Published on September 7, 2021 AUTHOR - Privacy Research Team
China has passed its data protection law, the Personal Information Protection Law (PIPL), which takes effect on November 1, 2021. The PIPL is stricter than most other privacy laws, but it does share several similarities with the GDPR.
The PIPL will have a significant impact on organizations because of its extraterritorial application, strict compliance requirements, and hefty fines. Most organizations already have privacy policies and privacy management practices in place to ensure compliance with the GDPR. However, these existing policies will not fully address the compliance requirements of the PIPL. Organizations should begin reviewing their policies and practices now in preparation for complying with the PIPL (which takes effect on November 1, 2021, less than two months away). We have compiled a checklist of the key requirements under China’s PIPL:
China’s PIPL extends its territorial scope to the processing of personal information conducted outside of China, provided that the purpose of the processing is:
(i) To provide products or services to individuals in China, or
(ii) To “analyze” or “assess” the behavior of individuals in China, or
(iii) For other purposes to be specified by laws and regulations.
So if you are an offshore organization that processes the personal information of individuals in China for the purpose of providing products or services to them, or for analyzing or assessing their behavior, you must establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes, and file the details of that entity or representative with the competent government authorities.
Under the PIPL, organizations may process personal information only on a lawful basis. The PIPL provides seven lawful bases for the processing of personal information. Please find these lawful bases here and ensure that your organization relies on one of them for each of its processing activities. Your organization’s processing activities must have a clear and reasonable purpose, and the processing must be directly related to that purpose. Please note that, unlike the GDPR, “legitimate interest” is not a recognized lawful basis under the PIPL.
Where your organization relies on consent as a lawful basis of processing, you must provide a convenient mechanism for individuals to withdraw their consent. You should not refuse to provide services to individuals who don’t agree to have their data processed, unless that data is necessary for the provision of that product or service.
The PIPL requires organizations to provide an explicit privacy notice to individuals, in clear and easily understood language, before processing their personal information. Your privacy notice should include the following information:
If your organization notifies individuals by publishing personal information processing rules, those rules must be made public and be convenient to read and store.
The PIPL grants individuals several data subject rights (e.g., access, rectification, limitation, deletion) and mandates that organizations establish convenient mechanisms to accept and process requests from individuals exercising those rights. Your organization should therefore have an automated data subject request mechanism in place.
The PIPL requires that, in the event of a security breach, organizations take “immediate” remediation actions and notify the relevant agencies and the affected individuals. You should have a clear security breach response plan and supporting tools in place to meet these breach notification requirements.
Your organization must conduct a Personal Information Impact Assessment if you are conducting processing in one of the following scenarios:
Under the PIPL, organizations are required to formulate internal management structures and operating rules, and to implement data classification and management mechanisms. This requirement aligns with the new data classification obligations under China’s Data Security Law. Your organization should therefore have data classification and management mechanisms in place that reflect the categories of personal information you process.
If your organization is involved in cross-border transfers of personal information out of China, you must comply with the following strict requirements. You must provide notices to individuals explaining the details of the transfer and obtain their separate, specific consent for the transfer of their personal information. You must also meet one of the following conditions:
If you process a large volume of personal information or categorize yourself as a critical information infrastructure operator, then you must fulfill the data localization requirements of the PIPL.
If you engage third parties for your processing activities, you must conclude an agreement with each third party covering the purpose of the processing, the time limit, the processing method, the categories of personal information involved, the protection measures, and the rights and duties of both sides, and you must supervise the third party’s personal information processing activities.
Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Request a demo and start your PIPL compliance process today.