QTS Global Logo

UK Universities Cannot Afford To Ignore China’s Personal Information Protection Law


UK universities rely heavily on overseas students to boost revenue. Yet student numbers from East Asia plummeted during Covid – equating to a decline of £463 million in spending on tuition and living expenses – raising serious concerns over the financial viability of some UK universities. One worst-case scenario – suggests that all universities except Oxford and Cambridge may go bankrupt.

Enticing elite Chinese students back to the UK as opposed to other leading global universities is a priority. Yet there is growing recognition that unless universities achieve compliance with the Chinese Personal Information Protection Law (PIPL) passed in 2021, the potential financial and reputational damage of a data breach could outstrip even the current revenue drop.

With serious violations leading to fines of up to 50 million yuan (GBP £5,910,000) or 5% of annual revenue, the pressure is on DPOs to achieve compliance fast.

But without expertise in PIPL, native Chinese speakers or access to local Chinese sign off to conclude the compliance process, the options for achieving compliance are limited. Which is why growing numbers of UK Universities are turning to QTS Global – to gain access to IT experts on the ground in China and achieve the compliance required to rapidly safeguard this vital revenue stream.

Financial and Reputational Risk

For many Chinese students, UK universities are a top destination, offering a warm welcome, a high-quality education, and an enticing life experience. However, the restrictions created by Covid on the delivery of higher education has changed the experience. Combined with travel constraints, the lure of UK universities has fallen – with numbers of Chinese students dropping dramatically.

In 2019, there were over half a million international students studying in the UK, and over a quarter of those were Chinese nationals, and whilst there has been some recovery, overseas fee income was forecast to be down by around 10% – according to 2021 figures from the UK Government Commons library.

The pressure is on to boost enrolment for the next academic year but there is growing anecdotal evidence from Chinese students about the increased hacking of their personal data.

University DPOs are now becoming extremely concerned about the implications of the Chinese PIPL in both the short and long term.

As Matthew Spicer, Founder & Managing Director at QTS Global says, “UK universities have a duty of care to all students. But the new Chinese data security requirements have far-reaching legal and financial ramifications. No UK university can afford to be found guilty of failing to protect the data of their largest profit streams: Chinese Nationals.”

Escalating Security Threat

Achieving PIPL compliance is a priority – not only to safeguard this vital revenue stream but also in response to the escalating threat landscape: a data breach is virtually inevitable.

New data from Forrester Research in its report titled “The 2021 State Of Enterprise Breaches,” found that the majority of companies (63%) have suffered at least one breach in the past 12 months. The global average breach cost $2.4 million — a price tag that increases to $3.0 million for companies unprepared to respond to compromises.

In addition, almost three quarters (71%) of organisations were hit by ransomware in 2021, and most of those (63%) opted for paying the requested ransom, according to the 2022 Cyberthreat Defense Report (CDR) by the CyberEdge Group. No IT security team can afford to wait and assume they will deal with a threat IF it happens: as these figures show, it is happening, every day, to organisations across the globe.

As Spicer says, “No one is immune – and for any university operating in China and / or providing education to Chinese nationals, ensuring compliance to PIPL is now an urgent requirement.”

PIPL Specific Challenges

The frustration for many university IT security teams is that the underlying concepts of PIPL are familiar, as they broadly follow the General Data Protection Regulation (GDPR) introduced by the EU in 2018. However, without native Chinese speakers – who also have great IT security expertise – unraveling the specific demands of PIPL is very difficult.

Furthermore, for those universities with a Chinese campus, there is no chance of sending experts into the country while the pandemic continues. Lockdowns and travel restrictions will be in force for some time yet, and so an alternative approach to achieving PIPL compliance is needed – now.

The security demands are evolving – and increasing – fast. Just like the GDPR, the PIPL requirements are continually expanding, creating additional IT security requirements that DPOs need to rapidly absorb and apply. This is not just a ‘Chinese GDPR’, there are a number of very specific issues that need to be considered, such as the potential need for all personal data relating to Chinese national students to be stored and processed in China.

Universities are also unsure about how to deal with Chinese national students when personal information is hacked. Does the responsibility lie with the university or the student?

The fact is that if a data breach occurs with a Chinese citizen, the University must report it to both the ICO and China. This means potentially two fines, as well as the negative press and damage to reputation both at home and in China.

“UK universities increasingly understand that their lack of expertise in Chinese data security laws is a major concern,” says Spicer. “The only way to mitigate the huge financial and reputational risk associated with failure to achieve PIPL compliance is to work with a company with well-established Chinese IT data security credentials and on-the-ground experience.”

QTS Global Solution

UK universities, such as the University of Nottingham, are turning to QTS Global because it has both the academic experience and an unrivaled understanding of how to successfully operate in China. QTS Global has worked with UK universities and Education Institutions for over a decade, providing advice, guidance, and support to set up Chinese campuses.

For example, QTS Global has worked with Concordia International School Shanghai Campus, Dulwich College Beijing, and Shanghai, as well as the British International School Shanghai.

Having operated in China for almost 20 years, QTS Global has vast experience in speaking and dealing with the Chinese government.

Furthermore, having been working closely with many global businesses to understand the demands of PIPL and achieve compliance over the past 12 months, QTS Global’s team of IT experts can offer immediate insight into the specific requirements of the new Chinese data security laws.

With an IT security team that spans the UK and China, QTS Global can provide DPOs with an immediate insight into the specific demands of PIPL and how it applies within an academic setting.

Typically, experts will provide a free consultation to discuss the University’s needs and concerns before working closely with the DPO and legal teams to assess the specific implications of PIPL for the university.

Once understood, QTS Global has a best practice approach to define the compliance requirements. This includes outlining the new policies and procedures that need to be implemented and defining the data classification processes required to safeguard Chinese national students attending universities in the UK.

In addition, as a Chinese company, QTS Global, can achieve the local sign-off required to confirm the compliance process has been concluded.


There is no doubt that this is a challenging time for UK universities. On the one hand, with the ongoing revenue shortfall, it is vital to entice more Chinese students; on the other, the implications of a Chinese national being hacked while studying in the UK are now hugely more significant than pre-PIPL.

Despite the significance of the fines – from both the ICO and the Chinese government – it is the potential impact of reputational damage on future student recruitment that could be truly devastating.

The onus is on UK universities to address PIPL compliance now.

“Chinese data security laws can appear daunting. By working with a team that has long-term experience in China, a breadth of security expertise, and a knowledge of UK academia, universities can quickly allay many of their concerns regarding PIPL compliance,” concludes Spicer.

What is QTS Global All About?

QTS Global is an American IT company based in Asia Pacific for over a decade with a mission to vanquish needless IT suffering wherever our clients operate in APAC.

We serve every imaginable industry including manufacturing, logistics, services (law firms, architecture, consulting), food & beverage, software, gaming, hospitality & leisure and educational institutions.

We’re about providing innovative support models customized and aligned to client requirements at the global level, spanning the entire enterprise.

We’re about locailizing support according to the client’s market requirements and ensuring that local teams are supported wherever they work, and wherever they go.

And we’re about resisting the status quo —rejecting questionable agendas in the name of building valuable, long-term and sustainable relationships with our clients.

The result? QTS Global has helped companies decrease fixed overhead costs by as much as 75% and increase productivity by 100%.

And in the end, that’s what it’s all about.

Let’s Connect!

The ability to operate at the level of multinational corporations calls for partners that operate with the same set of core principles to have a smooth and harmonious relationship.

Efficient, interoperable, cost-effective with integrity, QTS Global has been a committed partner.