On November 19, 2024, a total of 17 Chinese sector associations jointly issued the Data Security Compliance Guidelines for the Industrial and Information Technology Sectors (hereinafter referred to as “the Compliance Guideline”). The publication of the Compliance Guidance is one of the key events at the Light of Internet Expo, which is a significant section of the World Internet Conference 2024 Wuzhen Summit.

China’s data security governance has been optimized on a more regular basis due to the fast-growing application scope and amount of the data in all fields. Multiple laws and regulations have been issued since 2021, including but not limited to the Data Security Law, Cybersecurity Law, Personal Information Protection Law, and the Measures for the Security Assessment of Outbound Data Transfer etc. In the meantime, data security in the industry and information technology sectors is one of the most focused areas for data governance as it is closely related with important facilities and national security. Several regulations are also issued in the past two years, such as the Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) and the Detailed Rules for the Implementation of Data Security Risk Assessments in the Field of Industry and Information Technology (for Trial Implementation), in the purpose of elaborate implementation path and main contents of legal and compliant data processing activities carried out by data processors in the field of industry and information technology.

The issuing of the Compliance Guideline intends to focus on issues encountered by data processors in the process of fulfilling data security protection obligations. It clarifies the basis for data security compliance, and provides practical guidelines that can help data processors carry out comprehensive, accurate and standardized data security compliance management, and improve data security protection capabilities. The legal basis of this document includes but not limited to aforementioned legal documents.

Regarding the application scope, the Compliance Guideline specifies that data processors in the field of industry and information technology can refer to it to carry out security protection throughout the lifecycle of data processing activities. Here, the “data processors in the field of industry and information technology” refers to various entities in the field of industry and information technology, such as industrial enterprises, software and information technology service enterprises, telecommunications and Internet enterprises, as well as radio frequency and station users, which independently decide the purposes and methods of processing in data processing activities.

The Compliance Guideline consists of nine chapters, besides application scope, terms and definitions, a full list of legal documents that it is drafted upon, more details are laid out on how to categorize data, how to establish and carry out security management system, full lifecycle protection, risk monitor precautions/report/processing, security  incident dealing, risk evaluation, cross-border management, and data trade.

For foreign stakeholders, the full list of the associations that jointly issue the Compliance Guideline may be a very good reference to see what sectors that this document could be of help:

- China Iron and Steel Association

- China Nonferrous Metals Industry Association

- China Petroleum and Chemical Industry Federation

- China Building Materials Federation

- China Machinery Industry Federation

- China Association of Automobile Manufacturers

- China National Textile and Apparel Council

- China National Light Industry Federation

- China Electronic Information Industry Federation

- China Computer Industry Association

- China Association of Communications Enterprises

- Internet Society of China

- China Communication Standards Association

- China International Cooperation Association of SMEs

- China Institute of Communications

- Application Industry Promotion Alliance for Commercial Password of Ministry of Industry and Information Technology

- National Information Security Industry Alliance

Previous article regarding the draft for comment of the Compliance, please visit: https://www.bestao-consulting.com/detail?id=1738&status=china_compliance

If you have any question or need further assistance, please reach us at: info@bestao-consulting.com.

BESTAO presents free monthly report on China compliance. It offers a comprehensive solution on observing various standards and regulatory activities in China. Sample of the monthly report please refer to：

https://www.bestao-consulting.com/detail?id=1740&status=bestao_library

Subscribe the free monthly report by register as a BESTAO website member at: https://www.bestao-consulting.com/login, or write an email to assistant@bestao-consulting.com.