The recent promulgation of the ‘Data Security Law’ and ‘The Personal Information Protection Law of the People’s Republic of China’ means that companies now face a period of stricter data compliance supervision, with new challenges arising in corporate employment management and the handling of employee personal information.
Decentralised data management: Data usage scenarios within an organisation are complex, and management responsibilities often overlap or are dispersed across different departments. The lack of an organisational mechanism, system and process for overall data security management puts organisations at risk of failing to properly manage personal information and important data.
Data collection and use violations: When collecting and using personal data, the purpose, application, scope and any related changes of collection and use must be explained to the data providers. Failure to do so creates the risk of illegal collection and use of data. For example, failing to disclose the purpose and use of personal information collected from candidates during interviews and background checks, or collecting excess data during onboarding without sufficient disclosure of the scope of collection, can both lead to compliance risks.
Data theft and leakage: As technologies such as cloud computing, big data and artificial intelligence continue to advance, employees’ personal privacy and important data are increasingly exposed to theft through multiple channels on the Internet. When companies exchange data with a third party or engage a third-party service, direct access to employees’ personal data by that third party may pose risks of data leakage and illegal use.
Tightened global regulation: Countries around the world have recently enacted a number of laws and regulations on data and privacy protection. As a result, global organisations face the challenge of meeting the data compliance requirements of both the originating and the recipient country when transferring and managing data across borders. This is a key challenge for organisations navigating an increasingly stringent regulatory landscape.
Establish a robust data management organisation: Appoint a data protection officer and clarify the responsibilities and the RACI matrix (R: Responsible, who executes; A: Accountable, who approves; C: Consulted, who is consulted; I: Informed, who is kept informed) for relevant departments such as business, HR, internal control, compliance, information security, risk management and internal audit. Establish, implement and promote a normative data security system from a group-wide perspective, with the data management organisation coordinating and leading. On the basis of data security compliance, promote ‘mining the value of data and boosting the digital development of companies’ and avoid a ‘one size fits all’ approach to data management.
Establish a data management system: Categorise the HR business scenarios that involve data security and summarise the legal requirements that apply to corporate HR management. Based on those requirements and the company’s business characteristics, establish and improve a data security management system covering the full data lifecycle, including classification and grading, de-identification, cross-border data transfer, risk assessment, etc. Manage the entire process of data collection, storage, use, processing, transmission, deletion and destruction, with well-defined responsibilities for each participant, clarified procedures, and security controls at each step of data management.
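As an added illustration of two controls named above (purpose-bound field minimisation and de-identification before data reaches a third-party processor, which is the leakage scenario in the risks section), the following example is not from the original article or from PwC. The purpose register, field names, sample employees and the demo HMAC key are all constructed for this example; in practice the key would be held in a KMS and the register would come from the company’s data management system.

```python
"""Added example, not from the original article or PwC: de-identification and
field minimisation applied to HR records before they are handed to an external
processor. Field names, purposes, the demo key and the sample employees are
all constructed for this example."""
import hashlib
import hmac
from datetime import date

# Demo key only (assumption); in production the key lives in a KMS/HSM and never
# leaves the company, which is what lets it re-link vendor results later.
DEMO_KEY = b"example-only-hmac-key-do-not-use-in-production"
# Fixed reference date so the age bands below are reproducible.
AS_OF = date(2024, 6, 1)

# Purpose register (assumed): which fields a recipient may receive for a stated
# purpose, and whether direct identifiers must be replaced by pseudonyms.
PURPOSES = {
    "background_check": {"fields": {"employee_id", "name", "id_number", "education"},
                         "pseudonymise": False},
    "benefit_analytics": {"fields": {"employee_id", "department", "birth_date", "salary"},
                          "pseudonymise": True},
}
DIRECT_IDENTIFIERS = {"employee_id", "name", "id_number"}

# Constructed sample records (fictitious people and ID numbers).
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Zhang Wei", "id_number": "110101199001011234",
     "department": "Finance", "birth_date": "1990-01-01", "salary": 18000, "education": "Bachelor"},
    {"employee_id": "E1002", "name": "Li Na", "id_number": "310101197807155678",
     "department": "R&D", "birth_date": "1978-07-15", "salary": 32000, "education": "Master"},
]

def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, 32 hex chars). Deterministic, so the same
    employee maps to the same token across exports, but without the key it
    cannot be reversed; an unkeyed hash could be brute-forced over the small ID space."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]

def age_band(iso_birth_date: str, today: date) -> str:
    """Generalise an exact birth date (a quasi-identifier) to a 10-year age band."""
    born = date.fromisoformat(iso_birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = age // 10 * 10
    return f"{low}-{low + 9}"

def prepare_for_transfer(records, purpose: str, key: bytes, today: date):
    """Return only what the registered purpose allows, with identifiers protected.
    Refuses unregistered purposes: an export with no stated purpose is exactly
    the 'use beyond the disclosed scope' risk the article describes."""
    if purpose not in PURPOSES:
        raise ValueError(f"purpose not registered: {purpose}")
    policy = PURPOSES[purpose]
    out = []
    for rec in records:
        row = {}
        for field in sorted(policy["fields"]):      # minimisation: nothing else leaves
            value = rec[field]
            if field in DIRECT_IDENTIFIERS and policy["pseudonymise"]:
                row[field] = pseudonymise(value, key)
            elif field == "birth_date":
                row["age_band"] = age_band(value, today)
            else:
                row[field] = value
        out.append(row)
    return out

def relink_table(records, key: bytes):
    """Kept in-house: maps pseudonyms back to employee IDs for returned results."""
    return {pseudonymise(r["employee_id"], key): r["employee_id"] for r in records}

if __name__ == "__main__":
    for row in prepare_for_transfer(EMPLOYEES, "benefit_analytics", DEMO_KEY, AS_OF):
        print(row)
```

The background-check purpose deliberately keeps name and ID number in clear, because that vendor cannot do its job without them; what it loses is salary and department. The analytics purpose gets the opposite treatment. The point is that the purpose disclosed to the employee, not the recipient’s wish list, decides both which fields leave and in what form.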
Sign legally binding documents: Identify the relevant parties in internal and external personal data sharing, transmission and entrusted processing, and sign transfer agreements with external parties following the standard contract templates stipulated by national law. With internal parties, clarify the rights and obligations of each party concerning data protection: formulate management systems, sign transfer agreements, add personal data protection clauses to employment contracts, assignment agreements and similar documents, and ensure that data processing activities are backed by legally binding documents.
Conduct regular technical security assessments: Conduct technical assessments of the company’s current HR-related applications, servers, network equipment and physical environments to identify and fix security vulnerabilities. Identify sensitive assets that may be reachable by unauthorised parties on the Internet, including sensitive documents, domain names, URLs, identity credentials and code bases, and implement safeguards to protect those assets accordingly.
Establish a global privacy compliance operation platform: Establish a privacy security platform, set up mechanisms on it to track regulatory change, remain vigilant to the supervision and compliance requirements of the regions where overseas subsidiaries are located, and build a dynamic knowledge base of laws and regulations. Use the platform to record the entire data management lifecycle, including personal consent records, records of data processing activities, records of cross-border data transfers and other activities.
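One concrete piece of the technical assessment above, finding identity credentials that have leaked into code bases and configuration, can be demonstrated with a small secret scan. The following is an added example, not from the original article or from PwC; the detection patterns are generic shapes (an AWS access key ID prefix, PEM private key headers, password assignments, bearer tokens) and the sample files are constructed for the example. The AWS key shown is Amazon’s published documentation example, not a real credential.

```python
"""Added example, not from the original article or PwC: a minimal scan for
exposed credentials of the kind a technical assessment looks for in code bases,
configuration files and documents. Patterns and sample files are constructed."""
import re
from collections import Counter

# Generic secret shapes (assumed set; a real scan would carry many more).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # No leading \b: DB_PASSWORD must still match, and '_' is a word character.
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]{6,})"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}

# Values that look like secrets but are documentation placeholders; skipping
# them keeps the report actionable.
PLACEHOLDERS = {"changeme", "password", "<password>", "xxxxxxxx", "example"}

# Constructed sample "repository": path -> file content.
SAMPLE_FILES = {
    "config/settings.py": "DB_PASSWORD = 'S3cret!Pass'\nDEBUG = False\n",
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nREGION=cn-north-1\n",
    "docs/setup.md": "Set password: changeme before first run.\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ\n",
    "src/client.py": 'headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc123"}\n',
}

def redact(secret: str) -> str:
    """Never copy a found secret into the report; keep only enough to locate it."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]

def scan_text(path: str, text: str):
    """Return one finding per pattern match, excluding known placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                if secret.lower() in PLACEHOLDERS:
                    continue
                findings.append({"path": path, "line": lineno,
                                 "type": name, "excerpt": redact(secret)})
    return findings

def scan_files(files):
    """Scan an in-memory tree; swap in os.walk + open() for a real checkout."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings

def summarise(findings):
    """Counts by finding type, the figure an assessment report usually leads with."""
    return dict(Counter(f["type"] for f in findings))

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['type']} {f['excerpt']}")
    print(summarise(scan_files(SAMPLE_FILES)))
```

The scan reports the placeholder in docs/setup.md as nothing, and the four real-looking secrets with their values redacted. In a real assessment the same patterns would be run over commit history as well as the working tree, since a secret deleted in a later commit is still retrievable from the repository.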
With the rapid development of the Chinese economy, Chinese companies have a growing need for both domestic and overseas markets. Alongside this growth, China has introduced a series of laws and regulations such as the ‘Labour Law of the People's Republic of China’, the ‘Labour Contract Law of the People's Republic of China’, the ‘Social Insurance Law of the People's Republic of China’ and the ‘Law of the People’s Republic of China on Promotion of Employment’, which have gradually improved China’s labour and employment law system. As demand for labour continues to expand, employee hiring, departures, transfers and promotions have become more frequent. Ensuring compliance with labour law has become an important issue for Chinese companies as they rapidly expand their production and operating capabilities.
Common labour and employment compliance risks:
More and more companies are recognising labour and employment risks and taking proactive measures to prevent them, while improving their internal management mechanisms at the same time. PwC can provide a range of risk prevention measures and schemes, including but not limited to:
Timely development of risk contingency plans and implementation support in the face of emergencies.