Workforce risk

Data security and information protection

The recent promulgation of the ‘Data Security Law’ and ‘The Personal Information Protection Law of the People’s Republic of China’ suggests that companies are now facing a period of stricter data compliance supervision, with new challenges arising in the area of corporate employment management and employee personal information management.

Decentralised data management: Organisational data usage scenarios are complex, with management responsibilities often overlapping and dispersed across different departments. The lack of an organisational mechanism, system and process for overall data security management puts organisations at risk of failing to properly manage personal information and important data.

Data collection and use violations: When collecting and using personal data, it’s important to explain the purpose, application, scope and related changes of data collection and use to the data providers. Failure to do so may result in the risk of illegal collection and use of data. For example, failure to disclose the purpose and use of personal information collection to candidates during interviews and background checks, or excess data collection during the onboarding process without sufficient disclosure of the scope of data collection can also lead to compliance risks.

Data theft and leakage: As technologies such as cloud computing, big data, and artificial intelligence continue to advance, employees' personal privacy and important data are increasingly at risk of data theft from multiple channels on the Internet. When companies exchange data with a third party or engage in a third-party service, direct access to employees' personal data by third parties may pose risks of data leakage and illegal use.

Tightened global regulation: Countries around the world have recently enacted a number of laws and regulations for data and privacy protection. As a result, global organisations are faced with the challenge of meeting the data compliance requirements of local and recipient countries' laws when transferring and managing data across borders. This is a key challenge for organisations looking to navigate the increasingly stringent regulatory landscape.

What we offer

Establish a robust data management organisation: Appoint a data protection officer, and clarify the responsibilities and the RACI matrix (R: Responsible, ‘who executes’; A: Accountable, ‘who approves’; C: Consulted, ‘who is consulted’; I: Informed, ‘who is informed’) for relevant departments such as business, HR, internal control, compliance, information security, risk management, and internal audit. Establish, implement and promote a normative system for data security from a global perspective, playing the management role of coordinating and leading. On the basis of data security compliance, promote the ‘mining of the value of data and boosting the digital development of companies’, and avoid a ‘one size fits all’ data management approach.

Establish a data management system: Categorise HR business scenarios involving data security, and summarise legal requirements related to corporate HR management. Based on the legal requirements and the company’s business characteristics, establish and improve a data security management system covering the full data lifecycle, including classification and grading, de-identification, cross-border data, risk assessment, etc. Manage the entire process of data collection, storage, use, processing, transmission, deletion, and destruction, with well-defined responsibilities for the multiple participants and clarified procedures and security controls in each link of data management.

Sign legally binding documents: Identify relevant parties in the area of internal and external personal data sharing, transmission and entrusted processing, and sign relevant transfer agreements with relevant external parties following the standard contract templates stipulated by national laws. Work with internal parties to clarify the rights and obligations of the relevant parties concerning data protection, which calls for formulating management systems, signing transfer agreements, adding personal data protection clauses (employment contracts, assignment agreements, etc.), and ensuring compliance with data processing activities through legally binding documents.

Conduct regular technology security assessments: Conduct technical assessments of the company’s current HR-related applications, servers, network equipment, and physical environments to identify and fix security vulnerabilities. Identify sensitive assets that may be accessible to unauthorised parties on the Internet, including sensitive documents, domain names, URLs, identity credentials and code bases, etc., and implement safeguards to protect these assets accordingly.

Establish a global privacy compliance operation platform: Establish a privacy security platform, set up the relevant mechanisms on the platform, remain vigilant to the supervision and compliance requirements of the regions where overseas subsidiaries are located, and build a dynamic knowledge base of laws and regulations. Use the digital platform to record the entire data management lifecycle, including the management of personal consent records, the management of data processing activities, the records of cross-border data transfers and other activities.

Legal and regulatory compliance

With the rapid development of the Chinese economy, Chinese companies have an increasing demand for domestic and overseas markets. Along with this growth, China has introduced a series of laws and regulations such as the ‘Labour Law of the People's Republic of China’, the ‘Labour Contract Law of the People's Republic of China’, the ‘Social Insurance Law of the People's Republic of China’, and the ‘Law of the People’s Republic of China on Promotion of Employment’, which have led to the gradual improvement of China’s labour and employment law system. As the demand for labour and employment continues to expand, the frequency of employee hiring, departures, transfers and promotions has accelerated. Ensuring compliance with labour laws has become an important issue for Chinese companies as they rapidly develop their production and operating capabilities.

Common labour and employment compliance risks:

  1. The basis and proportion of social security payments may not comply with regulations, resulting in longstanding problems such as underpayment, non-payment or illegal payments in other locations.
  2. The content of the company’s internal rules and regulations may be incomplete, unreasonable, or in violation of laws and regulations; rules adopted without democratic consultation and public announcement procedures are not in compliance.
  3. The legal basis for unilaterally terminating employment contracts may not be clear, and procedures may be illegal or flawed, resulting in labour disputes or arbitration.
  4. Inadequate preparation, immature schemes and project plans, and a lack of consideration for employees’ demands and response plans in the process of terminating, modifying and transferring labour contracts may lead to mass incidents or major public backlash.
  5. When going overseas, companies may fail to conduct sufficient research on the basic requirements of overseas labour compliance, forcing them to scramble to deal with disputes and complaints, or even face penalties for violations.

What we offer

More and more companies are recognising the risks associated with labour and are taking proactive measures to prevent them, while at the same time improving their internal management mechanisms. PwC can provide a range of risk prevention measures and schemes, including but not limited to:

  1. Stay current with the latest changes in laws, regulations and regulatory requirements, improve internal and external training mechanisms, and provide regular internal and external training to the HR department on compliance across the employee lifecycle of hiring, leaving, transferring and promoting, as well as on market practice requirements.
  2. Conduct regular health checks for compliance with labour and employment laws, formulate a list of common employment risks, countermeasures and periodic self-inspection procedures.
  3. Improve the drafting and updating of internal rules, regulations and related document templates.
  4. Identify and categorise the list of high-risk issues and suggest optimal market practices at the early stage of going overseas.
  5. Comply with overseas labour and employment regulations and policies, and set up an overseas labour and employment compliance system according to business needs.
  6. Develop risk contingency plans in a timely manner and provide implementation support in the face of emergencies.

Contact us

Johnny Yu

Workforce Advisory Leader, PwC China

Tel: +86 (10) 6533 2685

Liuyang Li

Partner, PwC China

Tel: +86 (10) 6533 5845

Vivienne Jin

Partner, PwC China

Tel: +86 (10) 6533 5943