Cross-Border Data Compliance in China for International Businesses

Ling Jin

10 Feb 2023

This article is co-written by Ling Jin at Lusheng Law Firm and Holly White at Rouse.
In this article we discuss key drivers, pain points and how to address them.

International businesses in China that deploy data management software solutions may need to implement a regulatory compliance strategy for cross-border transfer of data. Becoming compliant is ever more critical as real risks are emerging, especially with threats rising from customer and employee complaints. Business suspension, fines and reputational damage could arise as a result.

On the surface it may seem hard to define the action that needs to be taken and the urgency. There are considerable uncertainties and multiple complex factors that need to be considered. However, steps can be taken to identify the key pain points and prioritise actions to manage the risks to an acceptable level.


Business drivers for ensuring compliance

Any business that might be exposed to regulatory non-compliance should act now. Particular drivers are highlighted in the case studies below:


Example 1: Publicly listed industrial manufacturing company with multiple entities in China

The business had undergone a restructuring and let employees go. A previous employee complaint had a negative impact on the business. Therefore, the overseas HQ wanted to ensure compliance across all Chinese entities to avoid potential future problems. Each entity took a different approach to processing the personal information of employees, job candidates and business partner contacts, requiring bespoke rectification actions for each.


Example 2: Multinational entertainment business operating multiple apps, social media channels and international ERP system

The commercial strategy was changing, reducing delivery via third-party entities and increasing the business's own role in operational delivery, thereby creating greater exposure. In addition, the business was reliant on an overseas ERP system to process employee and business partner personal data. Operating in a highly regulated sector, it had previously experienced impacts from regulatory non-compliance and wanted to avoid future issues.


Common pain points when charting the route to cross-border data transfer compliance:

Most businesses should comply with the Standard Contractual Clauses (SCC) route, as they will not meet the government security review threshold and the route to be certified by a specialized agency is far from operational. Implementation of the SCC is imminent this year. Businesses should prepare. There are common challenges faced during the compliance rectification process:

Pain point 1: Lack of internal understanding of systems used and data flows

Without knowing which systems are used, what data is transferred to whom and the roles played by different entities, it is not possible to identify the rectification actions needed. This is particularly critical where personal, sensitive personal or important data is transferred.

Pain point 2: Uncertainty about whether to establish a standalone China data handling system

For some, the best solution is to stop transferring the data outside of China. To make the business management decision, the balance between the burden of becoming compliant and the additional cost of establishing new IT systems, personnel and processes needs to be considered.

Pain point 3: Securing alignment between China and global data compliance

To comply with China regulations, new agreements are likely to be needed with other internal entities or outside service providers. These need to sit alongside, and not conflict with, existing international arrangements. Stakeholder management may also be required for those who may push back on the need for changes.

Pain point 4: Ensuring a proportionate response to tackling the risks

The real risks and how to prioritize rectification actions can be unclear. Businesses want to identify the “must-dos” to effectively manage the risks without undertaking lengthy and costly exercises. There are additional pressures for those operating in more sensitive industries, who have CIIO clients or significant numbers of employees or customers in China.

Action needed to address pain points and ensure compliance

Developing and implementing a regulatory compliance strategy for cross-border transfer of data will enable businesses to identify key data compliance pain points; rate the potential risks against their commercial goals in China; and develop appropriate strategies and prioritised rectifications.

Process to develop regulatory compliance strategy:




The time has come for businesses to be compliant with the cross-border data transfer regulations. Any international business in China that shares personal data (employee, customer or business partner) with, or gives access to it to, other internal entities overseas or third parties is exposed. Lengthy and costly exercises are not necessarily needed to deliver effective compliance. An experience-based assessment of the situation enables identification of the key risks and how to mitigate potential negative business impacts in the short, medium and longer term.

