The Paper's reporter Tian Zhongfang
On January 20, a reporter for The Paper (www.thepaper.cn) learned that at this year's Shanghai "two sessions", Zhao Baiji, member of the Shanghai Municipal Committee of the Chinese People's Political Consultative Conference and chairman of PwC Asia Pacific and China, submitted a proposal titled "Proposal on Establishing a Data Security Audit and Evaluation Mechanism".
"2021 is not only a landmark year in the process of Internet rule of law in mainland China, but also a key year in Shanghai's urban digital transformation process," Zhao Baiji pointed out.

Zhao Baiji said that on the one hand, the mainland has made significant progress in legislation in the field of data security and personal information protection in 2021. On September 1, the Data Security Law came into effect, forming the top-level design of the mainland in the field of overall data security governance. On November 1, the Personal Information Protection Law came into effect, ushering in the first year of the mainland's legal system in the field of personal information protection. The Guidelines for the Classification and Grading of Internet Platforms (Draft for Solicitation of Comments) and the Guidelines for the Implementation of Entity Responsibilities of Internet Platforms (Draft for Solicitation of Comments) focus on Internet platforms and clearly define their responsibilities for data security and personal information protection.
On the other hand, the Shanghai Data Exchange was inaugurated in 2021. At the same time, the release of the Shanghai Municipal Data Regulations provides a basic institutional guarantee for Shanghai to comprehensively promote urban digital transformation.
However, Zhao Baiji further pointed out that although the current Cybersecurity Law, Data Security Law and Personal Information Protection Law have formed a troika of mainland cyberspace governance and jointly built a strong legal system, the industry guidelines and implementation norms for the related security audits and assessments have yet to be explored and clarified.
"For example, the qualifications and access requirements of third-party security audit and assessment bodies are not clear; the scope and standards of security audits and assessments are not clear; and the content, use methods and timeliness requirements of security audit and assessment reports are unclear," Zhao Baiji explained.
In this regard, Zhao Baiji put forward three suggestions:
The first is to clarify the qualifications and access requirements of third-party security audit and assessment agencies as soon as possible.
The second is to formulate the scope and standards of security audit and assessment. In order to meet the needs of relevant security audits and assessments, the auditing standard-setting institutions can take the lead, organize experts in the field of auditing industry, and cooperate with authoritative institutions such as the Shanghai Internet Information Office to formulate relevant work guidelines, clarify the scope, content, and important control points of security audits and assessments carried out by professional institutions, and provide norms and guidance for professional institutions to carry out audit work.
The third is to clarify the content, use method and timeliness of security audit and assessment reports. Generally speaking, security audit and evaluation reports are divided into public reports and non-public reports according to the intended users. In contrast to public reports, non-public reports contain descriptions of specific security controls and the auditor's audit and assessment of the effectiveness of the design and operation of those controls. Based on this, it is recommended that the relevant departments, while studying the relevant audit and evaluation standards, clarify the requirements for the content of the report, the use method and the timeliness, etc., so as to meet the information needs of the expected users of the report and facilitate supervision.
"Although data can promote the development of the digital economy, the lack of security will in turn restrict the development of the digital economy and lead to social problems such as the misuse of personal information," Zhao Baiji stressed. Therefore, as a pioneer in digital transformation and one of the first cities to establish a data exchange, it is necessary for Shanghai to take the lead in establishing a trust mechanism between data security and data circulation, and to formulate and introduce supporting measures related to security audits and assessments as soon as possible.
Responsible editor: Wang Jie. Photo editor: Shen Ke. Proofreader: Shi Gong.