IDC Names Securiti a Worldwide Leader in Data PrivacyView
China has been active in putting the final touches on the implementation of its data protection and data security laws in the form of CSL, DSL, and the PIPL. Hence, the Cyberspace Administration of China (CAC) has now released a draft of the Administration of Network Data Security. The Administrative Regulations on Network Data Security Management (Draft Regulation) is open to public comments until the 13th December 2021.
There is no clear timeline on when it comes into effect and when the final draft will be ready. Here are some of the key takeaways to know about the latest draft:
The Draft Regulation will apply to the use of the internet to carry out data processing activities and the supervision and management of network data security within the territory of China. The GDPR, considered a benchmark when it comes to data protection regulations, applies to all companies that deal with data collected within the EU and the UK, regardless of whether the company is based in the EU or the UK. The latest Draft Regulation carries the same provisions with all companies coming under its scope, even if the data processing and collection is done outside China, provided the following conditions are met:
Under the Draft Regulations, data handlers are required to establish a data security emergency response mechanism. If the data handler is a target of a security incident such as a data breach that compromises the collected data of their customers, they must take the proper measures to notify the concerned authorities within 72 hours. Furthermore, if the security incident results in a suspected crime, the police must additionally be notified. The Draft Regulation also provides the notification content details and mediums for notifying the concerned stakeholders.
Lastly, if the security incident compromises the data of more than 100,000 individuals, the municipal division of the CAC must be notified within 8 hours of the breach’s occurrence. A written incident report will also need to be submitted within five working days. he CAC has the discretion to direct that individual notifications do not need to be given if a data handler has successfully contained the incident to avoid harm.
Under the Draft Regulation, the data handlers would have to prove that whatever data they’ve collected on their customers or visitors to their site was obtained with proper consent. It is yet to be seen how the Draft Regulation defines “consent” but for now, the burden to prove that all data was procured with consent will remain on the data handlers. The Draft Regulation also provides several conditions where consent is mandatory for the processing of the personal data of individuals.
In case an individual or an entity lodges a request to copy, supplement, restrict, withdraw, or erase their personal data from the company’s position, their request must be entertained within 15 days of the initial request. In case further deliberation is required, the data handler must inform the individual or entity making the request within the same time frame.
If, for any reason whatsoever, the data handlers need to share personal data collection with parties outside China, they must have an annual data export security assessment. This report must have all the relevant information properly documented and reported to the municipal division of the CAC by 31st January of every year.
Furthermore, the Chinese government will also implement a security gateway through which all data being transferred out of China will have to pass.
The Draft Regulation also provides the details of what constitutes “important data” and stricter requirements for its processing. Organisations that process the personal data of more than a million people will be deemed to be subject to the “important data” processing requirements. Data handlers will have to report to the provincial-level CAC within 15 working days of identifying what “important data” they hold.
This is arguably the most important take-away from this draft. Under the Draft Regulation, , companies or Data handlers as they’re referred to, will be required to have a complete cybersecurity audit and review of their practices under these circumstances:
Companies listed in foreign markets will be required to submit annual data security assessments to the provincial-level CAC by the end of January each year.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
300 Santana Row
San Jose, CA 95128