The “Several Provisions on the Safety Management of Automobile Data (for Trial Implementation)”, issued by five departments, come into force today. This is the first regulation to put data security rules into practice in the automotive industry since the introduction of the Data Security Law, which shows its importance.
In fact, more than four regulations on vehicle data security and intelligent networked vehicle management have been issued this year. What are the reasons behind this intensive release of policies? Which details and highlights of the regulations deserve attention? What actions should relevant enterprises take to keep up with the new compliance-driven stage? With these questions in mind, we invited Zhang Kang, a security expert for Internet of Vehicles at Tencent Security, and Liu Haiyang, a data security expert at Tencent Security Yunding Laboratory, to explain the contents of the laws and regulations and to suggest courses of action.
On April 29, the National Technical Committee for Information Security Standardization issued the “Security Requirements for Data Collection of Information Security Technology Networked Vehicles (Draft)”.
On June 21, the Ministry of Industry and Information Technology issued the “Guidelines for the Construction of Network Security Standard System of Internet of Vehicles (Smart Connected Vehicles)” and solicited public opinions.
On August 12, the Ministry of Industry and Information Technology issued the “Opinions on Strengthening the Access Management of Intelligent Networked Automobile Manufacturers and Products”.
On August 16, the Internet Information Office, the National Development and Reform Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Ministry of Transport announced the “Several Provisions on Vehicle Data Security Management (for Trial Implementation)”.
Data security management is imminent
What are the new requirements of the regulations?
Under the trend of the “new four modernizations”, the amount of data generated by vehicle operation is very large. In the future, the data of a single vehicle will be measured in gigabytes (“G”) or even terabytes (“T”). However, the reasonable development and use of such huge volumes of data is still in its infancy. Zhang Kang, a security expert for Internet of Vehicles at Tencent Security, said that in the past many enterprises followed their own standards, and the industry as a whole was in a state of “thousands of enterprises and thousands of aspects”. Because their respective protocol standards were not unified, cooperation and data exchange along the industrial chain often could not effectively ensure data security and sharing.
On the other hand, security incidents occur frequently, and severe data security challenges have become the core pain point of the industry's development. It is reported that from January to September 2020, there were more than 2.8 million malicious attacks against vehicle enterprises, Internet of Vehicles information service providers and other related enterprises and platforms; in an information security incident in June this year, the personal information of about 3.3 million car owners and potential customers was leaked.
Data security management is urgent. The promulgation of the “Regulations” provides a basis for data security in the automotive industry and gives users reassurance when they drive.
The regulation defines the subjects of automobile data and of supervision, puts forward four recommended data processing principles, defines the obligations of data processors, formulates rules for cross-border data transmission, and preliminarily establishes the compliance framework for China’s automobile data security.
Liu Haiyang, a data security expert at Tencent Security Yunding Laboratory, believes that the regulations clearly define the types of “automobile data processors” and “important data” for the first time. For example, “automobile data processor” is not limited to the automobile manufacturers and parts and software suppliers that are conventionally assumed, but also includes dealers, maintenance institutions and travel service enterprises. At the same time, the regulations implement an annual report system: automobile data processors should proactively report on their annual automobile data safety management on time, which means that national supervision has been strengthened and an important step has been taken towards systematic management.
From event driven to compliance driven
It is imperative to improve safety capability
“In the past, Internet of Vehicles security was still in the stage of industry education and was more event-driven. Only when loopholes were found or safety accidents occurred would the relevant parties take action. The implementation of the regulations has made the industry compliance-driven. Automobile data processors must comply with safety requirements, otherwise they will be breaking the law,” Zhang Kang said.
At present, the government is still gradually supplementing and improving the vehicle data supervision system and its methods. Under the framework of higher-level laws such as the Data Security Law and the Personal Information Protection Law, the government will further refine the implementation rules of systems such as the guidelines for the administration of access to intelligent networked vehicle manufacturing enterprises and products and the several provisions on the administration of vehicle data security, so as to clarify the responsibility of enterprises for data security protection and improve the automobile data security protection system.
Of course, compliance is not the ultimate goal. It shortens the otherwise long process of industry education and quickly forms a general consensus, but that is only the starting point for truly achieving data security in the Internet of Vehicles. For today's car companies, improving their own security capability is just as important. The lack of technical means suited to the intelligent driving environment (such as blurring and anonymization of collected images and videos), unknown vulnerabilities in on-board systems and external components, and many other problems are holding back the development of data security.
Stick to the safety bottom line
Actively build a new benchmark for network security capability
How can car companies better meet the requirements of the compliance era? For building security capability in-house, Liu Haiyang proposed a “promotion trilogy”:
1. Sort out data assets and data scenarios: inventory the important contents of the enterprise’s data assets and data scenarios (such as big data processing and analysis, intelligent driving data labeling, third-party entrusted processing, etc.), so as to lay the foundation for technical controls, compliance response and management system construction;
2. Evaluate and analyze the enterprise’s own compliance: as mentioned in the Personal Information Protection Law and the Data Security Law, a data processor should regularly carry out compliance audits, evaluate its own data control status and compliance status, and analyze the compliance gap;
3. Find and fill the gaps and strengthen hard security capability: remedy shortfalls in security technology, which generally include data encryption and decryption, data desensitization, electronic authentication and other core areas;
4. Establish a management system and audit process: establish the enterprise’s data security management system, implement its data security protection obligations, and ensure the compliance of vehicle data operations through audit.
At the same time, the large volume of data, the many parties involved and the long chain of the Internet of Vehicles mean that single-point risk solutions have little effect. Jointly building Internet of Vehicles security technology in depth and forming an integrated, whole-process solution can effectively and comprehensively accelerate the improvement of car companies' security capability.
SAIC, for example, is actively exploring how to build its Internet of Vehicles security capability. In April this year, SAIC and Tencent announced that they would jointly build a joint network security laboratory. The two sides will jointly build network security products, establish a network security operation system covering the whole life cycle of intelligent networked vehicles, and improve the network security level of automobile cloud management end integration by integrating deeply into the vehicle R&D and manufacturing process.
The introduction of the regulations further pushes the industry to speed up its data security planning, and challenges and opportunities coexist. On the new journey ahead, Tencent Security is willing to cooperate with more enterprises to strengthen technology research and development and the application of data security technology, improve safety and controllability, build a sound data security management system, build an “automobile network security base” for the compliance era, and jointly explore a new benchmark for the automobile network security industry.