On January 30, 2022, Shanghai issued the first official Corporate Data Compliance Guideline. The 38-article document directs companies to strengthen their data management in four areas: data compliance, and the identification, assessment and elimination of data risks. The guideline makes a company's management responsible for data compliance and recommends that a dedicated data compliance management department be established; at the same time, it discourages the company's legal department from taking on compliance management responsibilities, so that the compliance function remains separate from it.
The section on identifying data risks also sets out prohibited activities and rules for handling personal data. For cross-border transfers of personal data, Chinese regulations on cross-border data transfer must be complied with, and a self-assessment of the risks of the transfer must be carried out beforehand. Data processors must obtain the consent of the individuals concerned and provide them with the following information: the name and contact details of the foreign data recipient, the purpose and nature of the processing, the types of personal data transferred, and how the individuals can exercise their rights over their personal data with the foreign recipient.
The guideline also calls for a data security incident response plan and more employee training on data compliance. Although the guideline itself is not mandatory at this time, data processors should be aware that breaches of the underlying data protection laws and regulations it summarizes can carry civil, administrative and criminal liability.
The guideline is considered a model for corporate compliance reform and serves as a reference for data processing companies in China. Because it is not mandatory, it remains uncertain when a comprehensive management system for corporate data compliance will be established in practice. Companies should nevertheless continue to expand the resources they devote to corporate data compliance.