Blog Post
Getting ahead of China’s data security law
On June 10, 2021, China passed its Data Security Law (DSL), which impacts every business operating in China as well as those working with Chinese businesses and citizens. The law states that handling of personal information (PI) must have a clear and reasonable purpose and should be limited to the "minimum scope necessary to achieve the goals of handling" data.
According to China Briefing, the DSL recently added new and extensive data-processing obligations that have severe penalties such as business suspension, revocation of the business license, fines up to $1.56 million and even potential criminal penalties. Considering the September 1, 2021 implementation date, companies should begin taking the steps necessary to meet DSL compliance now.
What is the Chinese data security law?
The Chinese Data Security Law categorizes data into three categories: national core data (defined as national security, the lifelines of the national economy, important to people's livelihood and to public interest), important data, and general data.
It requires strengthened protection of personally identifiable information (PII) through a multi-level protection scheme, which imposes different levels of security requirements based on the damage that would result in the event of a cybersecurity incident. Among other things, the key provisions of the DSL include tightened restrictions on data transfers outside of China.
For example, data generated by businesses dealing with critical infrastructure must pass a security assessment to transfer data overseas. For the most part, critical data is expected to be stored within Chinese territory according to Article 31 of the DSL.
It’s also important to note that data refers to any record of information in electronic or other forms — for instance, written records of information. Data processing activities regulated by DSL include, without limitation, the collection, storage, use, processing, transmission, provision and disclosure of data.
China’s data privacy law 2021: Getting ahead
Any business or entity that engages in data processing activities need to adhere to the following obligations:
- Establish a data security program, carry out security training, and implement security measures and protocols.
- Designate a data protection officer (DPO) or other responsible data security officer to enforce protocols.
- Implement risk monitoring and have a plan in place in the event of a data breach or security incident.
- Conduct periodic risk assessments when handling “important data” and report these findings to relevant government agencies.
Ensure compliance with Chinese privacy laws today
The DSL is the first of its kind in China and may be especially overwhelming for multinational corporations to adapt to. The best way to begin a compliance journey is finding out exactly where all of your business’ data is stored and processed. Ground Labs’ Enterprise Recon has the ability to scan and detect hundreds of data types across various locations such as the cloud, servers and emails regardless of what country your business operates in.
Interested in learning more about data compliance? Book a call with one of our experts to get started on your DSL compliance journey today.