November 28, 2022

New data compliance requirements for global enterprises operating in China: impacts and the way forward


Loeby Chan is the Head of Salesforce Transformation at IBM Consulting Hong Kong 

In a bid to protect Chinese citizens and businesses, China developed new data protection policies and also enhanced existing policies that had been in effect for the past few years. However, the implications for multinational corporations have been somewhat unclear and, as such, are frequently misinterpreted. To mitigate uncertainty, China introduced the Personal Information Protection Law (PIPL) in November of 2021, with features similar to Europe’s GDPR. The PIPL is a big step towards addressing lingering doubts on how to be data compliant in China.

Security and compliance remain the focal point of IBM, and the company has been campaigning on the topic of data residency for the last two years. Many companies and their Chinese-based subsidiaries have been demanding this as a major requirement for their business relations. Noncompliance can result in millions of dollars in fines or as much as 5% of a company’s annual revenue. A Chinese government-imposed shutdown is the most likely risk. Becoming compliant with the regulations is no longer a question or a decision to consider but rather an imperative to undertake seriously.

The focal question, therefore, relates to how multinational corporations can navigate, interpret, and adjust their processes, technology, and organizational structures in response to these new regulations (i.e., the PIPL and the data residency policy), having recently spent millions or billions of dollars rationalizing their business and information technology landscapes. This remains a key agenda topic for most clients with data residency issues.

PIPL and data residency policy: are the Healthcare, Retail, and Automotive industries also affected?

Virtually all industries are affected by the PIPL, but especially the pharmaceutical industry, biotechnology companies, and their life sciences counterparts. These and many others face regulations and constraints regarding the storage, processing, and accessibility of their users’ data. In the automotive industry, even simple data such as a Vehicle Identification Number (VIN), which may not seem an obvious case, could also be affected by the PIPL.

Thus, to avoid issues, constraints, and surprises during data access, there is a need to regularly update user data policies with the legal and compliance teams. Data analysis should be included to easily highlight the risks and successes at every step of the way. Also, a person or group needs to be assigned to drive and oversee compliance-related initiatives and integrate these into any data-related projects (particularly those incorporating aspects of the private/public cloud).

InCountry for Salesforce integration: How it works

Over the years, InCountry has integrated well with Salesforce to implement and solve highly challenging data residency requirements for customers across industries. Recently, a luxury automobile manufacturer encountered a problem with PIPL compliance because their Chinese client data was being kept in a Salesforce UK data center.

Brands using technologies incompatible with PIPL face a serious business challenge, the most severe of which is a potential disruption or even a temporary shutdown of operations until changes to their systems and applications are made to comply with PIPL.

We have always helped clients in the APAC region mitigate these challenges by drawing on prior experience and deploying data residency and in-country solutions. We typically follow a holistic approach that begins with a highly intensive and rapid discovery phase to map out the client’s data, applications, processes, and organization.

However, understanding how InCountry works is critical to helping clients map out the impact and changes required to their Salesforce instance, business processes, and application landscape. Aside from holistic recommendations, the key outcome of this discovery phase is that we can confidently guide the client on their path towards compliance before their hard deadline using a combination of InCountry for Salesforce implementation and process and technology changes. This also includes implementing a fully compliant MVP within a matter of 3-6 months.

How to implement PIPL, data residency policy for the Chinese market

Given how PIPL regards data residency policy and its impact on Chinese multinational companies, we have made the following recommendations:

  1. First, early implementation is the way out. Chinese multinational companies should collaborate with their global, regional, and local data privacy teams to understand the impact and implications of PIPL on all aspects of their business. This will help develop a timely schedule to make sure that their compliance initiatives are properly addressed. In recent months, the number of businesses addressing compliance with the new regulation has significantly increased, and this trend is expected to continue well into 2023. This is partly because of the regulations that are becoming effective in March of next year.
  2. Be Ready to Invest. First, assess and procure technology to help stay compliant and secure. Next, conduct and map “as-is” and “to-be” processes that ensure compliance needs are addressed for the near and long term.
  3. Each situation is unique, and what works for one company may not work for another. Collaboration with a data residency service like InCountry and an SI / consulting firm can significantly accelerate and reduce the risk of a multinational company’s compliance journey in China and beyond.
  4. To ensure compliance with future changes in regulatory requirements, adopt agile methods and scalable solutions.

Why do we always work with InCountry?

The ability to solve simple and complex data residency challenges at the local, regional, or global scale remains a key criterion in choosing a data residency technology platform to work with. The InCountry service can address these, and over the years, they have maintained a track record for the highest standards of quality, commitment, and client success. When coupled with their attainment of the most rigorous industry compliance certifications available, customers gain the necessary confidence in the soundness of their approach. InCountry is a fast-growing data residency technology company with knowledge and experience in client issue diagnostics and a structured solution strategy.

In summary, by using the InCountry for Salesforce managed app and service, our customers can continue to leverage their existing Salesforce instance on a global scale.

In Conclusion

The PIPL remains the focal issue for many multinational companies operating in China with data residency issues. Virtually every industry is affected, from healthcare to automotive. Failure to comply with the PIPL can cost a company millions of dollars in fines, 5% of the total annual revenue, or a possible shutdown by the Chinese government. Hence, implementing the PIPL in line with the data residency remains a big, non-negotiable central theme for many multinationals in China.

Through a strategic partnership with InCountry, many businesses have changed their mindset from seeing data residency as scary and beyond their reach to prioritizing data residency investments. Companies that formerly relegated initiatives addressing these issues to nice-to-have status are now increasing their budgets and see these initiatives as business energizers, increasing productivity, lowering TCO, and enhancing their competitive edge.