New Data Security Risk Assessment Rules for Industry and Information Technology Sectors
Companies processing “core” and “important” data in the industrial and information technology sectors must comply with China data security assessment requirements introduced in 2022. A new set of trial rules clarifies how to conduct these assessments, covering the required scope, submission instructions, and legal liabilities for non-compliance.
China’s Ministry of Industry and Information Technology (MIIT) has released a new set of trial rules for companies in industry and information technology (IT) sectors to conduct data security risk assessments.
The Implementation Rules for Data Security Risk Assessment in the Field of Industry and Information Technology (Trial) (hereinafter the “trial rules”), which are based on China’s Data Security Law (DSL), Cybersecurity Law (CSL), and the Data Security Management Measures for the Field of Industry and Information Technology (Trial) (the “trial management measures”), require companies within these fields that handle “important” or “core” data to carry our data security risk assessments. The rules are meant to guide companies in carrying out this obligation and better ensure data security by standardizing the requirements for risk assessments.
The trial rules took effect on June 1, 2024.
Background: What are “core” and “important” data?
Core and important data in the field of industry and information technology are defined in the trial management measures, which came into effect on January 1, 2023. The trial management measures classify data into “core”, “important”, and “ordinary” categories, and require firms to take different degrees of protection measures when collecting, processing, transferring, and disposing of data.
The trial management measures also require companies to compile and maintain data catalogs of core and important data and submit these catalogs to the regional industry regulatory authorities.
Data Risk Classification for Industrial and Information Technology Companies |
|
Category | Definition |
Core data | Information that poses a serious threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety, and that has a great impact on the country’s overseas interests and its data security in space, polar regions, the deep sea, and artificial intelligence.
Information that has a great influence on China’s industrial and telecommunications sectors as well as key backbone enterprises, critical information infrastructure, and other important resources.
Information that can do major damage to industrial production and operations, telecommunication network and internet operation services, and radio business development, which has the potential to lead to large-scale shutdowns, large-scale radio business interruption, large-scale network and service paralysis, and loss of a large number of business processing capabilities.
Other information assessed and recognized as core data by the MIIT. |
Important data | Information that poses a threat to China’s politics, territory, military, economy, culture, society, science and technology, cyberspace, ecosystem, resources, and nuclear safety, and that has an impact on the country’s overseas interests and its data security in space, polar regions, the deep sea, and artificial intelligence.
Information that has an influence on the development, production, operations, and economic interests of China’s industrial and telecommunications sectors.
Information that can cause major data security incidents or production safety accidents, has a significant impact on the legal rights of individuals and organizations, and has a large negative impact on society.
Information that has obvious cascading effects across a range of industries and enterprises or has long-lasting effects that can seriously impact China’s industrial development, technological advancement, and industrial ecology. |
Ordinary data | Information that has a relatively low impact on the legal interests of individuals and organizations.
Information that can only affect a small number of users and enterprises or a small scope of production and living areas, that only has a short-term effect, and that has a relatively low impact on the operations of enterprises, industry development, technological advancement, and industrial ecology.
Other data excluded from the catalogue of important and core data. |
The trial management measures also specify three types of industry data that fall under the definition of “industrial and information technology data”: industrial data, telecom data, and radio data.
Industrial data refers to data generated and collected during R&D, design, production and manufacturing, business management, operation and maintenance, and platform operation across various industries and fields within the industrial sector.
Telecom data refers to data generated and collected during telecommunications business operations.
Radio data refers to data on radio frequencies, stations, and other electromagnetic wave parameters generated and collected during radio business activities.
Obligations under the trial rules
Under the trial rules, industrial and IT companies handling important or core data are required to conduct data security risk assessments. Risk assessments must be carried out at least once a year and will remain valid for one year from the date the assessment report is first issued.
While the trial rules are specifically intended for companies processing core and important data, they state that they can also be used to conduct risk assessments of companies processing of general data.
The risk assessment must cover the purpose and method, business scenarios, security measures, and risk impact of processing core or important data, covering the following areas:
- Whether the purpose, method, and scope of data processing are legal, legitimate, and necessary;
- The formulation and implementation of data security management systems and process strategies;
- The data security organizational structure, work allocation, and performance of responsibilities;
- The construction and application of data security technical protection capabilities;
- Whether the personnel involved in data processing activities are familiar with data security-related policies and regulations, whether they have the knowledge and skills required for data security, and whether they have received data security-related education and training;
- The scope and degree of impact on national security and public interests in the event of security incidents, such as tampering, destruction, leaks, loss, or illegal acquisition and illegal use of the data in question;
- The security capabilities, responsibilities, and obligations of the data acquirer or trustee in the case of the data being provided, entrusted processing, or transferred to another party; and
- The fulfillment of data export security assessment requirements in cases where data export security assessments need to be reported as required by national laws and regulations.
The assessment report must also include basic information on the company, the assessment team, the types and quantities of important data, the situation of data processing activities, the data security risk assessment environment, as well as the analysis of data processing activities, compliance assessment, security risk analysis, assessment conclusions, and response measures.
If any changes occur during the validity of the assessment report, the company must immediately conduct another risk assessment of the change, including the impact it may have on data security.
These changes include the following scenarios:
- Core data has been provided, entrusted, and transferred to a new entity;
- There is a change in the security status of important data and core data with an adverse impact on data security, including but not limited to major adjustments to the purpose, method, scope of application, and security system strategy of the data processing;
- The occurrence of security incidents involving important data and core data;
- The occurrence of major changes in the content of the important data and core data catalog; or
- Other circumstances where the industry regulatory department requires an assessment.
Carrying out a data risk assessment
The company can choose to carry out the data risk assessment by itself or entrust a third-party assessment agency with industrial and IT data security capabilities to do it on its behalf.
The MIIT will select third-party assessment agencies that have passed certain capability certifications and publish them in a database. Local industry regulatory authorities can also refer to this to establish a database of agencies in their regions.
Companies carrying out risk assessments on their own must establish a professional assessment team. This team must be comprised of personnel in positions of management, business operations, technical support, and security and compliance. They must also formulate a complete assessment work plan, and be equipped with effective technical assessment tools.
Companies that entrust a third-party assessment agency to conduct data security risk assessment must clarify the rights and responsibilities of both parties through the conclusion of a contract or other legally binding documents. They must also provide the necessary materials and conditions to the third-party assessment agency, ensure the authenticity and completeness of the relevant materials, and confirm the assessment results.
Submission of assessment report and follow-up reviews
After the completion of the assessment report, companies must submit it to the local industry regulatory department within 10 working days. The local industry regulatory departments will then submit the assessment results to the MIIT.
Local industry regulatory departments must promptly notify a company of the need to make corrections if they find that it has not complied with any laws or regulations, and companies must take appropriate measures to eliminate or reduce any data security risk hazards found in the assessment.
By December 25 of each year, the local industry regulatory departments must report all of the assessment reports they have received and reviewed in their region in that year to the MIIT. The MIIT will then organize spot checks and reviews of the assessment reports as deemed necessary.
For the provision, transfer, or entrusted processing of core data involving multiple entities, local industry regulatory departments must complete the review within 20 working days of the company submitting the assessment report and report it to the MIIT for reexamination.
Penalties for non-compliance
While the trial rules do not outline specific penalties for non-compliance, they do stipulate that industry regulatory departments will impose administrative penalties on a company that violates the requirements. The penalty will depend on the severity of the circumstances, and if a violation constitutes a crime, the company can be held criminally liable.
Impact of the trial rules and considerations for businesses
While the new trial rules will assist companies by providing better guidelines for conducting data security risk assessments, they still lack clarity. The definition of “core” and “important” data remains ambiguous, as the previous trial management measures do not provide specific examples or clear distinctions among core, important, and general data. This ambiguity leaves room for subjectivity and interpretation, potentially causing confusion and inconsistency in compliance efforts. Companies may still face challenges in accurately classifying their data and ensuring that they meet all regulatory requirements without more precise guidelines.
To navigate these uncertainties, companies should keep up to date with the latest regulatory news and developments. Staying informed about any updates or clarifications issued by the MIIT can help ensure compliance with evolving standards. Additionally, maintaining open lines of communication with local industry regulatory authorities can provide companies with valuable guidance and support.
About Us
China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. For a complimentary subscription to China Briefing’s content products, please click here.
Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.
- Previous Article China’s National Financing Credit Service Platform: Insights and Impact
- Next Article China’s Wine Market Outlook: Trends and Opportunities