China Cybersecurity: Data Security Risk Assessment Draft Rules Released by MIIT

On 9 October 2023, China’s Cybersecurity Administration Bureau of the Ministry of Industry and Information Technology (the “MIIT”) released the Implementation Rules for Data Security Risk Assessment in the Industry and Information Technology Sectors (Draft for Comments) (the “Rules”). The Rules aim to provide guidance to local industry regulators and data processors in the field of industry and information technology on conducting risk assessment (the “Risk Assessment”). In this article, we will delve into the key aspects of this document and shed light on the compliance implications.

BACKGROUND

Data security risk assessment has emerged as a critical step in ensuring data security. To address this need, the MIIT released the Rules, which clarify the key concepts and mechanisms within the data security assessment system in the industry and information technology sector. 

Prior to the introduction of the Rules, Article 30 of the PRC Data Protection Law (the “DSL”) requires important data processors to conduct regular Risk Assessments of their data processing activities in accordance with regulations and submit the Risk Assessment reports to the relevant competent authorities. Based on this requirement, the Regulations on the Management of Network Data Security (Draft for Comments) (the “Network Data Regulations”), have outlined explicit requirements on the content of the Risk Assessment, as well as the timeline for reporting to the authorities. Particularly in the field of industry and information technology, the MIIT issued the Measures for the Administration of Data Security in the Field of Industry and

Information Technology (Trial) (the “Data Security Measures”) in December 2022, which specified the requirements for the Risk Assessment, but did not provide specific details regarding assessment content or procedures. Consequently, the Rules serve to fill this gap by offering a comprehensive explanation of how to conduct these assessments. 

KEY PROVISIONS AND OBSERVATIONS

I. Who should apply for the Risk Assessment? 

The Risk Assessment applies to processors of important data and core data within the industrial and information technology sector.
The processors (“Data Processors”) encompass various entities within the industry and information technology sector. Including industrial enterprises, software and information technology service providers, telecommunications operators holding telecommunications business operation licenses, and radio frequency and station users. In addition, the processors can independently determine the purpose and method of data processing activities.

Another issue that requires clarification is the definition of important data and core data. According to the Data Security Measures, data is classified into three levels. These are general data, important data, and core data, based on the degree of harm caused to national security, public interests, or the legitimate rights and interests of individuals and organisations, resulting from data tampering, destruction, leakage, illegal access, or unlawful use. 

We summarise the scopes of important data and core data below. 

While MIIT has provided definitions for important data and core data, the specific scope or catalogue of these data remains undetermined. To the best of our knowledge, the current practice involves data processors submitting a catalogue of their important data and core data to the local industry regulatory authority (“Local Industry Authority”) for filing. The Local Industry Authority will review the catalogue submitted by the processors. If it meets the requirements, the filing status will be reported to the MIIT; and if the catalogue falls short of requirements, feedback will be provided, including reasons for the filing failure.

II. Filing Process

The Risk Assessment necessitates the establishment of a specialised assessment team, comprising professionals with expertise in organisational management, business operations, technical support, and security compliance. Additionally, a comprehensive assessment work plan should be developed, and effective technical evaluation tools should be provided. 

Data processors have the flexibility to undertake a Risk Assessment independently or engage a third-party assessment organisation. Note that if third parties are engaged, data processors should formalise their partnership through an agreement or other legally binding documents. Data processors must also provide the necessary materials and conditions to support the third parties, ensure the authenticity and completeness of relevant materials, and confirm the assessment results. 

(2) Risk Mitigation

In case data security risks or vulnerabilities are found during the assessment, data processors must take prompt corrective actions to eliminate or mitigate these risks. Common corrective measures include:

• Developing or updating internal data protection policies and procedures;
• Strengthening data encryption and access controls;
• Developing a data classification system including identifying important data and core data; and 
• Increasing data security awareness among employees by conducting training. 

(3) Compilation and Submission of Assessment Materials

Data processors conducting the Risk Assessment must prepare a true, full and accurate assessment report. Upon completing the assessment work, data processors must submit the assessment report along with the filing materials to the Local Industry Authority within 10 working days.

(4) Industry Regulatory Authority Review

The Local Industry Authority may independently review the assessment report or delegate the task to a professional organisation. If the report does not conform to national and industry regulations and standards, the Local Industry Authority will notify the data processors to undertake necessary remediation.

For cases involving export, cross-entity provision or entrusted processing of important data and core data, Local Industry Authorities need to submit the assessment report to the MIIT for further review.

(5) Assessment Period and Updates

Data processors must perform Risk Assessments at least once a year. The validity of the reports lasts for one year from their initial issuance.

During this validity period, if any of the following circumstances arise, the data processors must conduct a new Risk Assessment and update the report:

• Plans to engage in cross-entity provision, entrusted processing, or the transfer of important data or core data;
• Significant changes in the security status of important data or core data that could negatively impact data security, including major adjustments in data processing purposes, methods, scope, and security policy;
• Occurrence of security incidents related to important data or core data; or
• Other situations in which industry regulatory authorities require an assessment.

III. The Content of the Risk Assessment Report

The Risk Assessment is a comprehensive process that evaluates various aspects of an organisation’s data processing practices. By examining these facets, data processors can gain a deeper understanding of their data security posture and make informed decisions to enhance their data protection strategies. Specifically, data processors need to conduct assessments on the following aspects and reflect them in the Risk Assessment reports:

• The legality, legitimacy, and necessity of data processing purposes, methods, and scope.
• The internal management regime, including: 

(a) the establishment and implementation of data security management systems, procedures, and strategies; 

(b) the data security organisational structure, staffing, and responsibilities; 

(c) data security technology capabilities and their practical application; and 

(d) the data security awareness, knowledge, skills, and professional backgrounds of personnel involved in data processing activities.

• The impact of security incidents involving data tampering, destruction, leakage, loss, or unauthorised access and utilisation on national security and public interests. 
• The assessment usually involves the following three aspects: 

(a) risk severity, 

(b) risk likelihood, and 

(c) comprehensive risk assessment based on the results of the other two aspects. 

• Additional assessment for special data processing activities:

(a) For cross-entity provision, entrusted processing and transfer, the security capabilities, integrity, legal compliance, and liability obligations of parties involved in these activities should be assessed;

(b) For data export that requires a data export security assessment, whether the data processor has passed the assessment should be confirmed. 

To facilitate the Risk Assessment, data processors may refer to the draft standard, Information Security Technology - Risk Assessment Method for Data Security.

CONCLUSION: HOW SHOULD DATA PROCESSORS PREPARE?

The Rules aim to provide guidance on the Risk Assessment to important data and core data processors in the industrial and information technology sectors. The implementation of the Rules will usher in significant changes for all companies involved in data processing activities in the relevant industries, particularly for important data and core data processors who will need to apply for Risk Assessments. 

To effectively assess and mitigate data security risks, it is vital for the data processors to conduct thorough data mapping to gain a comprehensive understanding of the important data and core data that they process, as well as the specific data processing activities, sources, and flows. Additionally, companies should strengthen their internal data security management and technical protective measures to ensure data security and compliance, essential for successfully passing the Risk Assessment.