OUTCOME SEEKING: A DATA SECURITY STRATEGY THAT ENABLES COMPLIANCE WITH CHINA'S CROSS-BORDER DATA FLOW REGULATIONS.
The Chinese regulatory authority, the Cyberspace Administration of China (CAC), has relaxed the compliance requirements for cross-border data flows. (Of course, in this context it's all about the outbound flow of China data!)
Exemptions from data security assessments or regulatory filings are now available. This is a significant relief for companies that are not CIIOs (Critical Information Infrastructure Operators) or that do not process sensitive personal information. However, it comes with a caveat:
“With fewer [authority] resources needed for handling the filings and approvals of cross-border data transfers, it is possible that [they] may spare more resources on enforcement of the regulations. Therefore, it is important for data processors to conduct data mapping and implement data tracking mechanisms … for compliance with these new regulations.” White & Case, Global Law Firm
In this article:
Data Mapping: Navigating Your Data Landscape
Data Tracking: Maintaining Control and Transparency
Automated Monitoring Tools: Empowering Your Data Protection Strategy
Where to Start?
Data Mapping: Navigating Your Data Landscape
- System / Data Inventory: Creating an inventory is the first step towards effective data protection. Take stock of all the personal information and important data your organization collects, processes, and stores. This inventory provides a clear picture of your data landscape. Start with what you know and gradually build it out.
- Data Classification: Categorise your data based on sensitivity and regulatory requirements. This classification helps you prioritize protection efforts and determine the appropriate level of security for different types of data. You might need to have a mapping between the Data Classification Schema globally vs. China.
- Data Flow Diagrams: It is impossible to visualise the flow of all data within your organization (such a diagram would only reproduce the complexity of the real world!). Start with a PoC on one data set: map out its origin, storage locations, and destinations. By understanding how data moves, you can identify potential vulnerabilities and implement appropriate security measures.
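The three mapping steps above fit together as a small data model: an inventory of data sets, a mapping from the global classification schema to the China categories, and the flow edges of a PoC. The following is an added example written for this article, not the author's own tooling; the data set names, systems, countries and category labels are constructed, and the global-to-China label mapping is an assumption that a real organisation would replace with its own schema. It derives the outbound-from-China flows, singles out the ones carrying sensitive personal information or important data, and renders the flow map as Graphviz DOT so it can be drawn.

```python
"""Added example (not from the article): a minimal data inventory with
classification and flow mapping, used to find which flows leave China and
carry sensitive personal information or "important data"."""
from dataclasses import dataclass

# Assumed mapping from a global classification schema to China categories.
GLOBAL_TO_CHINA = {
    "public": "general",
    "internal": "general",
    "confidential": "personal_information",
    "restricted": "sensitive_personal_information",
    "regulated": "important_data",
}
NEEDS_ATTENTION = {"sensitive_personal_information", "important_data"}


@dataclass(frozen=True)
class Dataset:
    name: str
    global_label: str   # label from the global classification schema
    stored_in: str      # system holding the data
    country: str        # where that system is located

    @property
    def china_category(self) -> str:
        return GLOBAL_TO_CHINA[self.global_label]


@dataclass(frozen=True)
class Flow:
    dataset: str
    source_system: str
    dest_system: str
    dest_country: str
    purpose: str


def inventory() -> dict:
    """Constructed inventory: start with what you know and build it out."""
    items = [
        Dataset("crm_contacts", "confidential", "crm-cn", "CN"),
        Dataset("hr_medical_records", "restricted", "hris-cn", "CN"),
        Dataset("plant_telemetry", "regulated", "scada-cn", "CN"),
        Dataset("marketing_site_stats", "public", "web-cn", "CN"),
    ]
    return {d.name: d for d in items}


def flows() -> list:
    """Constructed flow-diagram edges for the PoC scope."""
    return [
        Flow("crm_contacts", "crm-cn", "crm-global", "DE", "global sales reporting"),
        Flow("hr_medical_records", "hris-cn", "hris-global", "US", "group HR consolidation"),
        Flow("plant_telemetry", "scada-cn", "analytics-cn", "CN", "predictive maintenance"),
        Flow("plant_telemetry", "scada-cn", "analytics-global", "SG", "group dashboards"),
        Flow("marketing_site_stats", "web-cn", "analytics-global", "SG", "web analytics"),
    ]


def outbound_flows(inv, edges):
    """Flows whose source system is in China and whose destination is not."""
    return [f for f in edges
            if inv[f.dataset].country == "CN" and f.dest_country != "CN"]


def flows_needing_review(inv, edges):
    """Outbound flows carrying the categories the article singles out."""
    return [f for f in outbound_flows(inv, edges)
            if inv[f.dataset].china_category in NEEDS_ATTENTION]


def to_dot(edges) -> str:
    """Render the flow map as Graphviz DOT so it can be drawn."""
    lines = ["digraph dataflows {"]
    for f in edges:
        lines.append(f'  "{f.source_system}" -> "{f.dest_system}" [label="{f.dataset}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    inv, edges = inventory(), flows()
    for f in flows_needing_review(inv, edges):
        print(f"REVIEW {f.dataset} ({inv[f.dataset].china_category}) "
              f"-> {f.dest_country}: {f.purpose}")
    print(to_dot(edges))
```

The useful output is the short review list, not the full diagram: it tells you which PoC flows deserve the data-tracking and filing attention described in the next section, while general data such as the web statistics leaves China without review.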
Data Tracking: Maintaining Control and Transparency
- Data Access Logs: Implement logging mechanisms that record access to personal information and important data. Capture details such as who accessed the data, when it was accessed, and for what purpose. This audit trail enhances accountability and aids in incident investigation.
- Data Transfer Auditing: Monitor and track data transfers outside of China. Keep a record of the parties involved, the type of data transferred, and the purpose of the transfer. This auditing process ensures compliance with regulatory requirements and helps detect any unauthorized data flows.
- Encryption and Access Controls: Apply robust encryption techniques and access controls to protect data from unauthorized access and ensure that only authorized individuals can access and transfer sensitive information. These measures add an extra layer of security to your application access controls.
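Data transfer auditing only works if each outbound transfer is recorded with who, when, what, to whom and why, and then compared against what was approved. Below is an added example of that comparison, not code from the article: it parses constructed key=value audit lines, checks each transfer against a constructed register of approved (data set, recipient, purpose) combinations with a volume ceiling, and produces findings for anything outside the register or carrying sensitive personal information. The log format, field names and register contents are all assumptions made for the example.

```python
"""Added example (not from the article): reviewing a data-transfer audit log
against a register of approved cross-border transfers."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    actor: str          # who initiated the transfer
    dataset: str
    category: str       # China data category from the inventory
    recipient: str      # receiving party / system outside China
    country: str
    purpose: str
    records: int


# Constructed register: (dataset, recipient, purpose) -> max records per transfer
APPROVED = {
    ("crm_contacts", "crm-global", "global sales reporting"): 100_000,
    ("plant_telemetry", "analytics-global", "group dashboards"): 50_000,
}


def parse_line(line: str) -> Transfer:
    """Parse one constructed key=value audit line (underscores stand in for
    spaces inside the purpose field)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Transfer(
        ts=datetime.fromisoformat(fields["ts"]),
        actor=fields["actor"],
        dataset=fields["dataset"],
        category=fields["category"],
        recipient=fields["recipient"],
        country=fields["country"],
        purpose=fields["purpose"].replace("_", " "),
        records=int(fields["records"]),
    )


def findings(t: Transfer) -> list:
    """Reasons a transfer needs follow-up; empty list means it is clean."""
    out = []
    key = (t.dataset, t.recipient, t.purpose)
    if key not in APPROVED:
        out.append("not in approved-transfer register")
    elif t.records > APPROVED[key]:
        out.append(f"volume {t.records} exceeds approved ceiling {APPROVED[key]}")
    if t.category == "sensitive_personal_information":
        out.append("sensitive PI: confirm consent and filing basis before release")
    return out


def audit(lines) -> list:
    """Pair every transfer with its findings; the full record is kept so the
    audit trail (who, when, what, to whom, why) survives alongside the verdict."""
    report = []
    for line in lines:
        t = parse_line(line)
        report.append((t, findings(t)))
    return report


# Constructed sample log lines
SAMPLE_LOG = [
    "ts=2024-06-03T09:12:00 actor=li.wei dataset=crm_contacts "
    "category=personal_information recipient=crm-global country=DE "
    "purpose=global_sales_reporting records=8200",
    "ts=2024-06-03T11:40:00 actor=svc-etl dataset=plant_telemetry "
    "category=important_data recipient=analytics-global country=SG "
    "purpose=group_dashboards records=75000",
    "ts=2024-06-04T02:05:00 actor=zhang.min dataset=hr_medical_records "
    "category=sensitive_personal_information recipient=hris-global country=US "
    "purpose=group_HR_consolidation records=310",
]

if __name__ == "__main__":
    for t, issues in audit(SAMPLE_LOG):
        status = "OK" if not issues else "; ".join(issues)
        print(f"{t.ts:%Y-%m-%d %H:%M} {t.actor:10} {t.dataset:20} -> {t.recipient} ({t.country}): {status}")
```

The register is the piece most organisations lack: without it, the log only tells you what happened, not whether it was supposed to happen. Encryption and access controls sit in front of this check, limiting who can initiate a transfer at all; the audit catches the cases that still get through.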
Automated Monitoring Tools: Empowering Your Data Protection Strategy
- Data Loss Prevention (DLP) Systems: Deploy DLP systems that automatically detect and prevent unauthorized data transfers or breaches. These systems generate alerts for suspicious activity, allowing you to take prompt action to mitigate risks. Again, you need to know where your sensitive data or "important" data is; deploying DLP everywhere is not possible.
- Intrusion Detection and Prevention Systems (IDPS): Leverage IDPS solutions to monitor network traffic and identify potential data leaks or unauthorized access attempts. These systems act as a proactive defense mechanism, helping you stay one step ahead of potential threats.
- User Activity Monitoring: Use specialized software to track how users interact with data, including data access patterns. This enables you to identify unusual or non-compliant activity and respond quickly to potential data breaches or insider threats, but only once you have a good idea of where the sensitive data is and what normal behaviour around it looks like.
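The user-activity point above is the one most often skipped: a monitoring tool can only flag "unusual" once it knows which data sets matter and what each user's normal pattern on them is. The following added example, written for this article rather than taken from it, shows the minimum form of that baseline. It scopes monitoring to data sets already classified as sensitive in the inventory, builds a per-user, per-data-set daily baseline, and flags a day whose volume is far above that user's own other days (a leave-one-out mean plus three standard deviations). The access events, the sensitive set and the thresholds are constructed for the example.

```python
"""Added example (not from the article): a per-user access baseline over
data sets already known to be sensitive, flagging volumes well outside the
user's own normal pattern."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed to come from the data inventory / classification step.
SENSITIVE = {"hr_medical_records", "plant_telemetry"}

# Constructed access events: (day, user, dataset, records_read)
EVENTS = [
    ("2024-06-01", "li.wei", "hr_medical_records", 12),
    ("2024-06-02", "li.wei", "hr_medical_records", 9),
    ("2024-06-03", "li.wei", "hr_medical_records", 14),
    ("2024-06-04", "li.wei", "hr_medical_records", 11),
    ("2024-06-05", "li.wei", "hr_medical_records", 480),    # unusual spike
    ("2024-06-01", "li.wei", "marketing_site_stats", 5000), # not sensitive: ignored
    ("2024-06-01", "zhang.min", "plant_telemetry", 200),
    ("2024-06-02", "zhang.min", "plant_telemetry", 210),
    ("2024-06-03", "zhang.min", "plant_telemetry", 190),
]


def daily_totals(events) -> dict:
    """Sum records read per (user, dataset, day), sensitive data sets only."""
    totals = defaultdict(int)
    for day, user, dataset, n in events:
        if dataset in SENSITIVE:
            totals[(user, dataset, day)] += n
    return totals


def anomalies(events, min_days: int = 3, z: float = 3.0) -> list:
    """Flag (user, dataset, day, volume, threshold) where the day's volume
    exceeds mean + z * stdev of that user's other days on the same data set.
    Pairs with fewer than min_days of history are skipped: no baseline, no alert."""
    by_pair = defaultdict(dict)
    for (user, dataset, day), n in daily_totals(events).items():
        by_pair[(user, dataset)][day] = n

    flagged = []
    for (user, dataset), days in by_pair.items():
        if len(days) < min_days:
            continue
        for day, n in days.items():
            others = [v for d, v in days.items() if d != day]
            mu, sigma = mean(others), pstdev(others)
            # floor on sigma so a perfectly flat baseline still has some tolerance
            threshold = mu + z * max(sigma, 1.0)
            if n > threshold:
                flagged.append((user, dataset, day, n, round(threshold, 1)))
    return flagged


if __name__ == "__main__":
    for user, dataset, day, n, threshold in anomalies(EVENTS):
        print(f"{day} {user} read {n} records from {dataset} (baseline threshold {threshold})")
```

Two design choices carry the article's warning: the `SENSITIVE` filter means the 5,000-record read of public web statistics never reaches the detector, and the `min_days` guard means a user with no history produces no alert rather than a false one. Real deployments would replace the leave-one-out statistics with a rolling window, but the order of work is the same: inventory and classify first, baseline second, alert last.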
Where to Start?
“IT’S POINTLESS TO IMPLEMENT AUTOMATION TOOLS WHEN YOU DON’T HAVE A REPEATABLE AND PROGRAMMABLE PROCESS”