China’s New Rules for Personal Information Protection Certification: All You Need To Know

The Cyberspace Administration of China (CAC) and the State Administration of Market Regulation (SAMR) announced, on November 18, 2022, a new authentication certification rule (“Rules”) related to implementing personal information protection.

The new certification is meant to ensure that all organizations processing users' data have the appropriate mechanisms in place to protect the data they collect, store, use, process, disclose, delete, and transfer outside Chinese borders.

The new rules will come into effect immediately, requiring all subject organizations (referred to as personal information processors) to comply.

Read on to learn all you need to know about the scope of the certification, the procedure to get the certification, and other relevant details:

Scope of the New Rules

Primarily, the personal information processors must comply with the requirements of the Personal Information Security Specification (GB/T 35273 Specification). Those personal information processors that engage in cross-border processing activities must also fulfill the requirements for TC260-PG-20222A Security Certification Specification (“Certification Guidelines”) in addition to the GB/T 35273 Specification.

Certification & Authentication Procedure

The authentication process of the personal information protection certification is divided into three parts, i.e., technical verification, on-site audit, and post-certification supervision.

Certification

The certification authority will clarify the requirements for certification entrustment materials, including basic information about the client, a power of attorney, and any other relevant documents. Once the certification client (i.e., the organization seeking the certification) submits these materials, the certification authority will review them and provide feedback on their acceptability in a timely manner.

The certification authority will then develop a certification plan based on the materials submitted, outlining the details of the certification process. This plan will include the type and quantity of personal information involved, the scope of the certified activities, and any technical verification institutions involved in the process. The certification client will then be notified of this plan.

Technical Verification & On-site Audits

The certification authority will conduct the technical verification and on-site review per the certification plan and forward the reports to the certification institution and certification client. The evaluation reports of the first two parts, along with other relevant materials, are evaluated. If the certification requirements are met, the certification body will issue the authentication certificate. If the requirements are not met, then the certification client will be asked to rectify the shortcomings within a specified time limit, and failure to do so will result in the certification authority denying the personal information processor’s request for the authentication certificate.

If at any time it is found that the personal information processor lied, concealed information, or intentionally violated authentication certification requirements, their request for the certification can be denied.

Post Certification

The final part of the authentication process is the post-certification period. It is by no means any less important. In fact, it may very well be the most critical one. The certification bodies must implement strict post-certification supervision to ensure the personal information processor continues to meet the certification requirements.

This can be done via regular comprehensive evaluation of the personal information processor post-certification. The personal information processor can maintain its certification if its practices are compliant. If they fail this evaluation, their certification can be suspended until they remedy any lapses.

Other Certification Details

In any case, the certification is valid for three years. A personal information processor may submit a request for authentication renewal within six months before the certification expires. The certification bodies will conduct similar post-certification supervision to evaluate if their practices comply with the certification needs before issuing a new certification.

Within these three years, if the personal information processor's name, registered address, certification requirements, and certification scope change, the personal information processor must submit a change of entrustment to the certification authority. The change entrustment will be evaluated based on the nature of the change and determine whether the change entrustment can be approved or not.

If the personal information processor no longer meets the authentication requirements, their certification will be suspended for the time being until it is revoked. The personal information processor may also apply for cancellation or suspension of their certification if they plan to cease their data processing activities that had subjected them to the certification requirements.

The certification authority is then required to appropriately publish its final decision on the matter with relevant information such as the issuance, change, suspension, cancellation, and revocation of certification.

The Rules stipulate specific certification marks to be used by personal information processors who do not engage in cross-border processing activities and those personal information processors that do. Organizations are obligated to ensure that they correctly use the authentication certificate and certification marks in advertising and other publicity within the certificate's validity period and must not deceive the public.

How Can Securiti Help

China represents a significant market for businesses globally. However, like all major markets, China has significant data requirements for its businesses. It may just have the strictest such requirements in the world since there are three data-related regulations in effect in the country. The Personal Information Protection Law (PIPL), Cybersecurity Law (CSL), and Data Security Law (DSL) all serve different purposes but with the ultimate aim of adequately protecting the data of the Chinese state and its citizens.

Automation is the only tangible way for organizations hoping to comply with these regulations, as manually attempting compliance would be a particularly messy affair, not to mention highly inefficient.

Securiti, a leader in providing data governance and compliance solutions, can greatly help.

Owing to its plethora of privacy and security solutions ranging from cookie management and DSR automation to data mapping and breach management, Securiti can help your organization automate its compliance with any major data regulation worldwide.

Request a demo today and learn more about how Securiti can help your organization comply with the data privacy regulation in China and anywhere else.