China’s Personal Information Protection Law (PIPL) has been a hot issue in China since the first draft was submitted in 2020. While lawyers and analysts predicted the law’s enactment only during 2022, the Chinese government has expedited the law’s passing, so much so that the official enactment date is just around the corner. So, mark your calendars for November 1st and keep reading the new law’s basic yet essential key details and implications.
Managing operations in China? Check out our China business support services
Here’s what you should know
The PIPL is, in many ways, very similar to the GDPR. So, it shouldn’t come as a surprise or make your life too complicated. But there are a few important things to note:
- Information can be collected by either electronic or physical means.
- Follow the simple guideline of asking for consent; make sure you explain what the information you are asking for will be used for and how. Try to collect only the required information for your business needs, and store it for the shortest time possible.
- It is the company’s responsibility to ensure that all personal data handling processes are well secured and consistently monitored.
- Cross-border data transfer will be regulated under the new law. This means that if you need to transfer information of Chinese individuals outside of China, you will need to pass a security assessment and make sure you comply with other requirements.
- The law leaves room for provinces’ local governments to draft more specific regulations. We recommend that you check in with the local government where your business is registered to confirm the local compliance requirements. By all means, we highly advise connecting with experienced service providers, who will double-check your activities.
Read more about operational audits in China
3 simple steps to ensure compliance
First, start with conducting a data mapping procedure: review all your company’s data-related processes and make sure you understand how you collect data, where you store it, for what purposes and whose access to the data is allowed.
Consult with an expert to ensure you are not missing any blind spots and are fully aware of the implications of the PIPL and the DSL (Data Security Law) on your operation.
Run a security audit and make sure all your internal processes are secured. We also recommend that you appoint a person in charge of these processes. Another recommendation is to start educating others in your company about their responsibilities.
To sum up, recently China has promoted several new laws as part of its data protection framework, so the compliance requirements change frequently. Check in with us to ensure you’re on the right track.
Reference:
- The full law text (Chinese)
- Translation by Stanford’s University DigiChina
