Are you on track for compliance with the Data Security Law of China?

On 10 June 2021, the Data Security Law (the "DSL") was passed by the Standing Committee of the National People's Congress; it takes effect on 1 September 2021. The DSL is the fundamental legislation in the field of data security and compliance in China. It imposes obligations on entities that process data, in any amount, both inside and outside China. A series of implementing rules clarifying these obligations is expected to follow.

How can multinational corporations prepare for compliance at this stage? We have prepared the following DSL Checklist to help companies grasp the key points and understand the steps they should take next so that they can adapt to these rules more smoothly.

You should also be aware of the consequences of a violation. Legal liability may include a warning, a correction order, a fine, suspension of business, and revocation of the business license. This Checklist can serve as a quick-reference guide. Beyond it, you are advised to pay close attention to relevant updates, and it is highly recommended that you engage a professional law firm to help you build reliable company policies and systems.

The DSL Compliance Checklist is as follows.

Category / Action(s) or Deliverable(s) / Article of DSL (the relevant article is given in brackets after each action)

1. Scope of Application and Extraterritorial Reach
(1) Application Scope and Extraterritorial Reach
  • Assess whether your organization is processing any data in China. (DSL Article 2)
    • Note: "data" under the DSL refers to any record of information in electronic or non-electronic form.
    • Note: "data processing" includes activities such as the collection, storage, use, processing, transfer, provision, or public disclosure of data.
  • Assess whether your organization is processing any data outside China in a way that may harm the national security or public interests of China, or the lawful rights and interests of Chinese citizens or organizations. (DSL Article 2)
    • Note: this clause provides a broad extraterritorial reach, and the DSL gives no typical examples of such cases. Generally, processing data collected or generated from business operations in China will be caught by this clause.

2. General Considerations for Data Processing
2.1. Data Governance
(2) Policy Framework
  • Introduce external-facing terms of service, policies, guidelines, and/or directions ("Policies and Guidelines"), or review your existing Policies and Guidelines and amend them to ensure compliance with the relevant requirements under the DSL. (DSL Article 27)
  • Introduce an internal data security governance model and the related operating guidelines, or review your existing internal Policies and Guidelines and adjust them to ensure compliance with the relevant requirements. (DSL Article 27)
  • Implement policies on technical measures such as data encryption, data backup and access control to ensure data security. (DSL Article 27)
  • If your organization provides intermediary services for data transactions, for example as a data broker, establish a policy to verify the identity of the data provider and the data recipient. (DSL Article 33)

(3) Incident Response
  • Establish a response policy for data security incidents. (DSL Article 29)
  • Establish a mechanism for notifying users and the competent authorities of data security incidents. (DSL Article 29)

(4) Training and Education
  • Provide education and training programs on data security to employees with a role in data processing, security, or compliance. (DSL Article 27)



The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.