On 15 August 2017, EY and the Hong Kong Corporate Counsel Association (HKCCA) jointly launched a seminar on doing business in mainland China under the latest cybersecurity and data protection legal framework, held at the EY conference centre in Hong Kong. Dr. Zhong Lin, partner of EY Chen & Co. Law Firm, and Keith Yuen, partner and the Greater China cybersecurity leader of Ernst & Young (China) Advisory Limited, were invited to give keynote speeches and share their insights on this hot topic. Representatives of local and multinational companies from a variety of industrial sectors registered for the seminar.
With the Cybersecurity Law of China in effect as of 1 June 2017, compliance with the Chinese cybersecurity and data protection legal framework has become critical for any company doing business in mainland China. How do companies keep up with the latest data protection and cybersecurity legal developments and requirements in China? What will they do to achieve data protection and cybersecurity compliance in China? How will they be punished if they fail to meet the new requirements? Both speakers addressed those questions with in-depth analysis of the complicated laws, presented in an easy-to-understand way.
To start with, Dr. Lin laid a solid foundation for the audience with a brief introduction to the legal background and evolution of the cybersecurity and data protection regulations in China. He then explained the definitions of personal information, network and network operators under the legal framework. He pointed out that companies not compliant with the law will face sanctions such as fines, suspension of the business license, suspension of the business activity until rectification, or shutdown of the website. Having discussed the potential legal and business risks under the new laws, Dr. Lin suggested effective solutions for keeping the risks that companies have been encountering under control.
Dr. Lin advised that companies develop a cybersecurity and data protection localization program, deploy department-wide cybersecurity and data protection protocols and guidance, and reinforce cybersecurity and data protection training for employees to raise their awareness. Where the elements for compliance and the compliance targets are not clearly defined, he also recommended producing a data mapping focused on the data flows and the origin/recipient of the personal information, together with a data protection and cybersecurity health-check.
Keith focused on the guidelines for cross-border data transfer security assessment. He differentiated personal information from personal sensitive information, then explained that important data is closely related to national security, economic development, or social and public interests. Numerous sectors would be impacted if their business involved cross-border data transfer, including but not limited to telecommunication, mail & express, population health, finance, credit, food & medicine, broadcast & television, and e-commerce.
The other key issues he covered also held the close attention of the attendees: When do companies need to conduct cross-border data transfer security self-assessments? How will the assessments be conducted, and what are the implications of the assessment results? Keith also drew up a scenario for the audience to judge whether the data were legal and legitimate, and instructed them to consider the combined risk rating and, most importantly, to come up with possible solutions.
The one-hour seminar turned out to be very informative and inspiring for the audience. They showed further interest in future discussions and looked forward to working with EY to address their practical issues.
Members can find slides of the presentation on the Resources section: Seminar Materials.