Many global organisations have had to grapple with compliance with GDPR over recent years. Compliance with China’s data laws, specifically the 'PIPL' Personal Information Protection Law, - is not just a copy and paste exercise. With additional Data and Cyber Security Laws to consider, what are the steps your organisation can take to simplfy the compliance procedure for continued trouble-free operations in China?
Your organisation is very likely already GDPR compliant if you are reading this. China's equivalent consumer data protection law, PIPL, has been created for different reasons compared to GDPR. Sadly, as a result, compliance with China’s PIPL is not just a repeat of the GDPR process.
In the EU, the law is squarely aimed at protecting citizens' data. In China, there’s an element of establishing control over personal data by the authorities whilst they simultaneously look to limit (Western) organisations' ability to exploit Chinese personal data.
This is as much a technical issue as a legal one, requiring compliance with data storage, data security and data geo-location. Depending on your organisational size and your China data footprint, there may only be a small amount of paperwork. For companies with large China user bases, there could be a need to get legal input for submission to the authorities. Happily, many companies assume this is the case, whereas for them it's actually not required. What are the key compliance points for your business?
The new Data Laws in China are known in English collectively as 'MLPS' or the Multi-Level Protection Scheme. There are three main cornerstones of this policy:
The first task on the road to compliance is to work out the level of compliance required for your company. Many assume that it's a complex, expensive and time-consuming procedure. Sure, for some companies it can be, but for most, it's simpler and more manageable than first assumed.
Under PIPL and DSL, there can be a requirement to keep personal data in an encrypted format within China prior to any exporting of that data abroad. There are also implications for holding that data overseas. It's a complex subject, but we make things easy for you with a tiered series of packages to ensure compliance whatever your company size.
For the majority of clients, unless they have large-scale user bases within mainland China, the process of compliance can be achieved after an initial assessment based on your organisation's in-market data footprint.
Our service for your organisation to achieve and ensure compliance includes:
Following an initial assessment:
For organisations with large-scale user bases, a legal submission to the authorities may be required.