
Are you ready? Only five weeks until China's new data security law comes into effect

02 May 17

With China’s new Cybersecurity Law only five weeks away from taking effect, businesses should be preparing for and understanding the new rules. According to DLA Piper, the draft implementing regulations mean more businesses are likely to be caught by the offshore data transfer rules in the new PRC Cybersecurity Law.

The firm says China has been moving into the data protection space for some time through court decisions, regulations and laws. Until now, however, those rules have largely not been enforced.
That will now change, particularly as a new ‘whistleblower’ system comes into effect. DLA Piper says companies can no longer ignore the offshore data transfer requirements.

DLA Piper has provided a series of requirements and actions:

1. The new draft regulations apply to both “personal data” (as defined in the PRC Cybersecurity Law) and “important data”, which is widely defined to include information that relates to national security, economic development, or the social or public interest.

Required action: Assessment of data flows to determine what is being sent offshore and whether it falls within these definitions. 

2. Consent must be obtained from all individuals before their personal data is sent out of China.

Required action: Consents need to be obtained at all data collection points including for employees, customers and individuals within your supply chain or distribution networks. Existing datasets should be identified and consents obtained where none are currently in place. 

3. A security assessment needs to be carried out before any offshore transfer occurs, and the assessment needs to be repeated annually.

Required action: Your security assessment needs to establish:-

  • the legitimate business necessity of transferring the data offshore;
  • the amount, scope, type and sensitivity of the “personal data”, and whether consent has been obtained;
  • the amount, scope, type and sensitivity of “important data”;
  • the safety precautions established by the offshore data recipients (including group companies);
  • the risk of the transferred data being retransferred, leaked or misused; and
  • whether the transfer may create national security concerns, public or individual risks.

4. The offshore transfer needs to be notified to relevant regulators if any of the following transfer thresholds are met:-

  • data sets covering 500,000 or more individuals;
  • data files in excess of 1000GB;
  • data related to nuclear facilities, chemical biology, national defence or the military, large engineering activities, ocean environmental protection or sensitive geographical information;
  • network information of “key information infrastructure”, including system loopholes (vulnerabilities) or security measures; or
  • you are a “key information infrastructure operator”.

Required action: Your security assessment should specifically identify whether any of these thresholds are met and, if so, the relevant regulators must be identified and notified. Notification will trigger an independent assessment by the relevant regulator(s) and/or the CAC (Cyberspace Administration of China), and the notification should be carefully constructed to minimise the risk of the transfer being blocked. Regulators are required to complete their assessment within 60 days of receiving the notification.

5. There is an absolute prohibition on offshore transfer if:-

  • consent has not been obtained from the data subject for transferring their personal data;
  • it may result in risks for state politics, the economy, technology, national defence, national security, or social or public interests; or
  • any relevant regulator issues a specific prohibition.

Required action: Data must not be transferred offshore in any of these circumstances. For businesses caught by these prohibitions and unable to avoid them, China-based infrastructure and onshore processing is likely to be the practical solution.

6. Any individual or organisation has a right to report an offshore transfer that violates the law to the relevant regulators.

Required action: Complaints by individuals are one of the most common ways in which privacy and data security issues come to the attention of regulators in other countries. Disgruntled employees and competitors represent obvious threats, and this practical risk needs to be considered as part of your data handling policies and practices. The “nobody will find out” argument has suddenly become much less compelling.

7. Sanctions will be imposed in the event of a violation of the provisions of the regulations in accordance with relevant laws and regulations.

Required action: While specific sanctions are not called out in the draft regulations, the sanctions under existing privacy laws are wide-ranging and include the possibility of cancellation of your China business licence.
