China:
Checklist: Data Security Law Of China
01 September 2021
Dentons
Are you on track for compliance with the Data Security Law of
China?
On 10 June 2021, the Data Security Law (the "DSL") was passed by the Standing Committee of the National People's Congress and will take effect on 1 Sep 2021. The DSL serves as fundamental legislation in the field of data security and compliance. Various obligations are imposed on entities that process any amount of data in and outside China. A series of implementation rules is also expected in the future to clarify the relevant obligations.
How can multinational corporations prepare for compliance at this stage? We have prepared the following DSL Checklist to help companies grasp the important points and understand what they are advised to do next to adapt to these rules more smoothly.
You should also be aware of the consequences of a violation. The legal liabilities may include a warning, a correction order, a fine, suspension of business, and revocation of the business license. This Checklist can serve as a quick-reference guide. In addition, you are advised to pay close attention to relevant updates, and it is highly recommended that you ask professional law firms for help so that you can build reliable company policies and systems.
The DSL Compliance Checklist is as follows.
| Category | Action(s) / Deliverable(s) | Article of DSL |
| --- | --- | --- |
| 1. Scope of Application and Extraterritorial Reach | | |
| (1) Application Scope and Extraterritorial Reach | Assess whether your organization is processing any data in China. Note: "data" under the DSL refers to any record of information in electronic or non-electronic form. Note: "data processing" includes activities such as the collection, storage, use, refining, transfer, provision, or public disclosure of the data. | 2 |
| | Assess whether your organization is processing any data outside China, which may have an impact on the national security, public interests, or the lawful rights and interests of citizens or organizations in China. Note: this clause provides a broad scope of extraterritorial reach and the DSL does not give typical examples of such cases. Generally, processing data collected or generated from business operations in China will be caught by this clause. | 2 |
| 2. General Considerations for Data Processing | | |
| 2.1. Data Governance | | |
| (2) Policy Framework | Introduce external-facing terms of service, policies, guidelines, and/or directions ("Policies and Guidelines"), or review your existing Policies and Guidelines and make amendments to ensure compliance with the relevant requirements under the DSL. | 27 |
| | Introduce an internal data security governance model and relevant operation guidelines, or review existing internal Policies and Guidelines and make adjustments to ensure compliance with the relevant requirements. | 27 |
| | Implement policies on technical measures such as data encryption, data back-up and access control to ensure security. | 27 |
| | If your organization provides intermediary services for data transactions, such as a data broker, establish a policy to check the identity of the data provider and the data recipient. | 33 |
| (3) Incident Response | Establish a response policy for data security incidents. | 29 |
| | Establish a mechanism to deal with notification to users and authorities about data security incidents. | 29 |
| (4) Training and Education | Provide education and training programs on data security to employees with a role in data processing, security, or compliance. | 27 |
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.