As digital transformation increases worldwide, cybersecurity teams across the globe are shifting their focus and prioritizing secure data procurement and processing practices. As the criticality of data processing (first highlighted in China in the 2016 Cybersecurity Law) is magnified on a global scale, various countries are passing regulations requiring that businesses dedicate resources to securing data processing cross-organizationally. Following in suit of the global trend, The National People’s Congress of the People’s Republic of China (‘NPC’) is taking legal action to protect data processing. Let’s take a deeper look at the impact of the China data security law:
What is the china data security law?
The law, announced on June 10, 2021, takes effect on September 1 of the same year and looks to regulate data processing activities both within China and in businesses operating there. Ultimately, the law places broad expectations around the tracking of valuable data in the interest of the country’s national security. The law highlights the following:
- General data security.
- Protects the legitimate rights and interests of individuals and organizations belonging to and operating within China.
- Introduces additional requirements for the processing of important data.
- Requires the appointment of a person in charge of data security and the conducting of risk assessments.
- Mandates that data processing information be shared with all relevant regulatory departments.
It is expected that specific guidelines on how valuable data is stored, processed, tracked, and reported on locally will follow. Additionally, the NPC is drafting a personal information protection legislation that is expected to be adopted later this year.
How does the new China data security law impact the broader security community?
The law & best practices
The law places further emphasis on best practices widely recognized in the security sphere. Most notably, the law supports the notion that all organizations should have regulatory workflows in place addressing the acquisition and processing of data. This includes keeping a data catalog, and optimizing internal processes to address key points highlighted in the law.
Additionally, companies should be fully enabled to communicate the ways in which they prioritize data protection. This includes having a first-line friendly program, a clear data security management system, and comprehensive training programs in place across all levels of the organization.
Read more on Data Catalogs: OneTrust DataGovernance Announces Data Catalog
The law & cross border data transmission
The law also addresses cross border data transmission handling of any Chinese data (e.g. providing data by China subsidiaries of a foreign company to foreign law enforcement agencies or courts shall be subject to prior approval by competent PRC authorities). This law will also govern any data activities outside of China that are perceived as a direct threat to the country’s national security, security of its companies/citizens, or public interest. This presents a new set of challenges for any companies using an ‘offshore delivery’ model to serve their Chinese customers from abroad.
Tip: use data mapping exercises to pin down potential risk spots within their respective organizations. Try OneTrust’s data mapping tool.
How can OneTrust help?
The OneTrust platform leverages expertise in Vendor Risk Management, Privacy, GRC, and many other categories to deliver an immersive cybersecurity management experience. We enable you to gain visibility into all aspects of your organization’s security structure, allowing you to holistically protect both your customers and data, better preparing you to be in compliance with new regulations like China’s data security law.
Explore OneTrust: Request a demo today.
