Foreign companies operating in China, even those without a physical presence in the country, must understand the mandatory classification requirements under the Data Security Law (DSL). The latest Draft Standard on Information Security Technology Network Data Classification and Grading Requirements (Draft) clarifies, by industry and sector, the methods and principles that should be applied.
The DSL, effective since September 2021, regulates data processing activities by organizations and individuals in China, and also activities conducted outside China that harm the country's national security or public interest, or the legal interests of Chinese citizens and organizations.
The DSL therefore has extensive extra-territorial application. It imposes obligations on organizations and individuals, including those not based in China, regarding data categorization and classification, data risk controls and risk assessments, cross-border data transfers, and data export controls.
The DSL applies to data recorded in electronic and other forms, including digital and cyber information as well as paper records. Data processing activities regulated by the DSL include, without limitation, the collection, storage, use, processing, transmission, provision, and disclosure of data.
Under the DSL, data classification and grading are mandatory.
When classifying data, institutions should consider the industry to which their data belongs and the business attributes of the data (scope or type of business, target objects, data subjects, data usage, data management, data sources, etc.).
Relevant rules and standards may vary between categories. Some data may fall under multiple categories, in which case the company should verify that the compliance obligations of each applicable category are met.
There are three main categories of data under the DSL, which align with the latest draft: core, important, and general data.
Core data is data whose leakage, tampering, damage, illegal access, illegal use, or illegal sharing may directly harm political security, key areas of national security, the national economy, citizens' livelihoods, and major public interests.
Important data is data whose leakage, tampering, damage, illegal access, illegal use, or illegal sharing will directly harm national security, economic operation, social stability, public health, and safety.
General data is data whose leakage, tampering, damage, illegal access, illegal use, or illegal sharing would only affect the legitimate rights and interests of a small group of organizations or individuals.
This structure must be respected when grading data. Institutions should evaluate the potential harm to national security, business operations, social stability, public interests, and the rights and interests of organizations and individuals, taking into consideration the data's domain, population, region, importance and security risks, as well as its accuracy, scale, and coverage.
The Draft lists the requirements for companies to conduct internal data classification and grading, and encourages regulators to formulate detailed guidance to implement the document within their respective jurisdictions, as well as publish core data and important data catalogues.
The Draft introduces the new concept of dynamic update and management of data, whereby organizations must keep data classification and grading up to date even after an initial classification has been completed.
Common update situations may include: changes to the data content; material changes to the data's timeliness, scale, application, or processing methods; merger of multiple raw data sets; merger of selected parts of different data; convergence and fusion of different types of data; de-identification, pseudonymization, or anonymization of data; a change in data sensitivity after a data incident; a request from government or industry authorities; or other circumstances where modification of the data security level is required.
Institutions should build a data management framework to identify and understand the data they collect. A data mapping process covering all data collected, the processing activities, and the parties involved helps facilitate the classification and grading of data.
It is crucial to maintain good record keeping practices when dealing with new data.
The cross-border data transfer requirements recently introduced under the Personal Information Protection Law (PIPL) may motivate companies to conduct wider data mapping covering not only personal data, but also non-personal data under this Draft.
Another important step is to create a data management framework that classifies data into groups and assesses data sets against their potential impact.
Companies should frequently monitor the data they collect, process, and transfer for any changes to its importance and impact.
The DSL requires organizations to adopt technical, organizational, and other data security measures to safeguard the protected data categories. Organizations must establish and maintain a complete data security management system.
The DSL states that organizations must deploy data security training and designate individuals and departments responsible for data security.
Violations of the regulations could result in fines, suspension of business, and revocation of business licenses.
To learn more about our services in China, contact our Head of Business Advisory - Ms. Kristina Koehler-Coluccia at email@example.com.
DISCLAIMER: All information in this article is verified to the best of our ability and is assumed to be correct at time of release; however, Woodburn Accountants & Advisors does not accept responsibility for any losses arising from reliance on the information provided within. The information provided is for general guidance and does not replace specialized advice.