Foreign companies operating in China, even those without a physical presence in the country, must understand the mandatory classification requirements under the Data Security Law (DSL). The latest Draft Standard on Information Security Technology Network Data Classification and Grading Requirements (the Draft) clarifies, by industry and sector, the methods and principles that should be applied.
The DSL, effective since September 2021, regulates data processing activities by organizations and individuals in China, and also activities conducted outside China that harm the country’s national security or public interest, or the legal interests of Chinese citizens and organizations.
The DSL therefore has extensive, extra-territorial application. It imposes several obligations on organizations and individuals, including those not based in China, regarding data categorization and classification, data risk controls and risk assessments, cross-border data transfers, and data export controls.
The DSL applies to data recorded in electronic and other forms, including digital and network information as well as non-electronic forms such as paper records. Data processing activities regulated by the DSL include, without limitation, the collection, storage, use, processing, transmission, provision, or disclosure of data.
Under DSL, data classification and grading are mandatory.
When classifying data, institutions should consider the industry their data belongs to and the business attributes of the data (scope or type of business, target objects, data subjects, data usage, data management, data sources, etc.).
Relevant rules and standards may vary between categories. Some data may fall under multiple categories, in which case the company should ensure that the requirements of every applicable category are met.
There are three main categories of data under DSL, which align with the latest draft: core, important and general data.
Core data is data whose leakage, tampering, damage, or illegal access, use or sharing may directly harm political security, key areas of national security, the national economy, citizens’ livelihoods, and major public interests.
Important data is data whose leakage, tampering, damage, or illegal access, use or sharing will directly harm national security, economic operation, social stability, public health, and safety.
General data is data whose leakage, tampering, damage, or illegal access, use or sharing would only affect the legitimate rights and interests of a small group of organizations or individuals.
This structure must be respected when grading data. Institutions should evaluate the potential harm to national security, business operations, social stability, public interests, and the rights and interests of organizations and individuals, taking into consideration the data’s domain, population, region, importance, and security risks, as well as its accuracy, scale, and coverage.
The Draft lists the requirements for companies to conduct internal data classification and grading, and encourages regulators to formulate detailed guidance to implement the document within their respective jurisdictions, as well as publish core data and important data catalogues.
The Draft introduces a new concept of dynamic update and management of data, whereby organizations must keep their data classification and grading up to date even after an initial classification has been completed.
Common update situations include: changes to the data content; material changes to the data’s timeliness, scale, application, or processing methods; merger of multiple raw data sets; merger of selected parts of different data sets; convergence and fusion of different types of data; de-identification, pseudonymization, or anonymization of data; a change in data sensitivity after a data incident; a request from government or industry authorities; or other circumstances where a change to the data security level is required.
Institutions should build a data management framework to identify and understand the data they collect. A data mapping exercise covering all data collected, the processing activities performed on it, and the parties involved helps with both classification and grading.
It is crucial to maintain good record keeping practices when dealing with new data.
Recent cross-border data transfer requirements introduced under the Personal Information Protection Law (PIPL) may motivate companies to conduct wider data mapping, covering not only personal data but also the non-personal data addressed by this Draft.
Another important step is to create a data management framework to classify data into groups and assess data sets against their potential impact.
Companies should regularly monitor the data they collect, process, and transfer for changes in its importance and potential impact.
The DSL requires organizations to adopt technical, organizational, and other data security measures to safeguard the protected data categories, and to establish a complete data security management system.
The DSL states that organizations must deploy data security training and designate individuals and departments responsible for data security.
Violations of the regulations could result in fines, suspension of business, and revocation of business licenses.
Woodburn Accountants & Advisors is one of China’s most trusted business setup advisory firms.
Woodburn Accountants & Advisors specializes in inbound investment to China and Hong Kong. We focus on eliminating the complexities of corporate services and compliance administration. We help clients with services ranging from trademark registration and company incorporation to fully outsourced accounting, tax, and human resource services. Our advisory services can be tailor-made to each company’s objectives, goals and needs, which vary depending on the stage of its journey.