China Cybersecurity: MIIT Releases Data Security Risk Assessment Rules

On 10 May 2024, China’s Cybersecurity Administration Bureau of the Ministry of Industry and Information Technology (the “MIIT”) introduced the Implementation Rules for Data Security Risk Assessment in the Industry and Information Technology (the “Rules”). These Rules are designed to serve as a comprehensive guide for local industry regulators and Data Processors in conducting thorough data security risk assessments (the “Risk Assessment”). In this article, we will provide an in-depth analysis of the Rules’ principal components and explore the broader implications for compliance.

BACKGROUND

Risk Assessment has emerged as a critical step in ensuring data security. To address this need, the MIIT released the Rules, which clarify the key concepts and mechanisms within the Risk Assessment system in the industry and information technology sector.

Prior to the introduction of the Rules, Article 30 of the PRC Data Protection Law (the “DSL”) requires important Data Processors to conduct regular Risk Assessments of their data processing activities in accordance with regulations and submit the Risk Assessment reports (“Report”) to the relevant competent authorities. Based on this requirement, the Regulations on the Management of Network Data Security (Draft for Comments) (the “Network Data Regulations”), have outlined explicit requirements on the content of the Risk Assessment, as well as the timeline for reporting to the authorities. Particularly in the field of industry and information technology, the MIIT issued the Measures for the Administration of Data Security in the Field of Industry and Information Technology (Trial) (the “Data Security Measures”) in December 2022, which specified the requirements for the Risk Assessment, but did not provide details regarding assessment content or procedures. Consequently, the MIIT released the draft Rules on 9 October 2023 and the final Rules to fill this gap by offering a comprehensive explanation of how to conduct these assessments.

KEY PROVISIONS AND OBSERVATIONS

I. Who should apply for the Risk Assessment?

The Risk Assessment applies to “Data Processors” of important data and core data within the industrial and information technology sector. Pursuant to the Data Security Measures, Data Processors refer to entities that independently determine the purpose and method of processing in data processing activities. Data Processors encompass various entities within the industry and information technology sector, including industrial enterprises, software and information technology service providers, telecommunications operators holding telecommunications business operation licenses, and radio frequency and station users.

Another issue that requires clarification is the definition of important data and core data. According to the Data Security Measures, data is classified into three levels. These are general data, important data, and core data, based on the degree of harm caused to national security, public interests, or the legitimate rights and interests of individuals and organisations, resulting from data tampering, destruction, leakage, illegal access, or unlawful use. This classification method is consistent with that of the data export policies recently issued by the free trade zones in Tianjin and Shanghai.

We summarise the scopes of important data and core data below.

While MIIT has provided definitions for important data and core data, the specific scope or catalogue of these data remains undetermined. To the best of our knowledge, the current practice involves Data Processors submitting a catalogue of their important data and core data to the local office of the MIIT (“Local MIIT Office”) for filing. The Local MIIT Office will review the catalogue submitted by the processors. If it meets the requirements, the filing status will be reported to the MIIT; and if the catalogue falls short of requirements, feedback will be provided, including reasons for the filing failure.

Notably, although the Risk Assessment is not mandated for general data processing activities, the Rules bring forward that, as an optional best practice, the Data Processors can also perform Risk Assessment for their general data processing in accordance with the Rules.

II. Filing Process

（1）Initiating the Risk Assessment

The Risk Assessment necessitates the establishment of a specialised assessment team, comprising professionals with expertise in organisational management, business operations, technical support, and security compliance. Additionally, a comprehensive assessment work plan should be developed, and effective technical evaluation tools should be provided.

Data Processors have the flexibility to undertake a Risk Assessment independently or engage a third-party assessment organisation. Note that if third parties are engaged, Data Processors should formalise their partnership through an agreement or other legally binding documents. Data processors must also provide the necessary materials and conditions to support the third parties, ensure the authenticity and completeness of relevant materials, and confirm the assessment results.

（2）Risk Mitigation

In case data security risks or vulnerabilities are found during the assessment, Data Processors must take prompt corrective actions to eliminate or mitigate these risks. Common corrective measures include:

• Developing or updating internal data protection policies and procedures;
• Strengthening data encryption and access controls;
• Developing a data classification system including identifying important data and core data; and
• Increasing data security awareness among employees by conducting training.

（3）Compilation and Submission of Assessment Materials

Data Processors conducting the Risk Assessment must prepare a true, full and Report. Upon completing the assessment work, Data Processors must submit the Report along with the filing materials to the Local MIIT Office within ten working days.

（4）Industry Regulatory Authority Review

If the Local MIIT Office finds that the Report does not conform to national and industry regulations and standards, it will notify the Data Processors to undertake necessary remediation.

The Local MIIT Offices are required to submit an annual summary of their receipt and review of the Reports within their respective regions to the MIIT by 25 December of each year. The MIIT will then conduct spot checks and reviews of the Reports as deemed necessary.

In instances where cross-entity provision or entrusted processing of important data and core data are involved, the Local MIIT Offices are required to complete the review of the Report within 20 days after the Data Processors’ submission. Subsequently, they must forward the report to the MIIT for further assessment. At present, MIIT has not interpreted the meaning of “cross-entity provision”, but considering that the Data Security Measures define “Data Processors” in the field of industry and information technology as certain entities that independently determine the purpose and method of data processing, we believe that “cross-entity provision” here means providing or sharing data to other Data Processors, including other affiliates that act as independent Data Processors within the same group.

（5）Assessment Period and Updates

Data processors must perform Risk Assessments at least once a year. The validity of the Reports lasts for one year from their initial issuance.

During this validity period, if any of the following circumstances arise, the Data Processors must conduct a Risk Assessment on the activities that have been changed and their impact:

• Plans to engage in cross-entity provision, entrusted processing, or the transfer of core data. Notably, the transfer of important data is not subject to the re-assessment requirement.
• Significant changes in the security status of important data or core data that could negatively impact data security, including major adjustments in data processing purposes, methods, scope, and security policy;
• Occurrence of security incidents related to important data or core data;
• Major changes in the filing content of the important data and core data directory; or
• Other situations in which industry regulatory authorities require an assessment.

It should be noted that the Rules alleviate the compliance workload for businesses. Once the above new situations arise, Data Processors are not required to undertake comprehensive Security Assessments on the whole data processing activities, but only on the changed parts.

III. The Content of the Risk Assessment Report

The Risk Assessment is a comprehensive process that evaluates various aspects of an organisation’s data processing practices. By examining these facets, Data Processors can gain a deeper understanding of their data security posture and make informed decisions to enhance their data protection strategies. Specifically, Data Processors need to conduct assessments on the following aspects:

• The legality, legitimacy, and necessity of data processing purposes, methods, and scope.

• The internal management regime, including:
  1. the establishment and implementation of data security management systems, procedures, and strategies;
  2. the data security organisational structure, staffing, and responsibilities;
  3. data security technology capabilities and their practical application; and
  4. the data security awareness, knowledge, skills, and professional backgrounds of personnel involved in data processing activities. Notably, compared with the draft Rules, the final Rules emphasise whether the personnel have received data security-related education and training.
• The impact of security incidents involving data tampering, destruction, leakage, loss, or unauthorised access and utilisation on national security and public interests.
• The assessment usually involves the following three aspects:
  1. risk severity,
  2. risk likelihood, and
  3. comprehensive risk assessment based on the results of the other two aspects.
• Additional assessment for special data processing activities:
  1. For cross-entity provision, entrusted processing and transfer, the security capabilities, integrity, legal compliance, and liability obligations of the data recipients or entrusted parties should be assessed;
  2. For data export that requires a data export security assessment, whether the Data Processor has passed the data export security assessment should be confirmed.

On this basis, Article 6 of the Rules sets out requirements for the content of the Report, which should include:

• Data Processor Information: the basic information of the Data Processor and the assessment team;
• Description of the Processing: the types and quantity of important data, the circumstances of data processing activities, the environment of the Risk Assessment; and
• Analysis and Conclusion: data processing activity analysis, compliance assessment, security risk analysis, assessment conclusions and response measures.

To facilitate the Risk Assessment, Data Processors may also refer to the draft standard, Information Security Technology - Risk Assessment Method for Data Security.

CONCLUSION: HOW SHOULD DATA PROCESSORS PREPARE?

The Rules aim to provide guidance on the Risk Assessment of important data and core Data Processors in the industrial and information technology sectors. The MIIT has taken a step closer towards establishing its data security regime revolving around the data categorisation and classification system.

The implementation of the Rules will impose significant obligations for all companies involved in data processing activities in their relevant industries, particularly for important data and core Data Processors who will need to apply for Risk Assessments.

To effectively assess and mitigate data security risks, it is imperative for the Data Processors to conduct thorough data mapping and gain a comprehensive understanding of the important data and core data that they process, as well as the specific data processing activities, sources, and flows. Additionally, companies should strengthen their internal data security management and technical protective measures to ensure data security and compliance, essential for successfully passing the Risk Assessment.