
China Releases Draft Measures for Personal Information Protection

The certification process involves several steps, including data mapping, data classification, and data encryption.

The Need for Certification

The increasing demand for cross-border data transfers has led to a growing need for certification. As more companies operate globally, they must comply with various data protection regulations. The CAC’s certification process aims to ensure that data processors handle personal information securely and in accordance with Chinese data protection laws. Key benefits of certification include:

  • Enhanced data security
  • Compliance with Chinese data protection regulations
  • Increased trust among consumers
  • Better risk management

The Certification Process

The certification process involves several steps, including:

Data Mapping

Data mapping is the first step in the certification process. It involves identifying and mapping personal information to be transferred abroad. This step is crucial in ensuring that sensitive data is handled correctly. Key considerations for data mapping:

  • Identifying personal information
  • Mapping data to relevant categories
  • Ensuring data accuracy

Data Classification

Data classification is the second step in the certification process. It involves categorizing personal information based on its sensitivity and risk level. This step helps data processors prioritize data protection measures. Key considerations for data classification:

  • Categorizing data based on sensitivity
  • Assigning risk levels to data
  • Prioritizing data protection measures

Data Encryption

Data encryption is the final step in the certification process. It involves encrypting personal information to protect it from unauthorized access.

GDPR certification ensures data processor compliance with data protection principles and regulations.

Certification is a formal recognition that the data processor has met the requirements of the GDPR. This certification is usually obtained through a third-party audit or assessment.

Obtaining Certification

To obtain certification, a data processor must meet the requirements set by the GDPR. These requirements include:

  • Demonstrating compliance with the GDPR’s data protection principles
  • Implementing appropriate technical and organizational measures to ensure the security and integrity of personal data
  • Providing transparency and accountability in data processing activities
  • Ensuring the rights of data subjects are respected and protected

Certification is typically obtained through a third-party audit or assessment.

Foreign Personal Information Processors Under PIPL

The Personal Information Protection Law of the People’s Republic of China (PIPL) has introduced a certification mechanism for foreign personal information processors. This mechanism aims to ensure that foreign entities handling Chinese citizens’ personal information comply with the law’s requirements.

Eligibility Criteria

To be eligible for the certification mechanism, foreign personal information processors must meet specific criteria outlined in Article 3(2) of PIPL. These criteria include:

  • Being a foreign entity that processes personal information of Chinese citizens
  • Having a clear and publicly available privacy policy
  • Demonstrating compliance with relevant data protection regulations
  • Having a data protection officer or equivalent responsible for overseeing data protection practices

Certification Process

The certification process for foreign personal information processors involves several steps:

  • Application: Foreign entities must submit an application to the relevant data protection authority in China.
  • Assessment: The data protection authority will assess the entity’s compliance with the eligibility criteria and the PIPL’s requirements.

CAC PI Protection Certification Standards

The China Academy of Ceramics (CAC) is a leading research institution in the field of materials science and technology. As part of its efforts to promote the development of cross-border data transfer and electronic information security, CAC has been working on establishing standards for the protection of personal information (PI). In this article, we will delve into the world of PI protection certification standards, specifically focusing on the work of CAC in this area.

Background

The concept of personal information protection has become increasingly important in today’s digital age. With the rapid growth of data transfer and storage, the need for secure and standardized practices has become more pressing than ever.

Compliance of Cross-Border PI Transfers

When assessing compliance with cross-border PI transfers, the following key factors are considered:

  • Data Protection Impact Assessment (DPIA): Conducting a DPIA to identify and mitigate potential risks associated with cross-border data transfers.
  • Data Transfer Agreements: Ensuring that data transfer agreements are legally binding and compliant with relevant data protection regulations.
  • Data Encryption: Implementing data encryption to protect sensitive data during cross-border transfers.
  • Data Access Controls: Establishing data access controls to ensure that only authorized personnel have access to sensitive data.

Overseas Processors and Recipients

When evaluating overseas processors and recipients, the following factors are considered:

  • Processor Selection: Carefully selecting overseas processors who have a proven track record of data protection and compliance.
  • Processor Audits: Conducting regular audits of overseas processors to ensure ongoing compliance with data protection regulations.
  • Recipient Verification: Verifying the identity and legitimacy of overseas recipients to ensure that sensitive data is not misused.
  • Data Retention: Ensuring that overseas recipients comply with data retention requirements and do not retain sensitive data for longer than necessary.

Legally Binding Agreements and Organizational Safeguards

When assessing legally binding agreements and organizational safeguards, the following factors are considered:

  • Contractual Clauses: Including contractual clauses that ensure compliance with data protection regulations and standards.
  • Data Protection Policies: Establishing data protection policies and procedures that outline the organization’s approach to data protection.

The Importance of Professional Certification for Cross-Border Data Transfers

Cross-border data transfers are a critical aspect of international business, allowing companies to operate globally and access new markets. However, these transfers also pose significant risks, including data breaches and unauthorized access. To mitigate these risks, the European Union has implemented the General Data Protection Regulation (GDPR), which requires companies to implement measures to protect personal data during cross-border transfers.

The Role of Professional Certification in Cross-Border Data Transfers

Professional certification plays a crucial role in ensuring the security and integrity of personal data during cross-border transfers. In the context of the GDPR, professional certification bodies must meet specific qualifications to conduct PI protection certification for cross-border data transfers.

The Draft Measures are still open for public comment. We will continue monitoring regulatory developments with respect to the certification mechanism.
