Perspectives | Research on the path to improve enterprise data authorization service and management capabilities

Text / Jiangsu United Credit Information Co., Ltd. Chen Kang Li Jinshen

General Secretary Xi Jinping pointed out that it is necessary to build a digital economy with data as the key element, give full play to the role of data as a basic resource and innovation engine, and accelerate the formation of a digital economy with innovation as the main guide and support. In December 2022, the Central Committee of the Communist Party of China and the State Council issued the "Opinions on Building a Data Basic System to Better Play the Role of Data Elements" (referred to as the "Data 20 Articles"), which provides top-level design principles and directions in terms of data basic systems, which proposes to "promote the establishment of an enterprise data authorization and confirmation mechanism", encourage enterprises to explore new data authorization and use models, promote fair authorization and rational use of data by small and medium-sized enterprises, and empower the digital transformation of small, medium and micro enterprises.

Difficulties faced

The "20 Data Articles" proposes to encourage the exploration of new models of enterprise data authorization, give play to the leading role of state-owned enterprises, guide industry leading enterprises and Internet platform enterprises to play a leading role, promote two-way fair authorization with small, medium and micro enterprises, jointly and rationally use data, and empower the digital transformation of small and medium-sized enterprises. Enterprise data authorization service and management is a comprehensive work, which needs to comprehensively consider the requirements of law, regulation, business, technology, etc., and also needs to take into account the experience of enterprise authorization operation.

1. There are many compliance requirements for enterprise authorization management. The "20 Data Articles" require "the establishment of a data property rights system that protects rights and interests and is used in compliance", and how to establish an effective and feasible landing standard and implementation mechanism in the data collection authorization scenario to solve the differences in authorization requirements at different levels is the main difficulty faced by the current data authorization system construction. Standards need to be established to ensure consistency with national laws, higher-level compliance regulations, and compliance requirements of data source units, to ensure that all parties follow the same rules in data collection and authorization, to avoid differences in understanding, and to enable all parties involved to clarify processes, responsibilities, and where data goes. When implementing the standard, it is necessary to ensure that the data subject, the data collector, the authorized party and other parties are based on full understanding and consent to the authorization, so as to prevent disputes and compliance risks that may be caused by information asymmetry.

2. Enterprise authorization services and management are decentralized. The "20 Data Articles" require "strengthening the overall planning of authorized use and management, promoting interconnection, and breaking down data silos". To implement this requirement in the scenario of enterprise data authorization management, two key difficulties need to be solved: how to provide unified and convenient authorization services to obtain authorization information, and how to manage the authorized content of enterprises in a unified manner. The establishment of a unified authorization service is a prerequisite for data applications to meet the compliance requirements of different scenarios and systems for authorization services. How to build a unified authorization service capability to support the above scenarios and requirements, improve the convenience of authorization, and reduce duplicate authorization is a problem that needs to be solved to efficiently manage enterprise authorization. How to solve the problem of collecting all relevant authorization information of data, realize the centralized management of authorization information, and then meet the inspection needs of authorization verification and meet compliance requirements in business scenarios such as data collection and data query, this is the second problem that needs to be solved for unified management of authorization content.

3. The efficiency of enterprise authorization and promotion is low. The "20 Data Articles" require "encouraging the exploration of new models of enterprise data authorization and use, and promoting two-way fair authorization with small, medium and micro enterprises", enterprise authorization is a continuous work, and how to effectively expand the coverage of enterprise authorization is a difficult point in the actual development of data authorization and promotion work. However, due to the imperfection of the early data authorization management mechanism and the lack of promotion, data subjects will often face repeated authorizations and multiple authorizations, and some data subjects do not have sufficient understanding of data authorization, or do not trust the purpose of data collection and use, which often leads to low willingness of data subjects to authorize and cooperate, which in turn affects the service experience of users. How to continuously improve the trust of data subjects, enhance the willingness to authorize, improve the user experience, and then cooperate with the development of authorization through reasonable promotion methods are the difficulties that need to be solved in the promotion stage.

Suggestions for improving enterprise data authorization services and management capabilities

1. Establish a standardized enterprise authorization management system. The establishment of an authorization management system is the management basis for establishing a unified and standardized authorization management system, and is the basic measure to ensure that the differences in authorization requirements at different levels are eliminated in the process of data collection and use, and standardized compliance management is realized. Through the establishment of the authorization management system, the foundation of legal compliance management can be effectively consolidated, the legitimate use of data can be fully guaranteed, the rights and interests of data subjects can be protected, legal and regulatory requirements can be complied with, and unified management and implementation standards for data authorization can be implemented in actual work.

When establishing an authorization management system, it is necessary to first implement data classification and hierarchical management in accordance with relevant laws and regulations, such as the Data Security Law, the Personal Information Protection Law, and the Measures for the Administration of Credit Reporting Business, and industry regulatory requirements, and determine the data authorization use scenarios according to the data level; Application delivery and other data authorization management life cycle links to ensure the legal compliance of data use lifecycle authorization, and finally combined with the data management requirements of industry authorities, to support the application needs of public data in enterprise credit reporting and other fields.

When carrying out data collection authorization management, it is first necessary to strengthen communication with data subjects, improve the data subjects' education and awareness of authorization management, and realize the implementation of national requirements for third-party data collection review and monitoring in combination with specific data protection measures, so as to ensure the effectiveness and compliance of data collection authorization management; Finally, when optimizing and adjusting data collection standards and management measures, it is necessary to conduct sufficient cross-organizational coordination and communication with relevant authorized stakeholders to ensure that information is effectively conveyed and adjustment measures are effectively promoted.

2. Create standardized enterprise authorization services and management capabilities. Enterprise authorization service and management capacity building are key measures to ensure compliance, uniformity, security and efficiency in the data collection process. Build a unified authorization service and management system, standardize authorization services through systematic tools, reduce excessive development costs and operating costs caused by decentralized management, improve the transparency and traceability of authorization management through systematic tools, ensure the consistency of authorization process and management process, and ensure the legal compliance of data collection and use.

First, it is necessary to build the basic capacity of authorization management, integrate and integrate the current mainstream authorization service methods such as electronic signature and mobile authorization, and then unify the authorization service, which is an effective way to realize the standard service of authorization management. Through technical means such as electronic signature capabilities, the integration of enterprise stock authorization resources and external third-party electronic certificate resources can be realized, and the process interconnection of data authorization and online enterprise data authorization service management can be realized.

Second, it is necessary to build a unified authorization management capability, gather enterprise authorization information in different business application scenarios, and promote the centralized and unified management of authorization content.

The third is to build a unified authorization service capability that can be empowered externally, better manage and protect the authorization process of enterprise data, and ensure that the authorization process is standardized, controllable, and traceable. This is important to protect the privacy rights of data subjects, ensure the lawful use of data, and promote the development of digital business.

3. Expand enterprise data authorization channels. Improving the coverage of enterprise data authorization is the core premise for giving full play to the value of data elements. Promote and optimize the authorization model based on actual scenarios, improve the authorization experience of enterprises, and strengthen the trust relationship with data subjects. This requires a comprehensive combination of technology, processes, and user education to provide enterprises with a high-quality operational experience and value perception, and to find a balance between the compliant use of data and the value of play.

The first is to build authorization capabilities suitable for a variety of scenarios, provide users with a variety of authorization methods according to their usage habits, improve user authorization experience, establish objection handling channels, and improve user satisfaction through the implementation of multiple channels for online and offline objection declaration and processing.

Second, under the premise of legality and compliance, through the innovative cooperation model of mutual authorization and mutual recognition, promote the mutual authorization and use of data between upstream and downstream units of data, avoid duplicate data collection and authorization processes, so as to improve compliance and efficiency, and effectively expand the coverage of enterprise authorization.

The third is to embed the data authorization process into the existing business process, reasonably integrate the authorization process with the business process, and guide users to authorize the business process in combination with specific business scenarios while meeting compliance requirements, so as to improve the overall compliance, security and efficiency of the business process and the data authorization process.

Fourth, we will continue to strengthen authorization education and training based on the feedback from enterprises in the use of authorization, establish a trustworthy relationship with data subjects, promote data value mining, empower data subjects' own business development, and improve the value perception of data subjects.

To sum up, this paper provides valuable experience and inspiration for the implementation of data authorization through an in-depth discussion of enterprise data authorization management practices. Through the innovation of management and technical means, we can better realize the compliance, security and effective use of enterprise data, and lay a more solid foundation for the development of the digital economy.

(This article was published in the second half of February 2024)