China’s Personal Information Protection Law Incident Response Guidelines
What every business needs to know to prepare for compliance with China’s privacy law
China passed its first ever privacy legislation, known as the Personal Information Protection Law, on August 20, 2021. The new law will go into effect November 1, 2021, at which point organizations must obtain consent for processing personal data and practice data minimization. The law also allows consumers to withdraw consent without discrimination, obtain a copy of their data, and request their data be deleted.
Automate PIPL obligations with the BreachRx platform
Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response
Who Must Comply with China’s Personal Information Protection Law?
Any organization located in China processing the personal information of Chinese residents must comply with the Personal Information Protection Law. Any processing of personal information on Chinese residents that occurs outside China when the purpose of the processing is to provide products or services to residents within China or to analyze and evaluate the behavior of residents within China is also subject to the law.
Organizations may not share personal information with any foreign judicial or law enforcement agencies without the approval of the Chinese government. However, they can share personal information with processors in other countries if they meet the following criteria:
| Prepare the organization by meeting one of three requirements |
|
| Inform the individuals involved with pertinent information |
|
How Does China Enforce the Personal Information Protection Law?
China’s National Cyberspace Administration is responsible for overall enforcement of the Personal Information Protection Law, with state councils handling enforcement in their territories.
Enforcement Scope
Councils can lead personal information protection publicity and education efforts, supervise organizations regarding protection measures, accept and process complaints and reports, and investigate illegal processing activities
Organizational Penalties
Councils can order businesses to correct illegal practices and confiscate any illegal gains. Failure to correct can lead to a fine of up to 1 million yuan or, in serious circumstances, up to 50 million yuan or 5% of the previous year’s turnover* and a suspension of the relevant business permit.
Individual Penalties
Councils can fine individuals directly responsible for illegal actions 10,000-100,000 yuan or, in serious circumstances, 100,000 to 1 million yuan and prohibit them from taking on roles protecting personal information. Individuals can also be investigated for criminal liability.
*The law does not specify if the revenue penalty refers to turnover worldwide or only what’s generated in China. The National Cyberspace Administration will likely make this clearer via guidance in the near future.
What Incident Response Does China’s Personal Information Protection Law Require?
China’s Personal Information Protection Law requires organizations to issue a notification following any instance of leakage, tampering, or loss related to personal information.
| What is personal information | Any information (electronic or otherwise) related to an identified or identifiable natural person, excluding anonymized information. |
| What is sensitive personal information | A special class of information that, once leaked or used illegally, can easily lead to the infringement of personal dignity or threaten personal and property safety. This includes biometrics, religious beliefs, medical information, financial accounts, and personal information about minors under age 14. |
| What happens once an incident occurs | Once an organization becomes aware of any incidents, they must immediately take remedial measures to correct the situation. |
| Who the organization must notify | The relevant state council responsible for enforcement and the affected individuals. If the remedial efforts effectively mitigate the potential harm, the council may allow them to skip notifying affected individuals. |
| What to include in the notification |
|
| When and how to issue the notification | The law does not specify when or how to issue a notification. The National Cyberspace Administration may provide ongoing guidance as the law comes into effect. |
What Kind of Incidents Can Trigger a Notification Under China’s Personal Information Protection Law?
Some of the most common examples of privacy incidents that can trigger a notification under China’s Personal Information Protection Law include:
Improperly Sold Data
China’s law includes strict requirements for how organizations can process data and the consent they need from individuals for certain processing activities. Any sale of personal information that goes against consent can qualify as an incident that requires notification.
Lost or Stolen Data
Any lost or stolen personal information (electronic or physical) qualifies as a notifiable privacy incident, even if the loss was accidental, since the information might fall into the wrong hands and there is no way for organizations to track it.
Mistakenly Updated/Deleted Data
Mistakenly changing data, overriding information, or deleting details is an example of tampering with personal information and therefore creates a privacy incident that requires notification.
Ransomware
Ransomware occurs when digital information gets stolen and held captive for money. Whether or not the data gets retrieved, this theft can expose the data to malicious groups and therefore requires a notification.
How Should Organizations Prepare for China’s Personal Information Protection Law?
China’s Personal Information Protection Law places the responsibility of safeguarding personal information on organizations, requiring the following protection measures:
- Introduce internal management systems and operating procedures for processing and protecting data, including classified management for personal information
- Adopt technical security measures, such as encryption
- Regularly conduct education and training for employees involved in processing personal information
- Implement response plans for any incidents affecting personal information
- Appoint a person as responsible for supervising personal information processing activities and associated protective measures, and share their name and contact information with the relevant enforcement council (organizations located outside of China must appoint a designated representative inside the country)
- Conduct regular audits to ensure processing activities remain in compliance with the law
Organizations that provide “important internet services,” have a large number of users, and process complex personal information must also adhere to the following:
- Establish an independent organization to supervise protection of personal information
- Follow the principles of openness, fairness, and justice when developing rules for handling personal information
- Stop providing services to organizations whose handling of personal information violates the law
- Regularly publish social responsibility reports on personal information protection
Prioritizing Proactive Incident Response in China
China’s Personal Information Protection Law marks a new era of privacy in the country and forces global organizations to take a deep look at data protection and incident response plans.
Against this backdrop, organizations must take a proactive approach to incident response by taking the time to understand what’s required by global privacy laws, keeping updated on new laws and changes to existing ones, introducing response plans that can go into action at a moment’s notice, and continually revisiting those plans as regulations evolve.
Supercharge your incident response strategy with the BreachRx platform
Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.
