The EU’s General Data Protection Regulation (GDPR) has influenced many governments around the world to create copycat laws. Now it has reached China, where a new Personal Information Protection Law (PIPL) regulates the way companies use and process the data of some 1.4bn citizens. The new law crucially follows the GDPR’s extraterritorial application, meaning that overseas companies and entities processing personal data on Chinese citizens are within scope.
With multimillion-yuan fines or even cancellation of business licenses in store for serious offenders, the message is clear: it’s time to think seriously about data protection for customers from the region. Data-centric security in the form of encryption or tokenization should be number one on the to-do list.
PIPL, 中华人民共和国个人信息保护法, is China’s first attempt at a national data protection law covering citizens’ personal information. Effective as of November 2021, it closely follows the GDPR in many respects. In-scope data means “any information related to identified or identifiable natural persons stored in electronic or any other format.” And it applies to all forms of data activities including collection, storage, transmission and deletion.
Its maximum penalties for non-compliance are 50 million yuan ($7.5m) or 5% of global annual turnover. Suspension or cancellation of business licenses is also possible for serious violations.
Briefly, the PIPL requires any company processing data on Chinese citizens to:
Obtain explicit consent from data subjects when third parties are involved in processing personally identifiable information (PII).
Adopt security measures to protect PII from data leakage, theft or deletion.
Appoint a data protection officer inside China to supervise the handling and protection of PII.
Give data subjects new rights, such as deciding whether and to what extent organizations can process their PII, correcting their data, moving it to another provider, or having it deleted.
Notify and gain explicit consent from data subjects when their PII is to be transferred outside China.
Pass a separate security assessment if data volumes for transfer outside China exceed a specific amount.
Store PII inside China if the volume of data processed exceeds the threshold set by the authorities.
Like GDPR, the law grants citizens new rights over their own PII, but also places strict new obligations on processors of that information to ensure it doesn’t fall into the wrong hands. Encryption is the only technology mentioned by name in GDPR as an example of an appropriate “technical measure” which could help to ensure the secure processing of personal data. Tokenization is a related technique that replaces the sensitive data with a random surrogate value, called a token, rather than transforming it with a cryptographic key.
Both are examples of data-centric security: a best practice approach to mitigating compliance risk which focuses on securing the data itself rather than relying solely on protection at endpoints, network perimeters, and other parts of the IT environment. Those outer layers can be breached by determined threat actors, but data that has already been encrypted or tokenized is useless to them, which makes data-centric security the preferred approach for organizations looking to comply with the GDPR or PIPL.
Be sure to choose a data-centric security provider who can deliver:
The China market is a huge draw for Western retailers and service providers. But compliance risk must first be managed in order to maximize its potential. That means putting comprehensive data-centric security in place to keep PIPL regulators happy and PII safe.