Preface
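State-owned enterprises are very large in scale, play a core role in the national economy, and occupy a key position among market participants. These enterprises take the lead in formulating and promoting digital asset valuation standards for the digital economy, digital industries, and digital enterprises. These standards are not only essential for adoption by private enterprises and across society, but also greatly benefit the preservation and appreciation of state-owned enterprises' digital assets. They also drive the high-quality development of the digital economy across society, so that state-owned enterprises play a leading role in that development.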
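As early as 2018, the State Council issued the "Guidelines for Compliance Management of Central Enterprises (Trial)" (the "Guidelines"), and in 2022, building on the Guidelines, it formally introduced the "Measures for Compliance Management of Central Enterprises" (the "Measures"). Compared with the Guidelines, the new Measures are more comprehensive, place greater emphasis on compliance management requirements for state-owned and central enterprises, and significantly strengthen supervision. In data governance in particular, Chapter 6 of the Measures is devoted to informatization, stressing that central enterprises should strengthen the informatization of compliance management and highlighting the importance of data protection in building the compliance systems of state-owned enterprises.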
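At present, we are in a critical period for deepening state-owned enterprise reform. Since the 20th National Congress, the state has attached growing importance to its strategic plans for building a Digital China, accelerating the development of the digital economy, and raising the level of digital public services. As the backbone of the national economy, state-owned enterprises should take on the responsibility of leading by example in enterprise data compliance management.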
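Establishing a data management system that meets legal requirements is a key step in integrating and revitalizing the data resources of state-owned enterprises and optimizing state-owned assets.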
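Under Article 2 of the Law on State-Owned Assets of Enterprises, state-owned assets of enterprises are the rights and interests formed by the state's capital contributions in various forms to enterprises. Data assets that state-owned enterprises form in the course of operation and management are therefore also part of state-owned assets. As local debt continues to grow, both the central and local governments have recognized the importance and urgency of debt risk and of the responsibility for resolving it.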
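The "Opinions of the General Office of the State Council on Further Revitalizing Existing Assets and Expanding Effective Investment" (Guo Ban Fa [2022] No. 19) address the current situation in which existing assets in infrastructure and other fields are not being used effectively, and set out the key areas and methods for revitalizing existing assets. Moreover, state-owned enterprises in the communications, finance, and public service sectors very readily collect large amounts of personal information and even state secret information. The useful content in this data can be put to proper use, so that collected data assets do not sit idle as data silos. If these data assets can be used effectively, enterprises can reuse these resources in a lawful and compliant manner and thereby raise their overall revenue; such use of resources is in fact part of revitalizing existing state-owned assets. (Operational Guide to Recording State-Owned Enterprise Data Assets on the Balance Sheet and Valuation Practice)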
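For this reason, a state-owned retail enterprise in Guangdong engaged our firm's data compliance team to help the company comprehensively identify and assess its compliance risks in data security management, clarify the internal environment for risk management, and build a brand-new network and data security management system from scratch. Below is a presentation of part of the services provided in this project: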
Image | The tip of the iceberg in delivering written results
Compliance project initiation and preliminary investigation
The first step of the project was to conduct a comprehensive due diligence investigation. Based on multiple laws and regulations such as the Cybersecurity Law, Data Security Law, and Personal Information Protection Law, as well as relevant national and industry standards, the team conducted an in-depth analysis of the company's current situation. At this stage, the team paid special attention to key aspects such as data collection, processing, storage, transmission, and sharing, in order to accurately identify potential compliance risk points.
Risk assessment and compliance inspection
Through preliminary investigation and analysis, our legal team has developed a series of documents including the "Data Processing Activity Full Lifecycle Compliance Self Inspection Checklist" and the "Mini Program Processing Activity Full Lifecycle Compliance Self Inspection Checklist". These self inspection checklists help companies assess the compliance of their personal information processing activities and ensure compliance with legal requirements at all stages.
At this stage, our legal team issued the "Data Compliance Risk Review and Assessment Report" and the "Personal Information Collection Compliance Testing Report", which detailed the current situation, existing problems, and specific rectification suggestions of the company and its mobile applications such as WeChat mini programs in data security management. These reports not only include an assessment of control over the company's internal systems, but also cover key areas such as data compliance policies, text and UI optimization for mini programs, supplier access mechanisms, and data access rules.
Text revision and policy optimization
Based on risk assessment and compliance checks, our legal team has further submitted a series of revised texts to the company, including the "Real Name Authentication Service Agreement," "Store Service Agreement," "Privacy Policy," and "User Service Agreement," which clarify the various terms and conditions that users should comply with when using mini program services. These text revisions not only ensure the legal accuracy of the terms, but also enhance users' understanding and trust in personal information protection.
Establishment of compliance management system for structured data
Our legal team has tailored a comprehensive set of data management system texts for the company, covering key aspects such as the "Data Compliance Responsibility Institution Management System", "Data Security Life Cycle Security Management System", "Data Asset Grading and Classification Management System", "Network Security and Information System Security Protection System", etc. These institutional documents not only lay a solid foundation for the company to establish a secure, compliant, and efficient data management system, but also help the company refine the responsibilities and obligations of various departments and individuals, ensuring comprehensive coverage of data security.
Long-term cooperation and continuous support
Our legal team has been tracking the company's new business for a long time and has developed a comprehensive review and evaluation report for the company's newly launched WeChat mini program, ensuring that its privacy policy and actual operational status comply with legal requirements, and proposing specific rectification suggestions. Through these continuous efforts, the company's data management system has gradually improved and compliance has been significantly enhanced.
Dynamic adjustment and continuous training
Our legal team promises to provide ongoing legal advice and support. In addition to delivering written results, the legal team also regularly conducts specialized training for the company to enhance internal employees' awareness and operational skills in data security. At the same time, the team also provides the latest legal information and dynamically adjusted institutional documents to adapt to the constantly changing legal environment and the actual needs of the company.
Project achievements and social impact
Through the professional services of our data compliance team, the state-owned retailer has successfully established a data compliance management system from 0 to 1, which not only improves the company's data processing capabilities and security level, but also enhances consumers' trust and loyalty to the brand. In addition, the successful implementation of this compliance project has provided valuable reference and inspiration for other companies in the same industry, promoting progress in data security and compliance management throughout the industry.
Conclusion
Data compliance is not only a legal requirement, but also a manifestation of corporate social responsibility. In the era of digital economy, how enterprises effectively manage and protect data is directly related to their business success and sustainable development. Lawyer Zeng Li and his team helped the client build a strong data security protection network that complies with the latest legal regulations in this project. Looking ahead to the future, our legal team will continue to work hand in hand with clients to face more challenges and opportunities, and safeguard the data security of more enterprises.