February 16, 2022

Overcoming the Challenge of Data Compliance in China with IBM Consulting

Loeby Chan is the Head of Salesforce Consulting at IBM Consulting Hong Kong.

China’s data compliance and data protection laws are imposing ever more restrictions on how personal data and sensitive information such as PII, PHI, and biometric data may be stored or processed in China. This will likely increase project effort and implementation and operating costs, and it will affect solution architecture for global enterprises conducting business in China and across different jurisdictions. Multinational corporations already have to juggle complex cross-functional and cross-regional collaboration for global system implementations, and the layers of Chinese regulation at local, regional, and national levels complicate the process further. This is why IBM Consulting advises companies to start early by addressing compliance and setting up a project governance model capable of absorbing regulatory change as it happens. Regulated industries, e.g. cosmetic products governed by the newly released CSAR, additionally need to consider the implications that China’s new data protection law, the Personal Information Protection Law (PIPL), could have on their industry-specific compliance requirements.

This highlights the need for a scalable solution that enables the localized, secure storage and processing of regulated data in compliance with PIPL. Global enterprises already present in China should comply with these regulations by conducting regular compliance and legal reviews based on the National Council’s latest legislation and any relevant administrative measures. Perhaps the most effective way to do this, in our experience, is to appoint a person to drive and monitor compliance-related initiatives as a standard practice and to embed this person as a key stakeholder in any project that involves data, particularly projects with elements of cloud infrastructure. Ongoing dialogue with the authorities through this compliance body helps to surface risks and issues early, mitigating potential impacts on a system’s implementation schedule and on overall business continuity.

PIPL’s requirements to process and store personal and sensitive data within China imply a potential increase in both capital expenditures and operational expenditures, which is another reason organizations need to start the legal and compliance dialogue early to avoid surprises. On the CapEx side, you will need to invest in technical infrastructure such as local cloud storage and processing, system enhancements, and additional third-party system auditing; on the OpEx side, you will need additional headcount to support localized processes, as well as additional legal reviews and audits to monitor the latest policy changes. Markets with stringent data localization requirements such as China can disrupt your global organization and operating model because data is not allowed to flow freely, which could impact your global reporting and analytics capabilities.

So, does this make it harder to enter markets like China? Yes and no. Because of the data localization requirements in PIPL, global enterprises in most cases cannot simply take the global solutions and architecture already in place and deploy them to drive their business operations in China. They have to conduct impact analyses and enhance their existing systems in accordance with the regulations, which raises the barrier to entry and the level of investment necessary to be fully operational in China. If done correctly and in time, however, the overall process of entering China’s market will not necessarily be more difficult. It simply means that more of your overall effort and focus shifts towards compliance compared with previous years.

As far as my experience goes with IBM Consulting and helping enterprises successfully manage compliance challenges in China, the first thing companies need to know is that they must be ready to invest. They have to assess and procure the right data compliance technology and carefully design and map as-is and to-be processes that ensure both compliance and business needs are met. Seeking external advice from InCountry and a strong implementation partner, one with strong technical and business consulting capabilities that can help you navigate the complicated compliance landscape and free you up to focus on business priorities, is not a luxury but a necessity.

Legislation moves at a quick pace in China, and regulations often become effective immediately after the third review of the legislation. This means companies always need to be prepared with an enterprise-grade solution that is both scalable and flexible enough that any future regulatory changes can be accommodated easily.

A customer that we recently helped onboard to Salesforce with InCountry in China required that the solution we put in place have minimal impact on their existing global Salesforce instance and business processes, and that it reduce their overall TCO. They needed ease of maintenance and scalability for their existing architecture while providing secure and compliant integration options with the internal and third-party vendors they were working with in China. It didn’t take long before we selected InCountry, which is the leading data compliance solution and is compatible with most cloud software and hyperscalers available on the market.

InCountry’s localized data storage and processing, a major competitive edge, fulfil regulatory requirements both in China and globally for complex matrix organizations. Using InCountry for Salesforce, the customer mentioned above was able to continue to leverage their existing Salesforce instance with minimal changes. This allowed them to manage localized data in a single secure digital cloud platform that is compatible with most hyperscalers and cloud infrastructure providers, a major win for companies looking to keep costs down as they enter China or other markets with strict data compliance regulations.

To close, here are a few key takeaways to consider for a successful implementation of InCountry for Salesforce:

  • Select your implementation partner carefully. Challenge your partner to bring an end-to-end view at all times, and ensure they have a strong Salesforce implementation track record and InCountry integration experience
  • Identify the key use cases and business requirements early on, and understand their implications when selecting one of the three InCountry data protection models
  • Conduct an in-depth impact analysis of your existing Salesforce instance and the integrated systems, taking the InCountry data protection model options into account
  • Start with a discovery project that focuses on mapping your as-is and to-be architecture and processes, and run a Proof of Concept before any solution design and build takes place
  • Define which data elements are in and out of scope for InCountry (you probably don’t need all of your data in InCountry)
  • Establish a proper Project Governance Model and ensure buy-in across all hierarchical layers of your organization
  • Use Agile or iterative methodologies where possible so that business value is delivered incrementally and changes in business requirements or regulation can be absorbed easily
  • Lastly, test thoroughly and extensively to ensure your business is not disrupted in the first days after going live (this includes proper stress and performance testing)