China's Data Protection Law Compliance

China Personal Information Protection Law - PIPL

Is PIPL the same as GDPR?

Your organisation is very likely already GDPR compliant if you are reading this. China's equivalent consumer data protection law, PIPL, has been created for different reasons compared to GDPR. Sadly, as a result, compliance with China’s PIPL is not just a repeat of the GDPR process.

In the EU, the law is squarely aimed at protecting citizens' data. In China, there’s an element of establishing control over personal data by the authorities whilst they simultaneously look to limit (Western) organisations' ability to exploit Chinese personal data.

This is as much a technical issue as a legal one, requiring compliance with data storage, data security and data geo-location. Depending on your organisational size and your China data footprint, there may only be a small amount of paperwork. For companies with large China user bases, there could be a need to get legal input for submission to the authorities. Happily, many companies assume this is the case, whereas for them it's actually not required. What are the key compliance points for your business?

Understanding the different laws - PIPL, CSL, DSL

The new Data Laws in China are known in English collectively as 'MLPS' or the Multi-Level Protection Scheme. There are three main cornerstones of this policy:

• PIPL - the Personal Information Protection Law. This will be the primary law affecting Western organisations active in China. It concerns Chinese citizens' personal data. The chances are if GDPR affects your organisation, so will PIPL. There are requirements around consent, data processing and access to personal records.
• DSL - the Data Security Law. This concerns data collected in China. The law regulates its storage and the subsequent transfer of that data abroad. For example, if you gather enquiries from a website form or WeChat and export this into Salesforce, this would come under both PIPL and DSL.
• CSL - Cyber Security Law. This concerns data protection from the perspective of cyber security. It stipulates cyber security requirements for Chinese network operators and critical information infrastructure operators. For most clients, their exposure to this law is through their 3rd party providers. It would be expected that the liability for compliance lies with the 3rd party operators although some awareness of the 3rd party CSL compliance may be desirable.

The first task on the road to compliance is to work out the level of compliance required for your company. Many assume that it's a complex, expensive and time-consuming procedure. Sure, for some companies it can be, but for most, it's simpler and more manageable than first assumed.

Comply with data residency

Under PIPL and DSL, there can be a requirement to keep personal data in an encrypted format within China prior to any exporting of that data abroad. There are also implications for holding that data overseas. It's a complex subject, but we make things easy for you with a tiered series of packages to ensure compliance whatever your company size.

For the majority of clients, unless they have large-scale user bases within mainland China, the process of compliance can be achieved after an initial assessment based on your organisation's in-market data footprint.

Become compliant

Our service for your organisation to achieve and ensure compliance includes:

• An initial assessment of the level of compliance required by your organisation
• Standard website legal policy documentation

Following an initial assessment:

• Data flow mapping: A process to establish the level of compliance needed for your organisation along with data flow of any exported data;
• Self-assessment policy documentation in Chinese and English;
• Data solution provision and compliance with the requirement for data residency in China;
• Provision of secure China-based data storage solutions and at-rest encryption.

For organisations with large-scale user bases, a legal submission to the authorities may be required.