How Large Language Models Transform Data Security Compliance Management
This article explains how a leading insurance technology group leverages large language models to streamline data security compliance, detailing the evolution of data management, key governance challenges, multimodal AI architecture, and practical workflows for policy enforcement, risk monitoring, and asset management.
Introduction
In 2021 China enacted the Personal Information Protection Law and the Data Security Law, raising new national requirements for data security compliance. A national data bureau was created, prompting enterprises to elevate their data governance. In response, the group’s technology division established a Data Management Department to align with these regulations.
Data Management Value Proposition
The evolution of data management is described in three eras:
The first era (information era) focused on data quality improvement and regulatory reporting, especially for insurance and finance.
The second era built a data‑asset‑centric management system, with both group‑level and subsidiary‑level asset management and value extraction.
The third era, emphasized today, is a compliance‑driven, full‑scope data management framework that ensures secure data flow while supporting efficient asset operations.
Key Governance Challenges
Data responsibility and capability assessment covering strategy, metrics, organization, capabilities, policies, and domains.
Measuring and operating data value, including conversion, quantification, presentation, and operationalization.
Building a scientific, complete compliance assurance system covering planning, architecture, operations, and protection.
Large Model Scenario Applications
The group applies large models to three main scenarios: data compliance management, data asset management, and data capability assessment. LLM tasks include classification, summarization, evaluation, question‑answering, and SQL generation.
Model architecture is layered:
Base layer – handles Q&A and knowledge‑base enrichment.
Decision layer – fine‑tunes models, integrates knowledge graphs, and supports compliance pre‑review, material summarization, content judgment, and maturity assessment.
Execution layer – delivers tools and capabilities downstream, using model explanations to drive further evaluation.
Technical Architecture
A multimodal LLM pipeline processes input signals (text extraction, PDF‑to‑image conversion), stores vectorized representations, routes instructions to multiple GPT instances (company‑owned and subsidiary‑owned), and dispatches prompts and jobs. The application layer assembles and formats model outputs to support knowledge, capability, and metric centers.
Compliance Workflow
The compliance process includes policy issuance, systematic compliance checks, reporting to subsidiaries, evaluation, risk monitoring, and special assessments such as PIA and outbound‑data reviews. Policy dissemination is challenging because legislation keeps evolving and the work requires deep legal and technical expertise.
Compliance checks lack clear guidance, so the team creates standardized, engineering‑grade instructions. Data reporting can involve hundreds of documents, often requiring additional cleaning and validation. Risk monitoring aggregates numerous indicators for leadership and subsidiary guidance.
Asset Management Process
The solution comprises one data‑control platform, four rule libraries (compliance, knowledge, asset, tool), five services (management mechanisms, compliance assurance, asset management, operational management, tool implementation), and six client types (executives, data managers, business staff, IT, legal, finance).
Data Capability Assessment
Before external audits, subsidiaries often lack clarity on their maturity. The group conducts internal assessments (DCAM, security capability, data state) using knowledge‑base‑driven AI to automate reviews and provide remediation suggestions, dramatically reducing manual effort.