Ping An's Data Security Compliance Management Practices and Large‑Model Applications
This article presents Ping An's comprehensive approach to data security compliance, detailing its evolving data management framework, the integration of large‑model AI for classification, risk monitoring, and assessment, and practical insights from a Q&A session on governance and operational challenges.
Ping An shares its practice in data security compliance management, emphasizing the continuity of data governance principles and introducing the concept of "model empowerment" for large‑model applications.
The presentation is organized into three main parts: Ping An's data management value proposition, large‑model‑driven data security compliance scenarios, and a Q&A session.
Data management has evolved through three eras: the information era focused on data quality and regulatory reporting; the asset‑centric era built a data‑asset management system across the group and subsidiaries; the current compliance‑based era establishes a full‑scope data management system that ensures regulatory compliance while enabling efficient data flow.
Key challenges addressed include data responsibility and capability assessment, measurement of data value, and building a scientific, complete compliance system that covers policy planning, system construction, operation, and protection.
The business understanding comprises three layers: a technical platform layer (data‑asset, operation‑monitoring, encryption, and authorization platforms), an enterprise‑empowerment layer (data work implementation, daily monitoring, special inspections), and an external‑regulation layer (coordination with regulators such as the China Banking and Insurance Regulatory Commission and financial bureaus).
For large‑model applications, Ping An adopts a multi‑modal LLM architecture: text extraction and PDF‑to‑image conversion, vector indexing and retrieval, instruction routing to multiple GPTs (including a proprietary Ping An GPT), prompt and job dispatch, and final result assembly for data compliance, asset management, and capability assessment.
The compliance workflow includes policy issuance, compliance checks, reporting to subsidiaries, evaluation, risk detection, and specialized assessments such as PIA. The talk highlights how difficult the laws are to interpret and the resulting need for engineering‑level guidelines.
Data asset management mirrors the subsidiaries' processes—data collection, governance (standard and quality management), inventory (classification and audit), and usage (approval chains, masking, encryption)—with AI‑driven classification and responsibility mapping as core components.
Large‑model‑driven data capability assessment covers DCAM, security capability, and data‑state evaluations, leveraging a knowledge base to automate content review and provide remediation suggestions.
The Q&A section addresses how large models achieve classification and grading, validation methods, risk‑indicator dashboards for management, and balancing data responsibility with usage efficiency through scenario‑driven responsibility assignment.
DataFunSummit
Official account of the DataFun community, dedicated to sharing big data and AI industry summit news and speaker talks, with regular downloadable resource packs.