data,but these requirements have not yet been in effect.Cross-border transfer of personal data must comply with the provisions on transfer of personal data with third parties specified in the Personal Data(Privacy)Ordinance as well

300、 as the relevant guidelines on cross-border transfer of personal data issued by the Privacy Commissioner.There are requirements,including:Ensuring appropriate protection by the local legal system in the jurisdiction where data are to be received.Complying with other provisions stated in the Personal

301、 Data Protection Law.However,there are exceptions(i.e.,cross-border transfer of personal data is permissible in certain circumstances where the receiving party is unable to ensure an appropriate level of protection).Vincent ChanPartnerGreater Bay Area LeaderConsultingErnst&Young Advisory Services Li

302、mited+852 2629 Contact usWinson WooPartnerConsulting,China SouthErnst&Young(China)Advisory Limited+86 20 2881 Juliet ZhuSenior ManagerConsultingErnst&Young Advisory Services Limited+852 3758 Alvin Guan Senior ManagerConsultingErnst&Young(China)Advisory Limited+86 20 2838 EY|Building a better working

303、 worldEY exists to build a better working world,helping to create long-term value for clients,people and society and build trust in the capital markets.Enabled by data and technology,diverse EY teams in over 150 countries provide trust through assurance and help clients grow,transform and operate.Wo

304、rking across assurance,consulting,law,strategy,tax and transactions,EY teams ask better questions to find new answers for the complex issues facing our world today.EY refers to the global organization,and may refer to one or more,of the member firms of Ernst&Young Global Limited,each of which is a s

305、eparate legal entity.Ernst&Young Global Limited,a UK company limited by guarantee,does not provide services to clients,nor does it own or control any member firm or act as the headquarters of any member firm.Information about how EY collects and uses personal data and a description of the rights ind

306、ividuals have under data protection legislation are available via member firms do not practice law where prohibited by local laws.For more information about our organization,please visit .2022 Ernst&Young,China.All Rights Reserved.APAC no.03014465ED NoneThis material has been prepared for general informational purposes only and is not intended to be relied upon as accounting,tax,legal or other professional advice.Please refer to your advisors for specific us on WeChatScan the QR code and stay up-to-date with the latest EY news.