Navigating China’s Cybersecurity and Data Protection Policies
Sinolytics Primer – Linking China’s cybersecurity and data regulatory framework to your business needs
Tiffany Wong, Project Leader
Dr. Camille Boullenois, Project Leader
Dr. Jost Wübbeke, Managing Partner
Sinolytics – a European research-based consultancy entirely focused on China
Sinolytics Cybersecurity Services

Profile
• Founded in 2017, Sinolytics is a client-serving, research-based consultancy with offices in Berlin, Beijing and Zurich
• Uniquely blending in-depth research with a management consulting approach to problem solving
• Operating at the nexus of business and policy and analyzing China’s political economy, Sinolytics advises companies from across business sectors and functional areas
• 50+ clients, including some of the largest and most respected foreign companies operating in China

Key expertise areas
• Macro-, industrial and S&T/innovation policies: 14th FYP, automotive, S&T cooperation, 5G/new infrastructure
• China’s digital economy and digital transformation: digital platforms, valuetization of data, AI, startups/VC
• Market governance and regulatory compliance: cybersecurity/personal information/MLPS 2.0/cross-border, CSCS
• Social policies, welfare and domestic consumption: health, pension, urbanization, rural economy and labor
• Finance, geoeconomics (trade/investment) & geopolitics: financial opening-up, BRI, RCEP, tech decoupling, EU-China
• Public and Governmental Affairs (PGA): structures, strategy, stakeholder analysis, network support

Approach
• Primary source and Chinese-language research
• Problem-solving and developing tailored solutions
• Flexible delivery formats: strategies, reports, workshops
• Depth in content, while strong in contextualization
• Extensive expert network and research partners
Sinolytics offers cybersecurity regulatory support to clients backed by deep industry expertise

Product: Cyber and Data Strategy
Client value-add: Building cohesive strategies for HQ and China offices to deal with China’s fluid cybersecurity framework
Preparing clients to meet challenges posed by China’s unique cybersecurity and data regime
• Piecing together China’s cyber regulatory framework puzzle to form comprehensive and forward-looking cyber and data regulatory strategies
• Supporting HQ and China offices to build strategies and SOPs to ensure smooth but compliant cross-border, cross-function data operations

Product: Compliance and Risk Assessment
Client value-add: Responding to cybersecurity compliance needs effectively and strategically
Preparing clients to navigate a high-risk regulatory landscape
• Assessing cybersecurity compliance risks of current operations in China and supporting with mitigation strategies
• Ensuring China offices and business units meet compliance requirements and providing support for gap closures

Product: Regulatory monitoring
Client value-add: Staying at the forefront of cybersecurity regulatory knowledge and response
Preparing clients to be ready for upcoming policies and requirements
• Monitoring policy updates across the cybersecurity regulatory areas specific to client industries
• Establishing an early warning system for new requirements, allowing timely preparation and action

Product: Trainings and on-demand advisory
Client value-add: Bridging general and granular knowledge gaps with high-level and in-detail advice
Preparing clients for specific scenarios with targeted and tailored advice
• Trainings for HQ and China offices on how to approach issues raised by China’s cybersecurity regulatory framework
• On-demand calls upon request and one-on-one advisory for targeted questions
Agenda
1. China’s maturing cyber security regime
2. Key regulatory frameworks: MLPS 2.0, Cross-border data transfer, Personal information, Network security
3. Industry impacts: Signals from automotive, finance, and health industries
4. Sinolytics cybersecurity expertise
The number of national cybersecurity laws, regulations and standards increased enormously… with many national regulations already implemented
[Chart: number of cumulative national regulations and standards, 1995–2020; the Cybersecurity Law became effective in 2017]
[Chart: number of regulations and standards by area, draft vs. implemented: General, MLPS 2.0, CIIO, Network products and encryption, PIP, Industry specific, Cross-border data transfer]
The implementation of the Cybersecurity Law gained momentum in 2020 and 2021
Security, innovation policies, and geopolitical objectives drive China’s cybersecurity policy
Drivers of China’s cybersecurity policy:
• National security: cyber threats are seen as national security threats
• Information control: censoring information and surveilling the population are seen as key for social stability
• Consumer protection: China addresses the recent scandals of personal information misuse
• Digital economy: China aims to lead the world in digital economy and technologies
• Techno-nationalism: promotion of self-sufficiency and Chinese technology
• International cyber governance: China aims to influence international cyberspace rulemaking
Objectives of the 14th FYP: National cybersecurity law, regulations, and system standards should be improved and developed, and security guarantees for data resources in important areas, important networks and information systems should be strengthened
Simplified overview of China’s cybersecurity framework
Foundation: 2017 Cybersecurity Law, alongside the Data Security Law, the Revised Criminal Law, the Revised Civil Code and the Consumer Rights Protection Law
[Legend in the original graphic: draft regulations; new/adjusted in 2020/2021; more regulations & standards expected]
Regulations and standards, grouped by the area headings of the original graphic:

MLPS 2.0
• MLPS and CII Security Protection System Guiding Opinions
• MLPS Classification Guideline
• Grading guidelines for classified protection
• Baseline for MLPS for cybersecurity
• Implementation guide for MLPS for Infosys
• Testing & evaluation guide for MLPS
• General requirements for MLPS of cyber security I–V
• Tech. Reqs. for MLPS Security Mgmt Center
• Technical requirements for security design for MLPS
• Capability requirements for organization of MLPS
• Security requirements for database management systems

CIIO
• Measures on Cybersecurity Review
• Reg. on Security Protection of CII
• Basic reqs for CII network security protection
• CII security control measures

Network product and encryption
• Encryption Law
• Network key equipment security tech. reqs. – General reqs
• Network key equipment safety – technical reqs
• Catalog of critical network equipment and network security products
• General Reqs for InfoSys Encryption Application
• Commercial Encryption Mgmt. Regulations
• List of Commercial Encryption Import License, Export Control List
• Opinions on Impl. of Commercial Encryption Testing and Certification
• Certification Rules for Commercial Cryptographic Products
• Commercial Password Product Certification Catalog

Personal Information Protection
• PI Protection Law
• PI Security Specification
• PI Security Impact Assessment Guidelines
• Guidelines for PI Security in Mobile Apps
• Information Security Technology PI Notification Consent Guide
• PI Security Engineering Guidelines
• Online PI Security Protection Guidelines
• PI Anonymization Guidelines

Cross-border Data Transfer
• Reg. on Cross-Border Transfer of Personal Data
• Guidelines for Data Cross-Border Transfer Security Assessment
• Measures on Security Assessment on Cross-Border Transfer of PI
• Measures for Security Assessment of Cross-border Transfer of Personal Information and Important Data
Multi-pronged cybersecurity regime has critical implications for businesses in China

2017 Cybersecurity Law (CSL)
What is it?
• The CSL is the first legislation devoted to the supervision and management of cybersecurity and internet space in China
Why is it important?
• Introduces key cybersecurity concepts, e.g. MLPS 2.0 and critical information infrastructure operators (CIIOs)
• Lays the foundation for future laws and regulations
High-level foreign business implications
• Overall: Unique cybersecurity regime with increased oversight from authorities
• Management: Cybersecurity protection responsibility is shifted primarily from IT departments to management
• Risk and compliance: Risk assessment and evaluation procedures for entities are introduced
• Operations: The CAC has increased power to use the CSL for non-cybersecurity related issues, such as export control or supply chain limits

2021 Data Security Law (DSL)
What is it?
• To be implemented in September 2021, the Data Security Law is concerned primarily with data protection and the data activities of entities
Why is it important?
• Establishes the significance of “important data” and “national core data” for data protection
• Equates data security with national security, with extraterritorial implications
High-level foreign business implications
• Overall: Data security and data transfer strategies
• Management: Foreign business HQs have to follow the DSL when handling Chinese data abroad
• Risk and compliance: “Important data” processors face extra requirements, incl. for cross-border transfer
• Operations: The data security review regime can open foreign business data activity to regulatory scrutiny

2021 Personal Information Protection Law (PIPL)
What is it?
• Taking effect in November 2021, the Personal Information Protection Law is concerned primarily with personal and consumer information protection
Why is it important?
• Sets fundamental requirements for the handling of PI and sensitive PI by entities
• Regulates cross-border data transfer
High-level foreign business implications
• Overall: Granular personal information protection requirements along the data value chain
• Management: Foreign business HQs have to follow the PIP law when handling Chinese citizen data abroad
• Risk and compliance: Businesses have to conduct an impact assessment for cross-border personal information transfer
• Operations: Enforcement activities are already underway for standards based on the PIP law
Businesses in China see increasing enforcement of cybersecurity and data regulations
Regulatory compliance is actively enforced
[Image: sample PSB outreach letter for MLPS 2.0 compliance]
Companies see fines, litigation, and business suspension over regulatory violations
• The 2021 PIP Law draft increased fines for violations to 50 million RMB, or 5% of the company’s annual revenue
2. Key regulatory frameworks: MLPS 2.0, Cross-border data transfer, Personal information, Network security
MLPS 2.0: All firms operating networks have to follow MLPS 2.0 requirements
MLPS 2.0 sets rules for all companies that operate networks (“network operators”) to increase their security protection capabilities, including the ability to prevent threats, detect security incidents and recover after damage
• The number of technical requirements in the various security areas increases for higher MLPS 2.0 levels
• Network operators are obligated to conduct a self-assessment
• Systems above level 2 are subject to extra expert evaluation
• Systems above level 2 need to be filed with local public security bureaus

Companies need to grade their MLPS 2.0 level…
The level follows from the damage an incident would cause to legal persons, public security or national security:
• Level 1: damage to legal persons
• Level 2: serious damage to legal persons, OR damage to public security
• Level 3: very serious damage to legal persons, OR serious damage to public security, OR damage to national security
• Level 4: very serious damage to public security, OR serious damage to national security
• Level 5: very serious damage to national security

…and comply with corresponding requirements
Number of technical requirements per level: Level 1: 53; Level 2: 122; Level 3: 189; Level 4: 204; Level 5: requirements not published
Security areas covered by the requirements:
• Telecomm Network Security
• Network Boundary Security
• Computer Environment Security
• Management Center Security
• Security Management
• Management Org. Security
• Management Personnel Security
• Construction Management Security
• O&M Management Security
Critical Information Infrastructure Operators regulation regime slowly developing
CIIOs are companies that may “gravely harm national security, the national economy, the people’s livelihood and the public interest if sabotaged”

Companies in some industries face a higher likelihood of being labelled CIIOs (known CIIOs):
• Finance: bank operators; securities and futures trading; insurance
• Telecomm.: data center/cloud services; voice, data, internet networks and hubs
• Health: health institutions such as hospitals; disease control; emergency centers
• Manufacturing: intelligent manufacturing systems; high-risk industrial facilities
• Water conservancy: long-distance water delivery; urban water sources; sewage treatment
• City infrastructure: urban rail transit; smart city operation & management

CIIOs face stricter requirements (most recent regulations: the Guiding Opinions and the Data Security Law)
• Critical Information Infrastructure Operators (CIIOs) face stricter requirements such as data localization
• The 14th FYP indicates that the construction and regulation of a well-developed CIIO protection infrastructure is a major cybersecurity policy goal
• The final definition of CIIO companies depends on industry regulators; designated CIIOs will be supervised by the MPS and industry regulators
• Asset risk assessment: CIIOs have to conduct a risk assessment of all assets
• Data storage: CIIOs have to store important and sensitive personal information on separate data servers within China
• Supply chain: Network providers and servicers to CIIOs have to undergo cybersecurity review procurement procedures
• Post-incident recovery: Post-cyber incident recovery requires an instant back-up system
Companies face challenges of new cross-border data transfer requirements
• According to regulations, companies face new impact assessment and approval procedures for data transfer abroad
• All companies that are network operators and transfer personal data outside the borders of China will be affected

New cross-border data transfer regulation and standards not yet officialized…
• The Data Security Law (2021) indicates that cross-border data transfer regulations will be published by the CAC and the State Council
• The Standard on Cross-Border Data Transfer Security Assessment is likely to be officialized by the CAC in early 2022

…but already present new data transfer requirements for companies in China
• The PIPL suggests that all companies transferring personal information abroad undergo a one-time impact assessment and contract procedure
• Some industries (e.g. finance, automotive) see security assessment requirements for the transfer of important data
• Uncertainties remain, e.g. whether group companies are to be treated as separate entities or as one entity

Implications for companies
Companies will face extra cost for compliance with new cross-border data transfer requirements, e.g.:
• Multi-party impacts: Data transfer contracts require coordination and assessment of data sender and recipient
• Cross-entity data protection coordination: Security assessments and record-keeping require increased coordination among MNC entities
• Increased spot-checks: Provincial CACs will inspect transfer records in a randomized manner
• Management and structure: A data security compliance team is required, and work norm processes for data transfer security need to be established
Personal Information Protection Law: wide-sweeping impact on many companies
• China’s 2021 Personal Information Protection Law (PIPL) sets out framework requirements for companies to protect the personal information they collect and process

Examples of the impact of China’s PIPL on various business functions (based on supporting regulations and standards):

Human resources
(Sensitive) personal information:
• Employees’ address, personal phone number, e-mail address
• Position, work unit, education, degree, education experience, work experience, training record, transcripts
Impact on operations:
• PIPL allows some personal information collection without individual consent for some HR functions

Finance and accounting
(Sensitive) personal information:
• Bank account, deposit information (including the amount of funds, payment collection records)
• Client’s name, address, personal phone number, photos, nationality, job position
Impact on operations:
• Financial personal information faces specific categorization
• Certain categories of sensitive financial personal information may need to be localized (see also the separate industry slide)

Marketing/e-commerce
(Sensitive) personal information:
• Clients’ address, personal phone number, e-mail address
• Software usage records, click records, favorite lists
• Transaction and consumption records
Impact on operations:
• Personal pricing algorithms and automated decision-making through big data analysis are completely prohibited by the new PIPL and supporting regulations

Implications for companies
• Individual (retractable) consent is required for all PI collection
• Companies should segment sensitive personal information processing and develop separate consent mechanisms
• For cross-border data transfer, companies need to demonstrate that the data transfer abroad is necessary
• For cross-border personal information transfer, companies need to conduct impact assessments and sign contracts with foreign data recipients
• Penalties for non-compliance can reach up to 50 mn CNY or 5% of annual revenue
Network products and services: CIIOs and providers in the regulatory spotlight
CIIOs must ensure their supply chain meets cybersecurity review
Providers of key network products must pass technical reviews
• Requirements apply to a list of key network products:
  ➢ Router
  ➢ Switch
  ➢ Server
  ➢ Firewall
  ➢ …
• These products must undergo a security review
• Detailed general and technical requirements exist for each of the products; the review is point-based (score review)

The network product and services review process
• Trigger for the review: potential impact of network products and services on national security
• Principles taken into account:
  ➢ Data control: Make sure no data can be illegally obtained/processed
  ➢ Controllability: Ensure that the products cannot be manipulated
  ➢ Product choice: Make sure that the purchasing party is not deprived of its right to choose products and services
3. Industry impacts: Signals from automotive, finance, and health industries
Different industries are affected by a combination of cybersecurity regulations
[Matrix in the original graphic: for each industry, which regulations (MLPS 2.0, CIIO, Network Products, Cross-border Data transfer, Encryption, Personal Data Protection) will affect or possibly affect corporations; the effects of regulations for industries stand for MNCs and SMEs, regardless of size]
Most relevant cybersecurity regulations by industry 1) and implications for MNCs and SMEs:
• IT: IT & cloud companies listed as CIIOs face tough approval processes from authorities
• Automotive: Corporations face tough regulations on data collection and processing; unique-to-ICV cybersecurity requirements
• Health/Pharma: Sensitive personal data from clinical trials faces tough regulations; data transfer partners can be CIIOs
• Chemicals: Data transfer partners can be CIIOs; DG data can be listed as important data
• Finance: Industry-focused regulations for personal data treatment; data localization required
• Machinery: Some machinery processes may be subjected to increased data protection requirements
• Retail: Strict personal data protection requirements for eCommerce
1) Relevant cybersecurity regulations depend strongly on business models
Automotive industry: granular data security requirements suggested
• The automotive industry is one of the first industries to see a comprehensive industry-specific data protection regime
• Draft regulations point to granular important data and personal information protection categories, with localization requirements and cross-border transfer thresholds
• “Recommended principles” for data collection and processing include renewed consent for data collection at every start of a journey, and in-vehicle handling of PI/important data
China’s burgeoning ICV cybersecurity regulatory framework shows heightened focus on ICVs

Implications for Auto OEMs and Suppliers
• Cross-border data transfer: Auto OEMs, suppliers, and system providers face increased requirements for cross-border data processing
• Increased monitoring: Auto OEMs will face increased scrutiny from provincial CACs and relevant departments on how they handle data
• Supply chain compliance: Auto OEMs need to establish a cybersecurity guarantee mechanism for their entire supply chain
• Data processing regime: Auto OEMs will have to ensure compliance with dedicated personnel and SOPs
Financial institutions: strict personal data protection rules apply
• Foreign companies can now set up wholly-owned units in the mainland and take part in a 45 tn USD financial services market
• According to Bloomberg, foreign banks and securities companies could see profits of more than 9 bn USD a year in China by 2030
• The finance industry faces cybersecurity requirements for data localization and tight personal information protection requirements

Foreign institutions are setting up to move into China…
• Asset management: applying for licenses for 100%-owned companies
• Securities: approved for majority stakes in local joint ventures
• Insurance: greenlighted for the first entirely foreign-owned insurance holding company in China

…but strict cybersecurity regulations for all financial institutions can impact operation models
• Personal financial data: Personal financial information is categorized in three levels, C1, C2 and C3, with corresponding restrictions
• Risk evaluation: The “Specification for financial information service security” (GB/T 36618-2018) requires strict risk compliance for cybersecurity; this includes back-up requirements (e.g. on different servers) and post-incident response mechanisms

Implications for Financial Institutions
• Due to the type of personal data gathered, some financial institutions are likely to be categorized as CIIOs and to face additional restrictions
• Financial institutions face restrictive cross-border data transfer restrictions for personal financial data, which pose extra challenges for data transfer limits and methods
• A dedicated China-specific cybersecurity team needs to be established to deal with the extra data protection requirements, risk monitoring and evaluation, and cybersecurity trainings
Digital health: between market potential and heavy regulation

High growth for digital healthcare in China
• In 2016, 58% of patients in China reported having shared technology information with healthcare professionals, compared to 26% in the UK, 17% in Sweden and 12% in Germany
COVID-19 has increased the market potential
• During Covid-19, internet diagnosis and treatment 1) increased by 17 times, and consultations on 3rd-party Internet service platforms increased by 20 times
• Life science firms and insurance firms are likely to benefit from the expansion

But the industry suffers from high cybersecurity vulnerabilities
• In 2018, a total of 77% of hospitals’ patient apps had cybersecurity vulnerabilities
[Pie chart: share of hospital patient apps with no, low, medium and high vulnerabilities]
• In April 2020, China’s largest and first cross-border telemedicine app “Dr. Chunyu” was suspended for privacy violations

Cybersecurity regulations have implications for healthcare infrastructure
• The 2020 Health Law emphasizes data protection. Art. 49: “The state protects citizens’ personal health information and ensures the safety of citizens’ personal health information. No organization or individual may illegally collect, use, process, or transmit personal health information of citizens”
• Healthcare is highlighted as a focus of cybersecurity regulations:
  ➢ “Key Information Infrastructure Security Protection Regulations” (2017): healthcare operators are CIIOs
  ➢ “Personal Information Security Specification” (2020): healthcare data is ‘sensitive information’
  ➔ This implies particularly strict requirements in all areas of cybersecurity and data protection
• Specific healthcare cybersecurity regulations are in the making:
  ➢ Four specific regulations issued in 2018
  ➢ National standards are being drafted
  ➔ Healthcare-related companies must prepare for specific cybersecurity requirements
4. Sinolytics cybersecurity expertise
Sinolytics’ Cybersecurity and Personal Data Expertise
Our service focuses on the topics below, tailored to your needs

Overall strategy and regulatory topics:
• MLPS 2.0: Level Determination; Requirement Gap Analysis; Gap Closure Support; External Assessment and Filing
• CIIO: CIIO Determination; CIIO Requirement Gap Analysis; CIIO Strategy, e.g. Cybersecurity Review Measures
• Encryption: Encryption Law Provisions
• Cybersecurity Strategy: HQ and China office cybersecurity strategy; Monitoring/Forecasting New Rules
• Cross-border Data Transfer: Cross-Border Data Transfer Assessment; Identifying Specific Review Requirements; Implement Review
• Personal Data Protection: Identifying sensitive personal data; Privacy policy advice; Data anonymization assessment
• Network Products: CIIO Procurement Rules; Network Product and Services Catalogue
• Social Credit: Links between Cybersecurity Regulation and the Social Credit System

Industry-specific topics:
• Automotive: Connecting Sinolytics’ automotive experience with Cybersecurity
• Finance: Connecting Sinolytics’ finance experience with Cybersecurity
• Health: Connecting digital health business models with Cybersecurity
• Machinery: Connecting machinery and manufacturing models with Cybersecurity
• Pharma: Connecting Sinolytics’ pharma experience with Cybersecurity
Sinolytics Service: MLPS 2.0 Compliance Service (Example)

1 Level Grading
• Network Identification: Identify client network systems relevant for MLPS 2.0
• Level grading: Support in self-determining the MLPS 2.0 level regarding potential impacts for relevant objects
• Self-assessment report: Support in producing a report that can be provided to authorities or 3rd parties if required

2 Requirements Assessment
• Technical Requirements: List of requirements based on the graded level as defined in standards, also including encryption, personal data protection, etc.
• Operational/Management Requirements: Based on the level, clarify necessary further steps, such as external review, approval from the industry regulator and filing with the public security bureau

3 Gap Analysis
• Status Quo Analysis: Evaluate the client’s current cybersecurity measures in accordance with the MLPS level
• Gap Identification: Identify potential compliance gaps against the backdrop of the requirements and the client’s status quo

4 Implementation & Enablement
• Gap Closure Roadmap: Define a roadmap to close potential gaps and define specific measures to be taken
• Document Preparation: In case of external review, approval or filing, formulate relevant materials and inputs for grading
• Partnership Evaluation: In case of external review, identify local accredited 3rd-party reviewers that provide the best fit for client needs

5 Continuous Compliance
• Strategy: Develop a strategy to continuously deal with the MLPS 2.0 system
• Monitoring Process: Build a process to regularly update the MLPS 2.0 assessment against regulatory dynamics and regular reporting duties
• Communication Process: Build internal processes to communicate MLPS 2.0 related requirements among internal stakeholders

Deliverables: Requirements Report; Compliance Roadmap; Strategy & Monitoring
Sinolytics Service: Personal Information Protection Compliance Service
Sinolytics examines company compliance with 500+ requirements for personal information protection
Regulatory areas covered by our compliance analysis:
• Data Collection
• Third Party
• Data Storage
• Data Usage
• User Rights
• Personnel management
• Security Measures
• Anonymization
• Impact Assessment
• Cross-border data transfer
Sinolytics Service: Cybersecurity workshops and training (Example)

Company HQ – China Offices Cybersecurity Strategy
Audience: Company HQ and China offices of SMEs and MNCs
Aim: Enable a top-level, cross-functional, and tailored view on cybersecurity in China and clarify strategies and frameworks for overarching cybersecurity needs in China
Topics covered:
• China’s entire cybersecurity framework, targeted towards the company’s business industry
• Impact evaluation of Chinese cybersecurity regulations on HQ and China office operations at business level
• Cross-border implications of China’s cybersecurity framework, especially compared to other data protection regimes (e.g. GDPR)

Issue or Topic Compliance and Response Strategy
Audience: Mainly China-based offices of SMEs and MNCs
Aim: Enable a deep and granular understanding of cybersecurity compliance in China for on-the-ground operations, tailored to business model and business needs
Topics covered:
• Deep-dive into a single regulatory topic and/or a combination of regulatory topics
• Targeted deep-dive of compliance requirements according to business industry and their challenges to businesses
• Compliance strategies and use-case examples from businesses in China
Meet our team
Sinolytics’ cybersecurity team

Tiffany Wong, Project Leader
Tiffany leads Sinolytics’ cybersecurity service portfolio and has extensive experience advising corporations and industry groups on China’s cybersecurity and data governance regime. She also specializes in facilitating business strategies for clients dealing with China’s industrial and technology policies against the backdrop of an ever-evolving geopolitical landscape. Prior to Sinolytics, she worked at an advisory group in Washington, D.C. analyzing China’s BRI debt structure. She holds an M.A. from Johns Hopkins in International Economics and China Studies and a B.A. from the University of Chicago in Political Science and International Relations.

Dr. Camille Boullenois, Project Leader
Camille advises clients on regulatory compliance in the Chinese market and has a strong mastery of data analytics tools and methods. Prior to Sinolytics, she worked as an analyst at China Policy, and contributed to the EIU, Oxford Analytica and the ECFR on topics pertaining to China’s social and economic issues. She is also a researcher at the Australian National University and has studied at Sciences Po (Paris) and Oxford; with many years of experience in China, she has an outstanding command of the Chinese language and political landscape.

Dr. Jost Wübbeke, Managing Partner
Jost is a leading expert on China’s industrial, technology, and automotive policy. He heads Sinolytics’ service portfolio for cybersecurity, internet governance, and e-commerce. Jost has consulted large MNCs and SMEs on their China cybersecurity strategy, including MLPS, personal data, and cross-border data transfer. Previously, he headed the MERICS technology policy team, where he published groundbreaking analyses on Made in China 2025 and Internet Plus. He has a PhD from FU Berlin on China’s industrial policy. He also holds degrees in International Relations and China Studies from Berlin and Bochum and was a research fellow at Tsinghua University.

Fynn Heide, Analyst
Fynn Heide carries out consulting work and research on cybersecurity policy and personal information protection. He previously worked at Trivium China and the Mercator Institute for China Studies and for a member of the German Bundestag on China-related topics. He also focused on several Sino-German cultural exchange and preservation projects in Beijing and Berlin. He holds a B.A. in Politics, Philosophy, and Economics from the University of Warwick, where he wrote his dissertation on the corporate social credit system.

China insights and judgment at the nexus of business and policy
Contact: Sinolytics [email protected]