'Most Innovative Startup 2020' by RSA - Watch the videoLearn More
Published on September 13, 2021 AUTHOR - Privacy Research Team
The Personal Information Protection Law (the “PIPL”) is China’s primary data protection law which is said to be at par with regulations such as the CCPA and GDPR. This law is designed to protect the privacy rights of individuals living in China. The PIPL is set to go into effect on November 1, 2021. The PIPL prescribes various obligations for data controllers and data processors, restrictions on cross-border transfer, lawful basis of processing and hefty fines. These requirements will have a significant effect on employment context processing, multinational companies’ HR activities, including recruitment, performance monitoring, cross-border transfers etc. If an offshore employer processes the personal data of Chinese residents (employees) for the purpose of analyzing and assessing their behavior and for another purpose specified under other Chinese regulations, then the employer is required to fulfill the PIPL obligations.
This article provides a guide for the Human Resource Management Team (HRM Team) of an organization aiming to comply with the PIPL. Following are the key obligations under the PIPL that an HRM Team must consider while handling personal data of job applicants and current and former employees.
Article 13 of the PIPL provides that employers should not process the personal data of job applicants, current employees or former employees without having a lawful basis of processing. Following are the basis that an employer can rely on to process the data of prospective, current and former employees:
Securiti’s Data Mapping Solution enables organizations to conduct effective and automated data mapping that can help organizations identify the correct legal basis and ensure lawful data processing.
There are certain circumstances in which employers need to rely on specific consent as a lawful basis for processing employees' personal data. These circumstances are:
Please note that consent should be voluntary and clear. If there are material changes to the purpose or manner of processing or the type of processed information, the employer would need to obtain the employee’s consent again. Furthermore, employers should ensure that they process the personal information of employees for a proper purpose and in a reasonable manner. The employer must ensure complete compliance with all of the Personal Information Processing Principles when it comes to handling employees’ personal information.
Securiti offers a consent management solution to simplify compliance. This solution will let organizations obtain and keep track of the consent while maintaining comprehensive reports.
The PIPL requires employers to give employees an individual privacy notice before any data is “handled”. This notice needs to have the identity and contact of the employer, the purpose and of data handling, the categories of handled personal information, the retention period of the data with the employer, and procedures to exercise rights under the PIPL. These privacy notices should be provided in a clear and comprehensible manner.This would include employers’ obligation to notify its employees of the existence of any monitoring activity (or any surveillance if carried out), the purposes for which the personal data is to be processed for and any other information necessary to guarantee fair processing.
These privacy notices should be provided in a clear and comprehensible manner.
Securiti helps revamp your privacy notice and simplify the creation process. This module can help you manage your privacy notices and keep them in line with the requirements set by privacy regulations.
The PIPL does not clearly state exactly how long the employer is allowed to retain an employee's personal information after they have left the organization. It is often advised that the personal information be erased 3 years after the employee’s employment has been terminated.
Article 38, 39 and 40 of the PIPL state that an employer needs to obtain freely given consent before transferring this data. Employers must also provide notices to employees explaining the details of the transfer. The notice should include the following:
Failure to do so will be in breach of this provision which will result in fines and penalties.
After the consent is obtained, the organization is required to fulfill other cross border data transfer requirements. Employers should also conduct an assessment on the destination country to ensure that proper legislations are in place to protect an individual's data.
Securiti offers an all-encompassing and comprehensive Schrems-II solution to enable companies to conduct effective cross-border data transfer risk assessments, identify and review data transfers from the EU and remediate discovered vendor risks.
When we look at third-party transfers, the only obligation towards the employer is to gain written consent from the employee before transferring their data.If an employer engages a third party (e.g., human resources service providers) to process an employee’s personal information, the employer should carry out risk assessment in advance. The employer should also supervise the third party’s processing of such information.
For example, if an employer is outsourcing payroll services, it should obtain consent from its employees for the transfer of their personal data.
Securiti’s Vendor Management Solution allows organizations to assess their vendors based on a predefined risk score and also offers a centralized process to assess how compliant the third-party vendors are with the PIPL.
In the event of a data breach, the PIPL requires employers to take “immediate” remediation actions and notify the relevant agency and affected employees.
Securiti’s Data Breach Management Solution swiftly identifies compromised data and impacted data subjects in a security incident. It utilizes built-in privacy research to help organizations deliver breach notifications within hours of a security incident.
Under the PIPL, there are certain security requirements that employers must abide by in order to stay compliant. These requirements are as follows:
Under the PIPL, employees are given the following rights:
Employers are required to fulfill the DSR requests of their employees in a timely manner.
Securiti offers the DSR Automation Solution to help organizations honor all rights and simplify the process of exercising these rights. This process turns manual work into an automated system that will help enterprises swiftly process data subject requests and enable coordination between stakeholders for reviews and approvals.
Non-compliance with the law can result in various fines and penalties. In case of non-compliance, the departments fulfilling data protection duties may order the organization a correction, confiscate unlawful income, or issue a warning. The PIPL prescribes the following penalties for violations and non-compliance:
In order to achieve compliance, HR management needs to honor the aforementioned obligations. This can be done in the following ways:
Manual methods come with a flurry of obstacles such as high costs and the risk of human error. In this day and age, organizations need to incorporate the help of automation to ensure compliance with privacy regulations such as China’s PIPL.
Securiti’s Sensitive Data Intelligence Solution enables organizations to discover, analyze, and protect large datasets. It offers organizations a 360-degree solution to all their compliance needs. Watch a demo of Securiti’s Sensitive Data Intelligence solution and start your journey to PIPL compliance.
With data growing rapidly and employee obligations getting more strict, organizations need to start optimizing their data and consent management systems. The most important obligation under China's PIPL is the need to obtain freely given consent and with data being collected at such large volumes, it becomes virtually impossible for this to be done through manual methods. Organizations need to start considering the adoption of automated processes to keep them compliant with China’s PIPL as well as privacy regulations around the world.
See how Securiti can help you get automated. Request a demo today.
See how easy it is to manage privacy compliance with robotic automation.