Understanding and Complying With China's Data Security Law and Personal Information Protection Law

Background

Trading in China, the world’s second largest economy, has become a given for any multinational business. However, changes to the Chinese Data Security standards in 2021 took many European, US and UK businesses by surprise: not least the potential need to store and process all data within China, a change that could demand a complete IT overhaul.

With multi-million dollar fines, corporate and personal liability and a risk of being unable to trade, it is essential that companies get to grips with the new data security requirements – fast.

But what are the options when businesses lack in-house Chinese security expertise and cannot deploy experts to the country while the pandemic continues?

The result is a set of significant complications: the new regulations are published only in Chinese, yet Chinese nationals are not authorised to undertake the work required for international businesses to become compliant.

Growing numbers of multinational businesses are turning to QTS Global, including one of the largest materials handling companies in The Netherlands. Providing a combination of international security thought leaders with IT experts on the ground in China, QTS Global has helped the company to assess the implications of the new Chinese Data Security requirements and put in place the new policies, procedures and data classification processes required to safeguard operations.

Challenge

Safeguarding Chinese Operations

In 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). These laws, which build on the existing Cyber Security Law introduced in 2017, significantly increase both the extent of required protection and the cost of failing to comply, especially for PIPL infractions. Serious violations could lead to fines of up to 50 million yuan (US$7,855,000) or 5% of annual revenue.

For EU, UK and US organisations working in China, the underlying concepts of the new data security standard will be familiar, as they broadly follow the General Data Protection Regulation (GDPR) introduced by the EU in 2018. However, GDPR, while stringent, is specifically focused on the handling of personal data. The three Chinese data laws together create new demands with which international companies need to get to grips, not least the need to determine whether data must be stored and processed in China.

Security Requirements

The original Cybersecurity Law (CSL) uses China’s Multi-Level Protection System (MLPS) classification to define an operator’s security requirements, ranging from Level 1 self-assessment to Level 5 supervised assessment by the Cyberspace Administration of China (CAC).

DSL defines in detail the controls around data, its classification and its handling requirements for areas such as R&D, Operations and Finance. The CAC and the Ministry of Industry and Information Technology (MIIT), together with industry regulatory bodies and local provinces, have the power to define what data has to be localised. While PIPL has similarities to GDPR regarding the handling of personal data, sensitive data in China also includes financial data. In addition, PIPL does not consider legitimate purposes as a lawful basis for the processing of personal data.

There is also a strong requirement for data localisation, especially if a company is identified as affecting national security or the welfare of Chinese citizens.

Many international companies working in China have been taken by surprise by these new security laws. The Dutch materials handling company, despite many years’ experience within China, discovered the new security requirements only when contacted by QTS Global as part of its education programme to ensure multinational businesses operating in China are compliant and trading securely.

As Matthew Spicer, Managing Director of QTS Global, says “No organisation trading in China wants to be in the spotlight of a government data security review.”

Solutions

Reviewing Security Implications

This Dutch company rapidly acknowledged the pressing need to review the implications of DSL, CSL and PIPL. One of the key considerations for this business is the potential need to keep certain data related to local customers and operations inside the country: sending data overseas without authorisation could result not only in a corporate fine but also in individual liability for responsible personnel. Even worse, serious offences could lead to the enforced closure of a business’s website, and even the suspension or cancellation of a business licence.

QTS Global has worked closely with the company over the past few months, initially providing consultancy services to explain in detail the requirements of the new data security laws and the impact they have on the company’s business operations in China. The consultancy then extended to cover four key areas: policy, procedure, data classification and network security.

Policies

QTS Global’s international security thought leaders worked virtually with the company to undertake a robust review of internal policies, assessing existing data processing and storage methods and their potential implications under the new data security requirements. The company must ensure its policies meet the requirements laid out in CSL/DSL/PIPL, and the use of Data Protection Impact Assessments is now mandatory prior to exporting or processing data overseas.

Procedures

QTS Global advised that robust guidelines are needed to document and track all data processing activities. In conjunction with company policies such as data retention and disposal, it is essential to identify how, and by whom, documents are classified, so that items can be tracked through their lifecycle up to and including disposal.

Data Classification

One of the most significant implications of this law is the introduction of new levels of data classification, with each data class subject to specific new security standards. Companies based outside China need to understand the new implications when processing the data of individuals and organisations in China in connection with the delivery of products and services, when processing data to analyse and evaluate the behaviour of individuals or companies in China, or when processing ‘important’ domestic data. Understanding the different data classifications associated with DSL and PIPL is a key component of the compliance strategy, especially given its influence on where data may be stored.

Network Security

QTS Global also provided guidance on how to seek Multi-Level Protection System (MLPS) approval from local government; this certification will dictate how and where the company can store its data.

Benefits - Securing The Future

In addition to creating a robust strategy, and designing the policy and procedures required to secure continued operations in China, the company also wanted to work with QTS Global to review its overall network security. While penetration tests had been undertaken in the Netherlands, such tests had not been conducted in China. As a result, QTS Global’s IT team on the ground in China has also undertaken a local IT audit and full penetration test to identify vulnerabilities across the network which could otherwise allow a bad actor to gain access.

Matthew Spicer at QTS Global concludes, “We provide the ability to provide clear communication with local sites and government to keep everyone well-informed. We conduct vulnerability assessments, IT audits and, if required, the necessary expertise to secure data. China continues to issue updates and guidance on data security and compliance, but working with QTS Global will ensure this business is always up to date with the latest requirements and can confidently, securely continue to operate within this key international market.”

What is QTS Global All About?

QTS Global is an American IT company based in Asia Pacific for over a decade with a mission to vanquish needless IT suffering wherever our clients operate in APAC, UAE, and Germany.

We serve every imaginable industry including manufacturing, logistics, services (law firms, architecture, consulting), food & beverage, software, gaming, hospitality & leisure and educational institutions.

We’re about providing innovative support models customized and aligned to client requirements at the global level, spanning the entire enterprise.

We’re about localizing support according to the client’s market requirements and ensuring that local teams are supported wherever they work, and wherever they go.

And we’re about resisting the status quo — rejecting questionable agendas in the name of building valuable, long-term and sustainable relationships with our clients.

The result? QTS Global has helped companies decrease fixed overhead costs by as much as 75% and increase productivity by 100%.

And in the end, that’s what it’s all about.

Let’s Connect!

Patricia Erica Acuña
patricia.acuna@qtsglobal.com

The ability to operate at the level of multinational corporations calls for partners that operate with the same set of core principles to have a smooth and harmonious relationship.

Efficient, interoperable, cost-effective with integrity, QTS Global has been a committed partner.
