Cybersecurity Strategy for Global Consumer Products Company in China Market

James He, Cyber security Director, L'Oréal


The world is ever-changing. Over the past 20 years, through the process of globalization, China has become the factory of the world for multiple industries, including some high-technology industries. However, in the most recent 5 years, the China market has become more and more unique, even separated from the rest of the world, due to geopolitical reasons, high-tech competition, data sovereignty and localization requirements, end-to-end supply chain security, and so on.

But the one thing that has not changed is that China is still one of the biggest consumer markets in the world, thanks to the key factors: population, purchasing power, and government policy support for the internal circulation of China's economy. I believe no global consumer product company is willing to give up the China market. What we need to study, as cybersecurity practitioners, is how to adapt our Chinese organization, and with it our cybersecurity strategy in China, to this unique market and unique digital world.

First of all, China has its own unique and comprehensive cybersecurity laws and regulations, including data security and privacy protection. What is our strategy to comply with these requirements while keeping our global strategy and visibility? What kind of bottom line should we hold for both sides? I believe this is where cybersecurity, legal, and even government affairs need to work very closely together: keep up to date with the political climate, understand the government's legislation and enforcement trends, and benchmark against industry peers. Then we can formulate our own executable compliance strategy and plans. From a technical perspective, neither a globally centralized nor a fully China-localized technology and data residency strategy will fit both sides simultaneously. We definitely need to source an intermediate solution, such as a geographically partitioned or distributed one, that meets China's data residency requirement while allowing only necessary aggregated or pseudonymized data to be transferred cross-border to keep a globally consolidated view.

To sell consumer products well in the China market, you can never ignore the major Chinese E-Commerce platforms. Yes, we can have our own Direct-to-Consumer or loyalty programs, but it is crucial to embrace and integrate with China's major E-Commerce walled gardens, to make use of China's digital advertising channels by leveraging interesting marketing content and KOLs, and even to legitimately use 1st, 2nd and 3rd party data and social and search marketing touchpoints to target potential customers. That is why the operational risk of the E-Stores on E-Commerce platforms becomes critical to us: there is a high volume of operation accounts to be managed on those E-Stores, sometimes with high turnover and complex roles. Our successful experience is to build an E-Commerce platform account management system integrated with our own HR system, automate the check-in/check-out/rotate process, enable role-based authorization and entitlement review controls, and of course enable audit logging so that abnormal activity alerts fire based on pre-defined risk scenario rules. There are also some privileged accounts for managing the key functionalities of E-Stores. We have a success story in creating a secure, centralized environment through which the business accesses its E-Stores via privileged accounts, which enables visibility, accountability and traceability around their usage and completely avoids sharing the credentials of privileged accounts.
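The sketch below is an added illustration of the controls just described, not the author's or L'Oréal's system: it reconciles E-Store operator accounts against an HR roster (check-out, entitlement review, rotation) and applies one pre-defined risk scenario rule to audit events. All field names, roles, thresholds and sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names, roles and thresholds are assumptions.
HR = {  # employee_id -> (status, job function), as exported from the HR system
    "E100": ("active", "customer_service"),
    "E101": ("terminated", "store_ops"),
    "E102": ("active", "marketing"),
}
ALLOWED_ROLES = {  # job function -> E-Store roles it may hold
    "customer_service": {"cs_agent"},
    "store_ops": {"order_manager", "cs_agent"},
    "marketing": {"campaign_editor"},
}
ACCOUNTS = [  # operator accounts on the platform's E-Store
    {"account": "store1:amy", "owner": "E100", "role": "cs_agent", "rotated": date(2024, 5, 1)},
    {"account": "store1:bob", "owner": "E101", "role": "order_manager", "rotated": date(2024, 4, 20)},
    {"account": "store1:cat", "owner": "E102", "role": "order_manager", "rotated": date(2024, 1, 2)},
    {"account": "store1:tmp", "owner": "E999", "role": "cs_agent", "rotated": date(2024, 5, 10)},
]
AUDIT = [  # (account, action, records touched)
    ("store1:amy", "view_order", 1),
    ("store1:amy", "export_orders", 5000),
    ("store1:cat", "export_orders", 20),
]
MAX_ROTATION_DAYS = 90
EXPORT_ALERT_THRESHOLD = 1000  # one pre-defined risk scenario: bulk export

def review_accounts(accounts, hr, today):
    """Return (account, finding) pairs for check-out, entitlement and rotation."""
    findings = []
    for a in accounts:
        owner = hr.get(a["owner"])
        if owner is None or owner[0] != "active":
            # Leaver or unknown owner: the account must be checked out.
            findings.append((a["account"], "check-out: owner missing from HR or not active"))
            continue
        if a["role"] not in ALLOWED_ROLES.get(owner[1], set()):
            findings.append((a["account"], "entitlement: role not allowed for job function"))
        if (today - a["rotated"]).days > MAX_ROTATION_DAYS:
            findings.append((a["account"], "rotate: credential overdue"))
    return findings

def audit_alerts(events):
    """Flag audit events matching the bulk-export risk scenario."""
    return [(acct, action, n) for acct, action, n in events
            if action == "export_orders" and n > EXPORT_ALERT_THRESHOLD]

if __name__ == "__main__":
    print(review_accounts(ACCOUNTS, HR, date(2024, 6, 1)), audit_alerts(AUDIT))
```
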


As you know, China's Personal Information Protection Law (PIPL) took effect on 1st Nov 2021. It is equivalent to Europe's GDPR, and even stricter in some areas. But the biggest difference still comes from China's unique digital ecosystems, which lead to a unique approach to the enforcement and execution of privacy protection regulation in China. After PIPL, all the major Chinese E-Commerce platforms performed a privacy revamp to meet the latest privacy requirements, and the interfaces between E-Commerce CRM, Order Management System, and Warehouse and Logistics System changed. It has become more and more difficult for merchants to acquire personal information from customers, unless we successfully convince customers to join our own membership program. Legally speaking, this is the right thing to do: it protects the lawful rights and interests of citizens and organizations, and also serves the economic and social development of the whole digital ecology.

To protect the personal information of all our loyalty members in China, in compliance with China's local cybersecurity and privacy regulations, we must build a comprehensive privacy protection program or system, which includes:

• Privacy and Security by Design
• Supply Chain security management
• Personnel security governance
• Data mapping for personal information processing register
• China digital application compliance check
• China specific target marketing rule
• Chinese Data Subject Rights protection and appeal management
• Content management

One thing I’d like to highlight here is the last item, content management. This is also a very special requirement in China's cybersecurity framework: it requires continuous monitoring and filtering to make sure all content generated either by your company or by your users is legally and politically right. This is not a small effort.

In a global company, there is always a debate between choosing a global security solution and a local security solution. A global solution enables global visibility with centralized management and operation, and keeps configuration and rules globally consistent. A local solution is a better fit for local consumers' habits and experience, and sometimes offers high performance and even low cost. Again, China is a unique market: for some consumer-facing solutions we definitely can consider local solutions, with a global-standard risk assessment to be performed. For more backend solutions, of course, we prefer to choose a globally certified solution, so that we have a global view of the full picture. Again, there is no one-size-fits-all answer; we still need to deep dive case by case. But the risk assessment methodology and process should be consistent, without any bias. One good example is the NFT platform, which is also a very hot topic both in China and globally. To issue NFTs in China, there are many potential legal risks, compliance requirements and industry practices to consider; we must choose a qualified operator of an NFT platform with all the licenses in China and a contractual commitment to cooperate. However, we will still mitigate all the cybersecurity risks with a global solution based on the underlying blockchain technology.

Copyright © 2025 Applied Technology Review. All Rights Reserved