"Data Security Law" first anniversary: no best practice yet | Industry observation

Author: 36Kr   Time: 2022.09.02

Everything has just begun, and every company has its own solution.

Text | Xu Wenyu

Edit | Zhenzi

Source | Digital36kr (ID: Digital36kr)

Cover Source | Visual China




About 14 months ago, Zhang Yang, who had been at a major Internet company for nearly five years, felt the company's key-account advertising business take a small jolt.

"Because advertising effectiveness dropped, the budgets customers allocated, seen from the sales side, were about 10% lower," he recalled to 36Kr a year later.

For this company, with annual advertising revenue of more than 10 billion yuan, advertising is still the cash cow. Within it, "KA (key account) advertising accounts for about 40%," Zhang Yang estimated.

The trigger, 14 months ago, around July to August 2021, coincided with the window between the promulgation of the Personal Information Protection Law and the Data Security Law and their taking effect.

Before that, the advertising industry pursued precision marketing in a loosely constrained way.

An industry insider told 36Kr that before the laws tightened, the usual approach for advertisers was to first profile users on basic attributes such as gender, age and region, then use behavioral data (such as users' audio recordings, search content and chat records) together with algorithms to pinpoint whether specific users were potential consumers with purchasing power.

"Basically, out of 10 pushes at least 3 get clicked and one may convert into an order. Take a GUCCI bag priced at 20,000 yuan: if 100 people buy it, that is 2 million yuan in revenue, the advertising fee may be around 300,000 yuan, and the brand makes a profit," he calculated for 36Kr.

From the second half of 2021 onward, it became clear that this approach would be hard to continue within the bounds of compliance.

The Personal Information Protection Law, which took effect in November of that year, stipulates explicitly that the processing of personal information must have a clear and reasonable purpose and be directly related to that purpose, and that the collection of personal information must be limited to the minimum scope necessary for the processing purpose, without excessive collection.

As a result, "the new products the company tests behind the scenes are no longer pushed to finely segmented audiences," Zhang Yang said. This is the "decrease in advertising effect" mentioned at the beginning of the article.

And that is only the personal-data part. Under the current Cybersecurity Law, Data Security Law and Personal Information Protection Law, the data a company handles often goes well beyond personal information, so in the infrastructure of some businesses the impact of data compliance runs deeper than imagined.

The mobility industry is one example. Maps are the most important resource of map providers and one of the most important traffic entry points for local services, so the importance of surveying and mapping qualifications to map providers is self-evident.

Maps often touch sensitive information. An expert from a map provider told 36Kr that "the industry stipulates that the geographical locations of tall towers, bridges, military bases and the like cannot appear on electronic maps."

Given these data attributes, as compliance requirements are refined, electronic-map surveying and mapping qualifications have become a scarce resource, one with potentially profound impact on autonomous driving, intelligent transportation and other businesses.

After the reform in June 2021, domestic electronic-map qualifications were divided into Class A and Class B. Class A means vehicles equipped with the provider's maps can drive on roads nationwide; Class B corresponds to certification by a provincial surveying and mapping authority, and vehicles equipped with such maps can drive only within that province.

For new cars today, map navigation is a necessary feature. This means that a vehicle manufacturer seeking to work with an external map provider must make sure that provider holds electronic-map surveying and mapping qualifications, so that vehicles equipped with its maps can be released and driven on roads nationwide.

In the lists of Class A electronic-map surveying and mapping qualifications published in February, March and August this year, Jiangsu Zhitu, Momenta, Jingzhong Maps, Zhonghai Ting, Didi and others are shown as not yet approved. Gaode (Amap) appeared on the February review list.

Two changes, two types of solutions

Overall, after the relevant laws and regulations took effect, the changes at enterprises fall into two categories.

In the first category, many companies changed the way they did business.

Zhang Yang told 36Kr that at his company, the fine-grained audience-selection features that advertisers previously used had to be taken offline.

During this period many companies also made corresponding business adjustments or shifts. 36Kr learned that Baidu relied on the "Fengyun Plan", operated together with advertisers, to cope with the situation in which precision advertising can no longer be delivered as before.

Baidu provides paying customers with free materials to build a brand homepage within its site. When a user searches with the brand's keywords, the brand's advertisement appears, occupying 60% of a page length. Baidu then provides the advertiser with insights into on-site user behavior, telling the advertiser which materials and content are more attractive to users.

Because the in-site homepage is built by the advertiser itself, the user data on that homepage is shared by Baidu under a compliance agreement. Baidu's paid insight information can therefore be shared with advertisers compliantly, and advertisers can further reach and monetize users within the site.

This tests a company's fine-grained operational capability. "In the past Baidu made money lying down; now it needs to jog to make money," a Baidu insider commented to 36Kr. E-commerce platforms have similar brand-service solutions. After the data privacy policies were issued in 2021, private-domain traffic that accumulates passively became the mainstream. An executive at a platform ISV pointed out that the platform encourages brands to convert users into authorized members, who can then be reached at any time within the platform.

Brand owners are also making their own efforts. "In the past, many e-commerce platforms would proactively share consumer information with brands, including gender, age and region, and even whether the household owned a car or a house. Now there are only avatars, which is no help at all for digital operations," the digital lead of a mid-tier retail brand told 36Kr, adding that the brand is currently upgrading its membership system.

The second category affects the industry landscape more deeply (the maps example above); here, waiting for policy to be clarified further may be the more appropriate approach.

Not long ago, a Gaode insider speculated to 36Kr that units without the relevant surveying and mapping qualifications that still need to carry out such operations would have to partner with qualified map providers. "Existing companies are discussing this cooperation model," a qualified Internet company revealed.

Coincidentally, this cooperation model was confirmed two days ago. On August 30, 2022, the Ministry of Natural Resources published on its website the "Notice on Promoting the Development of Intelligent Connected Vehicles and Safeguarding Geographic Information Security", under which surveying and mapping activities are to be carried out by units holding the corresponding surveying and mapping qualifications.

The same situation arises in cross-border business.

CTO Zhou Jie told 36Kr that for telecom operators, financial companies, cross-border enterprises or companies listed in the United States, the impact of laws such as the Data Security Law may be greater than for other industries, since these companies are likely to hold large volumes of data and are subject to data export policies.

When 36Kr interviewed a multinational enterprise a few months ago, its security lead said that the group's basic security construction, such as encrypted storage and desensitization of sensitive data, was already complete. The most confusing part was precisely cross-border data interaction. "This part has stalled, pending clarity in policy," the security lead said.

Fortunately, a few months later, the rules for data export have become as clear as he hoped.

The latest change came on the evening of August 31, when the Cyberspace Administration of China released the "Guide to Data Export Security Assessment Declaration (First Edition)".

Among the many interpretations, this Guide further clarifies the rules for data export security assessment on the basis of the already-implemented Measures for Data Export Security Assessment, including the scope of application, the method and process of declaration, the materials to be submitted and the official consultation channels, and provides templates for the data export security assessment declaration and the data export risk self-assessment report.

Getting through the painful period

New changes keep coming.

For example, Yibang Dynamics reports that, to protect consumer privacy, Alibaba will provide a virtual-number solution from September 1, severing the link between consumer orders and consumers' real mobile phone numbers.

The effect is that merchants will no longer be able to obtain consumers' phone numbers through the platform, nor contact them directly by call or text message.
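The virtual-number mechanism above is a form of data desensitization: the platform keeps the only mapping between a consumer's real number and a per-order virtual number, the merchant only ever sees the virtual number, and the mapping dies with the order. The following is an added illustration of that pattern, written for this article; it is not Alibaba's implementation, and the in-memory vault, the constructed "170" virtual-number prefix, the HMAC-keyed index, the `VirtualNumberVault` name and the one-week expiry are all assumptions.

```python
"""Order-scoped virtual phone numbers (pseudonymisation), an added example.

Hypothetical design, not Alibaba's code. The platform-side vault is the only
place real numbers live; merchants receive a virtual number bound to exactly
one order; only a relay component may resolve it back, and only while the
binding is live. The in-memory dicts stand in for an encrypted database.
"""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PHONE_RE = re.compile(r"^1\d{10}$")  # mainland mobile number: 11 digits


def mask_phone(phone: str) -> str:
    """Display form for logs and UI: keep only the first 3 and last 4 digits."""
    if not PHONE_RE.match(phone):
        raise ValueError("not a mainland mobile number")
    return phone[:3] + "****" + phone[-4:]


@dataclass
class Binding:
    real_phone: str
    order_id: str
    expires_at: float


@dataclass
class VirtualNumberVault:
    """Platform-side mapping; the only component holding real numbers."""
    index_key: bytes                       # assumption: held by the platform only
    ttl_seconds: int = 7 * 24 * 3600       # assumption: binding lives one week
    _by_virtual: Dict[str, Binding] = field(default_factory=dict, init=False, repr=False)
    _by_real_fp: Dict[str, Set[str]] = field(default_factory=dict, init=False, repr=False)

    def _fingerprint(self, real_phone: str) -> str:
        # Keyed hash: the index cannot be reversed without index_key.
        return hmac.new(self.index_key, real_phone.encode(), hashlib.sha256).hexdigest()

    def issue(self, order_id: str, real_phone: str, now: Optional[float] = None) -> str:
        """Create a fresh virtual number bound to exactly one order."""
        if not PHONE_RE.match(real_phone):
            raise ValueError("not a mainland mobile number")
        now = time.time() if now is None else now
        while True:
            virtual = "170" + f"{secrets.randbelow(10**8):08d}"  # constructed prefix
            if virtual not in self._by_virtual:
                break
        self._by_virtual[virtual] = Binding(real_phone, order_id, now + self.ttl_seconds)
        self._by_real_fp.setdefault(self._fingerprint(real_phone), set()).add(virtual)
        return virtual

    def resolve(self, virtual: str, order_id: str, now: Optional[float] = None) -> Optional[str]:
        """Relay-only path: real number only while this order's binding is live."""
        now = time.time() if now is None else now
        b = self._by_virtual.get(virtual)
        if b is None or b.order_id != order_id:
            return None  # unknown number, or a number reused across orders
        if now >= b.expires_at:
            self.revoke(virtual)
            return None
        return b.real_phone

    def revoke(self, virtual: str) -> None:
        """Drop a binding (order closed, expired, or consumer opted out)."""
        b = self._by_virtual.pop(virtual, None)
        if b is not None:
            self._by_real_fp[self._fingerprint(b.real_phone)].discard(virtual)

    def active_bindings_for(self, real_phone: str) -> int:
        """Abuse check (e.g. too many open orders per number) without a plaintext index."""
        return len(self._by_real_fp.get(self._fingerprint(real_phone), ()))


def merchant_order_view(vault: VirtualNumberVault, order_id: str, real_phone: str,
                        now: Optional[float] = None) -> dict:
    """The record handed to the merchant; it never carries the real number."""
    virtual = vault.issue(order_id, real_phone, now)
    return {"order_id": order_id, "contact": virtual}


if __name__ == "__main__":
    # Constructed sample data, not real consumers.
    vault = VirtualNumberVault(index_key=b"demo-index-key", ttl_seconds=60)
    view = merchant_order_view(vault, "order-1", "13812345678", now=1000.0)
    print("merchant sees:", view)
    print("relay resolves:", vault.resolve(view["contact"], "order-1", now=1010.0))
    print("after expiry:", vault.resolve(view["contact"], "order-1", now=1100.0))
```

The design choice worth noting is that the merchant-facing record contains no field from which the real number can be derived, and resolution is gated on both the order identifier and the expiry time, so a virtual number copied out of one order is useless for contacting the consumer about anything else.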

A reasonable inference is that there will only be more to come on data compliance, which is closely tied both to current regulatory developments and to the state of compliance governance at many enterprises.

In interviews, many compliance practitioners mentioned "compliance non-prosecution" to 36Kr. Xiang Li, CEO of Mangosteen Technology, which focuses on DPO training, told 36Kr that the procuratorate has launched a "third-party supervision and evaluation mechanism for the compliance of enterprises involved in cases", known as "compliance non-prosecution", and that this mechanism also applies to data compliance. Under it, if an enterprise that has broken the law rectifies within the period set by the procuratorate, a third-party evaluation body assesses the rectification; once the results are accepted by the procuratorial organs, they may decide not to approve arrest, not to prosecute, or to recommend lenient sentencing.

Compliance non-prosecution means room for self-correction. On the other hand, compliance construction may differ enormously between enterprises.

Wei Tao, vice president and chief technology security officer of Ant Group, said in an interview with 36Kr that in the year since the relevant laws took effect, the industry still has a huge gap in security investment. Many companies make wide use of digital systems, but the building of their professional security teams often lags behind.

"Some companies have bought security products and have alerts firing, but no one pays attention. This is not a minority," Wei Tao said.

By contrast, regulatory technology is advancing. Kong Lingxin, CEO of Wusong (rendered "without litigation" in the source), believes that domestic data security supervision will keep moving forward and will become more advanced than in the European Union and the United States.

"China's characteristic is to overtake on the curve through technology. Today many audit units already use code-level or database-level techniques to monitor companies' data collection and trading systems. Judging by the overall trend, data security supervision will become stricter, and the window for companies to rectify on their own may close in the future."

On the other side of the story, many enterprises building compliance during this period also face real challenges.

CTO Zhou Jie observed that although the Data Security Law and the Personal Information Protection Law have been in force for more than a year, the compliance of many companies is overall still at an early, exploratory stage. "Many of our customers are confused; data compliance still lacks a path from law to technical implementation. At present this may be differentiated by the sensitivity of the company's industry." At a more practical level, when a company reaches the stage of compliance rectification at the business and product level, it usually needs technical means to solve the final problem: how to translate legal language into technical language while minimizing the impact on the business is one of the main difficulties they face. "We may not even understand the legal opinions," some companies admitted to 36Kr.

On this point, Xuan Yimiao, co-founder of a data security service provider, believes: "Security vendors have a responsibility to take the lead in exploring how to implement compliance requirements technically, and they also have more experience in this area. They should understand laws and regulations in depth and formulate industry technical standards and specifications for reference, so that data security construction becomes more professional and more efficient."

From a more practical standpoint, compliance construction may involve spending on consulting, training, and the transformation and upgrading of related systems. An industry insider engaged in compliance consulting stressed: "Compliance is a cost." He told 36Kr that his company had quoted 900,000 yuan in a bid for the compliance consulting of a consumer e-commerce brand, but the brand chose a Big Four accounting and consulting firm that quoted 750,000 yuan. Even so, the brand later still ran into data compliance problems that led to related products being taken offline.

One implication is that the companies under the strongest pressure, and with the strongest capacity to build compliance, tend to be those with high digitalization, financial resources and technical capability. In other words, although we often see leading Internet companies summoned and penalized, the data compliance infrastructure of such enterprises is in fact often at the industry's frontier.

"This is a very complex context. At present there may be no best practice." After helping nearly a hundred companies with data compliance construction, Wang Xinrui, a Wusong partner and partner at Shihui Law Firm, admits: "What we often hear when participating in legislative and supervisory work is 'the greater the ability, the greater the responsibility.' How much data can a company bear?"

The background is that in the era of the Internet and mobile Internet, data has been regarded as an "asset" by every industry, and has become a new "factor of production" alongside land, labor, capital and technology. From this perspective, at a moment when digitalization is the general trend, having domestic enterprises make up for their past shortfall in security capability through the dual roles of law and technology is very likely a compulsory course.

On the first anniversary of the Data Security Law taking effect, everything has just begun.


*Thanks to Youyi Technology and Hongtu Technology for their support for this article.

Reference links:

Data compliance strategies of listed companies at home and abroad

Taobao swings the knife! In 2 days, merchants will no longer be able to get consumers' mobile phone numbers

Ride-hailing, never calm: the battle of accumulation

Regulations and policies referenced in the article:

"Notice on Promoting the Development of Intelligent Connected Vehicles and Safeguarding Geographic Information Security" (https://www.mnr.gov.cn/dt/ywbb/20220831_2758156.html)

"Guide to Data Export Security Assessment Declaration (First Edition)" (http://www.cac.gov.cn/2022-08/31/c_16635689996202.htm)

Part of the content comes from interviews with experts of Six Degrees.

Zhang Yang is a pseudonym.
