China has passed its data protection law, the Personal Information Protection Law (PIPL), which takes effect on November 1, 2021. The PIPL is stricter than most other privacy laws in several respects, but it also shares a great deal with the GDPR.

PIPL will have a significant impact on organizations because of its extraterritorial reach, strict compliance requirements, and hefty fines. Many organizations already have privacy policies and privacy management practices in place to comply with the GDPR. However, those existing policies will not fully address the requirements of the PIPL. Organizations should begin reviewing their policies and practices now in preparation for the PIPL taking effect on November 1, 2021, less than two months away. We have compiled a checklist of key requirements under China’s PIPL:

1. Identify whether your organization needs to have a dedicated entity or a representative within the borders of China:

China’s PIPL extends its territorial scope to the processing of personal information conducted outside of China, provided that the purpose of the processing is:

(i)   To provide products or services to individuals in China, or
(ii)  To “analyze” or “assess” the behavior of individuals in China, or
(iii) For other purposes to be specified by laws and regulations.

So if you are an offshore organization that processes the personal information of individuals in China in order to provide them with products or services, or to analyze or assess their behavior, you must establish a dedicated entity or appoint a designated representative in China to handle personal information protection matters, and file the name and contact details of that entity or representative with the competent government authorities.

2. Identify the lawful basis for collection and use of all personal information:

Under the PIPL, organizations may process personal information only on a lawful basis. The PIPL provides seven lawful bases for processing personal information. Map each of your processing activities to one of these bases and document that mapping. Every processing activity must have a clear and reasonable purpose, and the processing must be directly related to that purpose. Note that, unlike the GDPR, “legitimate interest” is not a recognized lawful basis under the PIPL, so any processing that your GDPR records justify on legitimate interest needs a different basis (typically consent) under the PIPL.

3. Provide individuals the right to withdraw their consent to the processing of their personal information:

Where your organization relies on consent as the lawful basis for processing, you must provide a convenient mechanism for individuals to withdraw that consent. Withdrawal does not affect the lawfulness of processing carried out before the consent was withdrawn. You must not refuse to provide products or services to individuals who decline consent, unless the personal information is necessary for the provision of that product or service.

4. Provide privacy notices to individuals before the processing activities:

PIPL requires organizations to provide a privacy notice to individuals, in clear and easily understood language, before processing their personal information. Your privacy notice should include the following information:

  • The name and contact details of the personal information handler (the data controller);
  • The purpose of personal information processing and the processing methods, the categories of processed personal information, and the retention period;
  • Methods and procedures for individuals to exercise the rights provided in the PIPL;
  • Other items that laws or administrative regulations provide shall be notified.

If your organization notifies individuals by means of published personal information processing rules, those rules must be made public and be convenient to read and store.

5. Have a mechanism for fulfilling data subject requests:

PIPL grants individuals several data subject rights (e.g., access, copy, rectification, restriction, deletion, and an explanation of the processing rules), and requires organizations to establish a convenient mechanism for receiving and handling requests to exercise those rights. Your organization should therefore have a reliable (ideally automated) process for receiving requests, verifying the identity of the requester, and fulfilling the request, with a record of each request and its outcome.

6. Have a security breach response and notification mechanism in place:

PIPL requires that in the event of a personal information security breach (leak, tampering, or loss), organizations immediately take remedial measures and notify the relevant authorities and affected individuals. Where the organization can take measures that effectively avoid harm from the breach, it may forgo notifying individuals, unless the authority requires that notification. Your breach response plan should therefore define how incidents are detected and contained, who decides whether individual notification is required, and how notifications are produced, and the plan and its supporting tools should be exercised before they are needed.

7. Assess the need to conduct a Personal Information Impact Assessment:

Your organization must conduct a Personal Information Impact Assessment if you are conducting processing in one of the following scenarios:

  • Processing sensitive personal information; or
  • Using personal information to conduct automated decision-making; or
  • Entrusting personal information processing, or providing personal information to other data controllers, or disclosing personal information; or
  • Providing personal information abroad; or
  • Other personal information processing activities with a major impact on individuals.

8. Implement data classifications and management mechanisms:

Under the PIPL, organizations are required to establish internal management structures and operating rules and to implement classified management of personal information. This requirement aligns with the data classification obligations under China’s Data Security Law. Your organization should therefore have data classification and management mechanisms in place that distinguish, at a minimum, sensitive personal information (which requires separate consent and stricter handling) from the other categories of personal information you process.

9. Fulfill cross border data transfer obligations:

If your organization transfers personal information out of China, you must comply with these strict requirements. You must notify individuals of the details of the transfer (the overseas recipient’s name and contact details, the purpose and method of processing, the categories of personal information, and how individuals can exercise their rights against the recipient) and obtain their separate consent for the transfer. You must also meet one of the following conditions:

  1. Pass a security assessment organized by the State cybersecurity and informatization department (required for operators of Critical Information Infrastructure and for organizations whose processing volume reaches the threshold set by that department);
  2. Obtain a personal information protection certification from a specialized body, in accordance with provisions of the State cybersecurity and informatization department;
  3. Conclude a contract with the overseas recipient based on the standard contract formulated by the State cybersecurity and informatization department, setting out the rights and obligations of both sides;
  4. Meet other conditions provided in laws, administrative regulations, or by the State cybersecurity and informatization department.

If you are a critical information infrastructure operator, or your processing volume reaches the threshold set by the State cybersecurity and informatization department, you must also meet the PIPL’s data localization requirement: personal information collected or generated in China must be stored in China, and may be transferred abroad only after passing the security assessment in condition 1 above.

10. Conclude data processing agreements with third parties processors:

If you engage third parties (entrusted processors) for your processing activities, you must conclude an agreement with them covering the purpose of processing, the time limit, the processing method, the categories of personal information, the protection measures, and the rights and duties of both sides, and you must supervise their processing activities. The third party may not process beyond the agreed purpose and method, may not subcontract the processing without your consent, and must return or delete the personal information once the agreement ends or is terminated.

Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Request a demo and start your PIPL compliance process today.
