China’s innovation vision is a double-edged sword for international businesses. On the one hand, greater digitalization streamlines business operations; on the other hand, it accelerates Chinese legislation around data protection and cybersecurity.
Given the number of questions we have received recently from our clients, and as a direct benefit of our growing collaboration, we asked our longtime friend, TekID’s CEO & co-founder Maxime Oliva, to shed light on how to carefully and successfully navigate this complex business reality. His observations and insights are brought to you in this article.
Digital compliance is part of WFOE management in China
Compliance, in general, is an essential aspect of business management worldwide. However, says Oliva, “the necessity of digital compliance in China has grown considerably, requiring increased attention from international companies doing business in China.” This change in significance stems from China’s new focus – in the past few decades, China has focused on fast growth, quantity over quality. Yet today, China seeks cyberspace sovereignty and commitment from businesses to data privacy and protection.
This approach explains the expansion of the “data protection” legislative framework we have witnessed in China lately, primarily by rolling out the Personal Information Protection Law (PIPL), the Data Security Law, and the Cyber Security Law. More importantly, it’s vital to understand that these laws impact ALL the companies in China, and, therefore, they should strategize their activities accordingly.
For instance, companies that wish to enter the Chinese market might need to raise their registered capital or allocate more budget to initiating their China operation in order to ensure compliance. For companies already doing business in China, compliance grants a competitive edge. The capability to demonstrate compliance matters a great deal to customers and suppliers, who will demand guarantees that you are worth doing business with.
Refuting some misconceptions by B2B companies in China
Many B2B companies wrongly assume that data laws and digital compliance have nothing to do with them. Maxime points out three things to clarify.
First, in the eyes of the law, there is no such thing as “too small.” This is particularly true for small and medium-sized B2B companies that handle “only” the personal data of their employees and clients – China’s legal environment is structured in layers, and each of them needs to be complied with. Simply put, complying merely with PIPL is not enough. Besides, no law is more important than another, so every obligation has the same severity level.
Secondly, and this is particularly important for industrial companies and those engaging in manufacturing in China – such companies process what is considered by Chinese authorities as “important business data.” Such a definition puts them at a higher risk of exposure and scrutiny.
The last point is relevant for B2B companies in the service sector who work primarily with B2C companies, such as marketing agencies, recruitment agencies, legal advisory, accounting firms, etc. – these service providers are entrusted not only with their clients’ data, but also with the data of their clients’ clientele. Thus, they must abide by all compliance regulations under the umbrella of the China cybersecurity law.
Practical steps to reinforce digital compliance today
Above all, says Oliva, “international managers have to adjust their prioritization. If, until today, companies could simply disregard digital compliance, this is no longer the case. Digital compliance has become a fundamental part of WFOE management in China that needs to be adequately addressed.”
- Companies doing business in China can evaluate their compliance status by performing due diligence. This thorough “self-assessment” includes compiling a list of points that indicate compliance and must be reviewed.
- Companies can obtain the “cybersecurity classified protection scheme” certificate. This certification affirms that the company’s systems reach the expected level of compliance with the Chinese authorities.
- Companies can also benchmark their compliance by getting the authorities’ approval to carry out cross-border data transfers.
How to ensure long-term digital compliance?
While the abovementioned measures can do in the meantime, they won’t prove beneficial in the long run. First, they are too niche to cover full compliance across all business aspects. Furthermore, China’s legal framework is layered, intricate, industry-specific, and location-specific; thus, there is a good chance that international companies will fail to comply with all the fine print of the law and will need some China business support.
Maxime outlined how a professional third party can help you ensure ongoing and long-lasting digital compliance:
A local expert service provider would check your business’s “risk exposure.” This consulting trick helps to classify risks by considering which obligations are publicly visible or purely internal, and by looking at which obligations must be put in place in order to fulfill another obligation. That way, companies can prioritize risks and work around risk exposure.
The next step is to define compliance KPIs and implement tools to monitor this compliance, for instance, dashboards that evaluate compliance periodically and alert in cases of deviation from the highest compliance level. Reaching maximum compliance is not easy, and the more the business develops, the more challenging it becomes. Hence, it’s recommended to maintain and track continuous compliance. No one wants to invest a wealth of resources in compliance assurance, and two years later, suddenly realize that they are not compliant anymore…
And he left us with a bonus tip: “It’s interesting to point out that China’s policies are forward-looking. In other words, the Chinese authorities enact regulations today, following market trends they foresee in the next 5 or 10 years. The takeaway from this approach is that those who do their homework and make the necessary adjustments here and now will reap the benefits in the future.”
China’s business ecosystem is digitalizing. Business operation systems and bureaucratic procedures are already shifting to digital, so it’s imperative to keep up-to-date with the new legislation and prepare accordingly. This includes, among other things, the implementation of control and supervision mechanisms. At PTL Group we can help you build and manage your business responsibly.