Compliance Checklist for China’s Data Security Law (DSL)

DSL categorizes data into two main classes: National Core Data and Important Data, and provides stricter requirements for each class. Following are the main considerations for businesses looking to comply with the DSL:

1. Assess the applicability of DSL to your organization:

DSL applies to data processing activities and their security regulations carried out within the territory of China. It also extends its application to data processing activities conducted outside China that harm China’s national security or the public interest, or the legal interests of citizens and organizations in China. Given the definition of “data processing activities” (which includes collection, processing, transmission, storage of data, etc), it may be highly possible that DSL applies to your organization if you are dealing with data transferred from China.

2. Fulfill data collection and purpose limitation requirements:

DSL prescribes that organizations must adopt a legal and legitimate way to collect data, and should not steal or obtain data in other illegal ways. Where other laws and administrative regulations (like PIPL, CSL) contain provisions on the purposes and scope of data collection and use, organizations must collect and use data within the purposes and scope prescribed by these laws and administrative regulations.

3. Conduct data mapping to implement data categorization and data classification:

DSL provides that data categorization and data classification mechanisms will be implemented based on the importance of specific data to China’s national economy, national security, public interest, and possible level of harm to be caused by a data security incident. DSL categorizes data into two main classes: National Core Data, and Important Data. The catalogs of important data will be formulated at the national level and each administrative region and regulatory authorities of different industrial sectors will make specific catalogs of important data in their own regions and sectors.

Organizations subject to DSL will be required to implement this data categorization and classification, therefore it is recommended that you should map and identify internal data and prepare for the data categorization and classification. Organizations should also proactively consult with regulators with respect to sector-specific important data catalogs.

4. Fulfill data security protection obligations:

As per DSL requirements, organizations must adopt technical, organizational, and other data security measures to safeguard important data. Organizations must establish and complete a data security management system. Organizations should also comply with the existing “multi-level protection scheme,” which requires internet network operators to classify their systems in China based on the risks to national security, social order, or economic interests if such systems are damaged or attacked. Based on these requirements, your organization should have a robust data protection management system in place.

5. Have a responsible person and department for data security:

Organizations are required to designate individuals and departments responsible for data security of important data. DSL is yet to define the duties and responsibilities of persons and departments responsible for data security. It is not clear whether the person responsible for network security under the Cybersecurity Law and the person in charge of personal information protection under the PIPL can concurrently oversee the data security under the DSL. DSL also imposes obligations on organizations to deploy data security training.

6. Implement risk monitoring systems, and assess security incidents handlings:

When carrying out data processing activities, organizations shall strengthen their risk monitoring, and immediately adopt remedial measures when data security defects are found. Similar to data incident response obligations under the CSL and PIPL, DSL also requires organizations to have incident contingency planning. Your organization must immediately remediate the incident, promptly notify relevant individuals, and report such data security incidents to the regulatory department(s). Thus, you should have a robust security breach response mechanism in place.

7. Cross border data transfer and data localization requirements:

Under DSL, Critical Information Infrastructure Operators are required to store the important data in the territory of China and cross-border transfer is regulated by the CSL. CIIOs need to conduct a security assessment in accordance with the measures jointly defined by CAC and the relevant departments under the State Council for the cross-border transfer of important data for business necessity. For non Critical Information Infrastructure operators, the important data cross-border transfer will be regulated by the measures announced by the Cyberspace Administration of China (CAC) and other authorities. However, those “measures” have still not yet been released. DSL also intends to establish a data national security review and export control system to restrict the cross-border transmission of data from the perspective of national security. For a detailed understanding of these requirements, please refer to our article.

8. Conduct risk assessment of your data processing activities:

DSL imposes an obligation on all organizations to periodically carry out risk assessments of their data handling activities and practices for the handling of important data. Organizations are also required to send these risk assessments to the relevant regulatory departments.

Such risk assessment reports shall include the categories and quantities of important data processed, how data processing activities are conducted, and the potential data security risks and responding measures

9. Fulfill data trading intermediary services obligations:

If your organization is engaged in data trading intermediary services, you should fulfill the following requirements prescribed under the DSL:

• Explain the source of the data;
• Examine the identity of both parties to the transaction; and
• Keep audit and transaction records when providing services.

Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Request a demo and start your DSL compliance process today.