Checklist: Data Security Law Of China
On 10 June 2021, the Data Security Law (the "DSL") was passed in the Standing Committee of the National People's Congress and will take effect on 1 Sep 2021.
China
Privacy
Are you on track for compliance with the Data Security Law of
China?
On 10 June 2021, the Data Security Law (the
"DSL") was passed in the Standing
Committee of the National People's Congress and will take
effect on 1 Sep 2021. The DSL serves as a fundamental legislation
in the field of data security and compliance. Various obligations
are imposed on entities that process any amount of data in and
outside China. There is also expected to be a series of
implementation rules to clarify the relevant obligations in the
future.
How can multinational corporations prepare for compliance at
this stage? We have listed the following the DSL Checklist to help
companies grasp the important points and understand what they are
suggested to do next to adapt to these rules more smoothly.
You also should be aware of the consequences in case of a
violation. The legal liabilities may include warning, correction
order, fine, suspension of business, and revocation of business
license. This Checklist can serve as a quick-reference guide. On
top of this, you are suggested to pay close attention to relevant
updates. And it is highly recommended to ask professional law firms
for help so that you can build reliable company policies and
systems.
The DSL Compliance Checklist is as follows.
Category |
Action(s) / Deliverable(s) |
Article of DSL |
1. Scope of Application and
Extraterritorial Reach |
(1) Application Scope and Extraterritorial
Reach |
- Assess whether your organization is processing any data in
China.
-
- Note: "data"
under the DSL refers to any record of information in electronic or
non-electronic form.
- Note: "data
processing" include activities such
as the collection, storage, use, refinery, transfer, provision, or
public disclosure of the data.
- Assess whether your organization is processing any data outside
China, which may have an impact on the national security, public
interests, or the lawful rights and interests of citizens or
organizations in China.
-
- Note: this clause provides a broad scope of
extraterritorial reach and the DSL does not give typical examples
of such cases. Generally, processing data collected or generated
from business operation in China will be caught by this
clause.
|
2
2
|
2. General Considerations for
Data Processing |
2.1. Data Governance
|
(2) Policy Framework |
- Introduce external facing terms of services, policies,
guidelines, and/or directions ("Policies and
Guidelines") or review your existing Policies and
Guidelines and make amendments to ensure compliance of relevant
requirements under the DSL.
- Introduce internal data security governance model and relevant
operation guidelines or review existing internal Policies and
Guidelines and make adjustments to ensure compliance of relevant
requirements.
- Implement policies on technical measures such as data
encryption, data back-up and access control to ensure
security.
- If your organization is engaging in providing intermediary
services for data transaction, such as a data broker, establish a
policy to check the identity of the data provider and the data
recipient.
|
27
27
27
33
|
(3) Incident Response |
- Establish a response policy for data security incidents.
- Establish a mechanism to deal with notification to users and
authorities about data security incidents.
|
29
29
|
(4) Trainings and Education |
- Provide education and training programs on data security to
employees with a role in data processing, security, or
compliance.
|
27 |
Click here to continue reading . . .
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.