Introduction
For China-related ERP and cloud application implementation projects, organizations need to consider several legal regulations:
- Personal Information Protection Law (PIPL). According to experts, it has some similarities to Europe’s General Data Protection Regulation (GDPR).
- Cybersecurity Law (CSL)
- Data Security Law (DSL)
This blog provides some architecture illustrations. Legal advice is not provided here. Please contact local legal advisors for legal advice on your own situation.
1) Architecture related considerations – On premise, Private Cloud solutions
The local legislation related to the above-mentioned laws in China is subject to regular change. For this reason, organizations should set up a watertight solution that holds up over the long term. Customers we have encountered in recent years are setting up a dedicated architecture in China to comply with current and future regulations.
A typical solution is a hybrid scenario, where the corporate core ERP non-productive instances run on infrastructure outside of China and the productive instances are hosted in China.
In this illustration, the ERP Development and Quality instances are in the EU. For the pre-production (PPD) and production (PRD) instances, two dedicated instances are created, with dedicated hosting infrastructure in the EU and in China. In an SAP landscape, the STMS configuration makes it possible to push all transport orders in a ‘Y’ routing to the PPD and PRD instances located in the EU and China.
With this approach, all sensitive data is stored physically in a data center (DC) located in China (own data center, Alibaba, etc.).
Considerations for integration scenarios:
Middleware (MW) solutions can store data, even if only in non-persistent storage. They can also pass sensitive data to other legacy applications or to any other cloud service. In this case, a dedicated MW production instance for China may also be required. Some integration scenarios require integrating the China ERP production instance with a core legacy system or with a cloud service provider outside of China. In this case, the organization should ensure that only non-sensitive data is transferred and should follow regulatory changes on a regular basis with local legal advisors.
Considerations for reporting:
Global organizations require consolidated reports on all business units and regions. For the focus area of this blog article, we can imagine a two-way approach to reporting:
- Way 1: reporting with a drill-down requirement to details, where the detailed data can hold sensitive data
- Way 2: reporting at an aggregated level, where a drill-down action can read only aggregated and non-sensitive data
2) Architecture related considerations – Public Cloud applications, services
Several cloud application solutions and services do not provide a dedicated physical infrastructure hosted in China. The illustration below shows an example of a global indirect spend e-procurement solution. In this case, the following considerations apply:
- try to keep all sensitive data for suppliers in the ERP system
- documents sent to suppliers (located inside or outside of China), such as contracts and purchase orders, should not contain sensitive data
Cloud providers have white papers for their customers with China business, explaining their compliance to the regulations and laws. It is very important to request these white papers and get them reviewed by local legal specialists in China.
3) Architecture related considerations – Great Firewall
The Great Firewall has limited impact on business use cases, according to the reports we have received from organizations operating in China. In addition, most corporations have their own networks (private cloud networks, own proxies, VPN, etc.), which could reduce any kind of filtering issues.
Summary: China is a very important market for a lot of corporations. To get access to this huge marketplace, organizations have to be compliant with local regulations. This might have a significant financial impact on IT and legal operations; however, the benefits of a presence in China should be much greater than these costs. In any case, it requires careful preparation for IT and business transformation projects, supported by local legal advisors in China.