1. Introduction
Under China's Personal Information Protection Law (PIPL), companies that handle personal information are required to conduct a Personal Information Protection Impact Assessment (PIPIA) for certain types of processing of personal information. PIPIA is quite similar to the Data Protection Impact Assessment (DPIA) under the GDPR. The purpose of PIPIA is to evaluate the potential risks and impacts associated with handling personal information, helping organizations identify and address privacy and data protection concerns.
This article aims to provide guidance by explaining the requirements and scenarios that require a PIPIA in China, thereby helping companies understand their obligations and ensure compliance with the PIPL and other relevant laws that may apply.
2. When to Conduct a PIPIA?
Article 55 of the PIPL stipulates the following scenarios that necessitate a PIPIA:
- Processing sensitive personal information: Organizations or personal information processors processing sensitive personal information are required to conduct a PIPIA. Sensitive personal information refers to information about an individual that, if exposed or used inappropriately, could cause infringement to the individual's dignity or significantly harm their safety or property. Therefore, processing sensitive personal information carries various privacy risks, such as unauthorized personal information breaches, identity theft, discrimination, etc. Conducting PIPIA helps in identifying these risks so that personal information handlers can ensure the effective protection of individuals' personal information processing.
- Utilizing personal Information for automated decision-making: Organizations or personal information processors are required to conduct a PIPIA if they are utilizing personal information for automated decision-making. Automated decision-making may lead to discriminatory treatment of individuals therefore, transparency and fairness are required to be maintained when utilizing personal information. Conducting PIPIA helps keep a record of such processing activity and identifies measures that ensure transparency and non-discriminatory treatment of individuals.
- Entrusting personal information processing to third parties: Third parties are required to comply with some PIPL requirements. Therefore, when an organization entrusts personal information to third parties, it is required to conduct a PIPIA. This will allow it to assess personal information protection measures implemented by third parties, such as encryption, access controls, secure personal information storage practices, etc.
- Transferring personal information overseas: When it comes to transferring personal information across borders, personal information handlers can rely on different methods, such as undergoing CAC-led security assessments, implementing SCCs, and obtaining certification. However, regardless of the method chosen, personal information handlers are still required to conduct a PIPIA. The scope and depth of PIPIA may vary depending on the method chosen for data transfer and the type and volume of personal information being transferred abroad. For a detailed understanding of these data transfer mechanisms and requirements, review our blog.
- Other processing activities having a significant impact on personal rights and interests: This catch-all category encompasses a wide range of processing activities that affect an individual's personal information protection. The PIPL does not explain what ‘significant impact’ means. A non-exhaustive list of such activities could include the following:
- Implementing new extensive personal information collection practices such as utilizing Internet of Things devices to collect personal information on users’ habits and preferences to acquire a comprehensive profile, or
- making significant alterations to existing processing activities such as increasing the volume of personal information being processed.
3. How to Conduct a PIPIA?
Personal information handlers conducting PIPIA to assess the impact of processing on personal information protection, identify privacy risks, and implement effective measures to protect personal information should follow the following steps:
- Clearly outline what personal information processing activities and systems are included in the PIPIA.
- Assess whether the purposes for processing personal information align with legal requirements and are necessary for achieving the organization's objectives.
- Evaluate the potential impact of processing activities on the protection of personal information.
- Conduct an assessment of security risks associated with the processing of personal information.
- Evaluate the effectiveness of existing protective measures implemented to safeguard personal information.
- Document the findings of the PIPIA and keep a record for 3 years.
4. PIPL’s PIPIA Vs GDPR DPIA:
PIPIA and DPIA have the following similarities and differences:
- The GDPR and PIPL both require organizations or personal information processors to assess the risk to individuals’ personal information protection before processing their personal information in certain situations. The triggers for these assessments under GDPR and PIPL are different.
- The GDPR and PIPL both require these assessments to be documented; however, PIPL specifies that PIPIA should be recorded for 3 years.
- The GDPR requires the data controller to consult the supervisory authority before processing in cases where the DPIA indicates that processing would result in high risk in the absence of measures taken by the controller to mitigate the risk. The PIPL does not prescribe any such requirement.
5. How Securiti Can Help
PIPIAs are crucial in implementing personal information privacy and protection within an organization. If you want to understand these assessments better and access templates for them, sign up for the Securiti Assessment Automation demo. Securiti provides detailed question-based guidance, conditional risks along with risk descriptions and recommendations, and readiness scores.
Request a demo to learn more.
