IDC Names Securiti a Worldwide Leader in Data Privacy
ViewListen to the content
China has been active in putting the final touches on the implementation of its data protection and data security laws in the form of CSL, DSL, and the PIPL. Hence, the Cyberspace Administration of China (CAC) has now released a draft of the Administration of Network Data Security. The Administrative Regulations on Network Data Security Management (Draft Regulation) is open to public comments until the 13th December 2021.
There is no clear timeline on when it comes into effect and when the final draft will be ready. Here are some of the key takeaways to know about the latest draft:
The Draft Regulation will apply to the use of the internet to carry out data processing activities and the supervision and management of network data security within the territory of China. The GDPR, considered a benchmark when it comes to data protection regulations, applies to all companies that deal with data collected within the EU and the UK, regardless of whether the company is based in the EU or the UK. The latest Draft Regulation carries the same provisions with all companies coming under its scope, even if the data processing and collection is done outside China, provided the following conditions are met:
Under the Draft Regulations, data handlers are required to establish a data security emergency response mechanism. If the data handler is a target of a security incident such as a data breach that compromises the collected data of their customers, they must take the proper measures to notify the concerned authorities within 72 hours. Furthermore, if the security incident results in a suspected crime, the police must additionally be notified. The Draft Regulation also provides the notification content details and mediums for notifying the concerned stakeholders.
Lastly, if the security incident compromises the data of more than 100,000 individuals, the municipal division of the CAC must be notified within 8 hours of the breach’s occurrence. A written incident report will also need to be submitted within five working days. he CAC has the discretion to direct that individual notifications do not need to be given if a data handler has successfully contained the incident to avoid harm.
Privacy policy is subject to extensive attention in the new Draft Regulation. Such a level of attention highlights how crucial it will be for companies to maintain a robust and rigorously updated privacy policy. Some important facets that the privacy policy will have to cover include:
Under the Draft Regulation, the data handlers would have to prove that whatever data they’ve collected on their customers or visitors to their site was obtained with proper consent. It is yet to be seen how the Draft Regulation defines “consent” but for now, the burden to prove that all data was procured with consent will remain on the data handlers. The Draft Regulation also provides several conditions where consent is mandatory for the processing of the personal data of individuals.
In case an individual or an entity lodges a request to copy, supplement, restrict, withdraw, or erase their personal data from the company’s position, their request must be entertained within 15 days of the initial request. In case further deliberation is required, the data handler must inform the individual or entity making the request within the same time frame.
If, for any reason whatsoever, the data handlers need to share personal data collection with parties outside China, they must have an annual data export security assessment. This report must have all the relevant information properly documented and reported to the municipal division of the CAC by 31st January of every year.
Furthermore, the Chinese government will also implement a security gateway through which all data being transferred out of China will have to pass.
The Draft Regulation also provides the details of what constitutes “important data” and stricter requirements for its processing. Organisations that process the personal data of more than a million people will be deemed to be subject to the “important data” processing requirements. Data handlers will have to report to the provincial-level CAC within 15 working days of identifying what “important data” they hold.
This is arguably the most important take-away from this draft. Under the Draft Regulation, , companies or Data handlers as they’re referred to, will be required to have a complete cybersecurity audit and review of their practices under these circumstances:
Companies listed in foreign markets will be required to submit annual data security assessments to the provincial-level CAC by the end of January each year.
Muhammad Faisal Sattar is a Certified Information Privacy Professional (Asia) and Certified Information Privacy Manager (CIPM), known for his expertise in global privacy laws, AI governance, and corporate compliance. He is a McCall MacBain Scholar at McGill University. As a privacy lawyer, Faisal provides advisory services related to customized privacy solutions on global privacy developments, AI risk assessments, and privacy assessments.
His interests particularly center on the complex interplay between technology, law, and privacy, with a strong focus on policy matters. His legal expertise and industry experience make him a reliable source for his insights on legal developments in data privacy laws, and privacy assessments.
Get all the latest information, law updates and more delivered to your inbox
September 11, 2023
Securiti has just been recognized as a Leader in the “IDC MarketScape: Worldwide Data Privacy Compliance Software 2023 Vendor Assessment” report. This makes us...
May 10, 2023
Privacy-by-design and privacy-by-default are two cornerstone concepts of data protection regulatory frameworks. Thus, compliance thereof is an essential legal prerequisite for any entity which...
April 5, 2023
Online advertising has permeated every aspect of our digital experiences. From search engine results to social media feeds, advertisements seem to follow us everywhere...
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
Copyright © 2023 Securiti · Sitemap · XML Sitemap
info@securiti.ai
Securiti, Inc.
300 Santana Row
Suite 450
San Jose, CA 95128