By Stephen Cavey | 8 October 2021
On June 10, 2021, China passed its Data Security Law (DSL), which impacts every business operating in China as well as those working with Chinese businesses and citizens. The law states that handling of personal information (PI) must have a clear and reasonable purpose and should be limited to the “minimum scope necessary to achieve the goals of handling” data.
According to China Briefing, the DSL recently added new and extensive data-processing obligations that carry severe penalties such as business suspension, revocation of the business license, fines up to $1.56 million and even potential criminal penalties. Considering the September 1, 2021 implementation date, companies should begin taking the steps necessary to meet DSL compliance now.
The Chinese Data Security Law sorts data into three categories: national core data (defined as data related to national security, the lifelines of the national economy, and matters important to people’s livelihood and to public interest), important data, and general data.
It requires strengthened protection of personally identifiable information (PII) through a multi-level protection scheme, which imposes different levels of security requirements based on the damage that would result in the event of a cybersecurity incident. Among other things, the key provisions of the DSL include tightened restrictions on data transfers outside of China.
For example, businesses dealing with critical infrastructure must pass a security assessment before transferring the data they generate overseas. For the most part, critical data is expected to be stored within Chinese territory according to Article 31 of the DSL.
It’s also important to note that data refers to any record of information in electronic or other forms — for instance, written records of information. Data processing activities regulated by the DSL include, without limitation, the collection, storage, use, processing, transmission, provision and disclosure of data.
Any business or entity that engages in data processing activities needs to adhere to the following obligations:
The DSL is the first of its kind in China and may be especially overwhelming for multinational corporations to adapt to. The best way to begin a compliance journey is finding out exactly where all of your business’ data is stored and processed. Ground Labs’ Enterprise Recon has the ability to scan and detect hundreds of data types across various locations such as the cloud, servers and emails regardless of what country your business operates in.
Interested in learning more about data compliance? Book a demo with one of our experts to get started on your DSL compliance journey today.