



On September 29th, 2024, a consortium of 17 Chinese industry organizations jointly unveiled a draft of the Data Security Compliance Guidelines for the Industrial and Information Technology Sectors (hereinafter referred to as “the Guidelines”) for public feedback. This consultation phase is open to member organizations until October 16th, 2024. The Guidelines are designed to steer data processors in these sectors towards conducting data processing activities lawfully and in full adherence to pertinent regulations, while accurately fulfilling their data security protection obligations.
Formulated in accordance with China’s prevailing data security laws, regulations, and relevant normative documents, including guidelines and standards specific to the industrial and information sectors, these Guidelines draw on a total of 17 legal and regulatory documents as their compliance basis. Notably, some documents, such as the Telecom Data Security Classification Protection Requirements and Industrial Data Security Risk Assessment Standards, are still in progress and have not yet been publicly disclosed.
Structured into nine chapters, the Guidelines encompass critical aspects such as data classification and grading, data security management systems, comprehensive lifecycle data protection, risk monitoring and reporting, emergency response mechanisms for security incidents, risk assessment, cross-border data transfers, and data transactions. These Guidelines specifically target data processors within the industrial and information sectors, meaning those who independently determine the objectives and methods of data processing in these fields.
In terms of cross-border data transfers, the Guidelines align with the latest national policies and regulations. The requirements for data transfers in the industrial and information sectors follow the same compliance standards as general cross-border data transfers, without imposing any sector-specific conditions. This segment essentially summarizes pre-existing regulations without introducing new compliance criteria for these sectors.
Regarding data transactions, the Guidelines provide limited directives, primarily concentrating on intermediary agencies offering data transaction services. These agencies are mandated to conduct legality and compliance assessments during transactions. China’s establishment of the National Data Bureau and the issuance of policies aimed at fostering data exchange underscore the nation’s commitment to promoting data circulation. Furthermore, in the National Data Standard System Construction Guide released in October 2024, “data transaction” is highlighted as a pivotal component of the data standard system. As China’s legal framework for data transactions evolves, more comprehensive compliance standards in this domain are anticipated to emerge.
The Guidelines are designed to aid industry enterprises in navigating intricate compliance requirements, emphasizing specific actions businesses should undertake to ensure adherence. Unlike the legal documents they are based on, the Guidelines focus on practical measures for enterprises rather than delineating governmental duties or defining legal terminology. While the legal structure for data compliance is largely in place, supporting standards are still in development, indicating that further adjustments may be necessary as new standards are implemented.
If you have any questions or need further assistance, please reach us at: info@bestao-consulting.com.


