On 10 May 2024, China’s Cybersecurity Administration Bureau of the Ministry of Industry and Information Technology (the “MIIT”) introduced the Implementation Rules for Data Security Risk Assessment in the Industry and Information Technology (the “Rules”). These Rules are designed to serve as a comprehensive guide for local industry regulators and Data Processors in conducting thorough data security risk assessments (the “Risk Assessment”). In this article, we will provide an in-depth analysis of the Rules’ principal components and explore the broader implications for compliance.
Risk Assessment has emerged as a critical step in ensuring data security. To address this need, the MIIT released the Rules, which clarify the key concepts and mechanisms within the Risk Assessment system in the industry and information technology sector.
Prior to the introduction of the Rules, Article 30 of the PRC Data Protection Law (the “DSL”) already required important Data Processors to conduct regular Risk Assessments of their data processing activities in accordance with regulations and to submit the Risk Assessment reports (“Report”) to the relevant competent authorities. Building on this requirement, the Regulations on the Management of Network Data Security (Draft for Comments) (the “Network Data Regulations”) outlined explicit requirements on the content of the Risk Assessment, as well as the timeline for reporting to the authorities. In the field of industry and information technology specifically, the MIIT issued the Measures for the Administration of Data Security in the Field of Industry and Information Technology (Trial) (the “Data Security Measures”) in December 2022, which set out the requirement to conduct a Risk Assessment but did not provide details regarding assessment content or procedures. Consequently, the MIIT released the draft Rules on 9 October 2023 and then the final Rules to fill this gap by offering a comprehensive explanation of how to conduct these assessments.
The Risk Assessment applies to “Data Processors” of important data and core data within the industrial and information technology sector. Pursuant to the Data Security Measures, Data Processors refer to entities that independently determine the purpose and method of processing in data processing activities. Data Processors encompass various entities within the industry and information technology sector, including industrial enterprises, software and information technology service providers, telecommunications operators holding telecommunications business operation licenses, and radio frequency and station users.
Another issue that requires clarification is the definition of important data and core data. According to the Data Security Measures, data is classified into three levels. These are general data, important data, and core data, based on the degree of harm caused to national security, public interests, or the legitimate rights and interests of individuals and organisations, resulting from data tampering, destruction, leakage, illegal access, or unlawful use. This classification method is consistent with that of the data export policies recently issued by the free trade zones in Tianjin and Shanghai.
We summarise the scopes of important data and core data below.
Data Level | Definition |
Important Data | |
Core Data | |
While MIIT has provided definitions for important data and core data, the specific scope or catalogue of these data remains undetermined. To the best of our knowledge, the current practice involves Data Processors submitting a catalogue of their important data and core data to the local office of the MIIT (“Local MIIT Office”) for filing. The Local MIIT Office will review the catalogue submitted by the processors. If it meets the requirements, the filing status will be reported to the MIIT; and if the catalogue falls short of requirements, feedback will be provided, including reasons for the filing failure.
Notably, although the Risk Assessment is not mandated for general data processing activities, the Rules provide that, as an optional best practice, Data Processors may also perform a Risk Assessment of their general data processing in accordance with the Rules.
(1) Initiating the Risk Assessment
The Risk Assessment necessitates the establishment of a specialised assessment team, comprising professionals with expertise in organisational management, business operations, technical support, and security compliance. Additionally, a comprehensive assessment work plan should be developed, and effective technical evaluation tools should be provided.
Data Processors have the flexibility to undertake a Risk Assessment independently or to engage a third-party assessment organisation. If third parties are engaged, Data Processors should formalise the engagement through an agreement or other legally binding document. Data Processors must also provide the materials and conditions the third parties need to carry out the assessment, ensure the authenticity and completeness of the relevant materials, and confirm the assessment results.
(2) Risk Mitigation
In case data security risks or vulnerabilities are found during the assessment, Data Processors must take prompt corrective actions to eliminate or mitigate these risks. Common corrective measures include:
(3) Compilation and Submission of Assessment Materials
Data Processors conducting the Risk Assessment must prepare a true and full Report. Upon completing the assessment work, Data Processors must submit the Report along with the filing materials to the Local MIIT Office within ten working days.
(4) Industry Regulatory Authority Review
If the Local MIIT Office finds that the Report does not conform to national and industry regulations and standards, it will notify the Data Processors to undertake necessary remediation.
The Local MIIT Offices are required to submit an annual summary of their receipt and review of the Reports within their respective regions to the MIIT by 25 December of each year. The MIIT will then conduct spot checks and reviews of the Reports as deemed necessary.
Where cross-entity provision or entrusted processing of important data and core data is involved, the Local MIIT Offices are required to complete their review of the Report within 20 days after the Data Processors’ submission and must then forward the Report to the MIIT for further assessment. At present, the MIIT has not interpreted the meaning of “cross-entity provision”. However, given that the Data Security Measures define “Data Processors” in the field of industry and information technology as entities that independently determine the purpose and method of data processing, we believe that “cross-entity provision” here means providing or sharing data with other Data Processors, including affiliates within the same group that act as independent Data Processors.
(5) Assessment Period and Updates
Data Processors must perform a Risk Assessment at least once a year. A Report remains valid for one year from its initial issuance.
During this validity period, if any of the following circumstances arise, the Data Processors must conduct a Risk Assessment on the activities that have been changed and their impact:
It should be noted that the Rules alleviate the compliance workload for businesses. When any of the above situations arises, Data Processors are not required to undertake a comprehensive Risk Assessment of all of their data processing activities, but only of the parts that have changed.
The Risk Assessment is a comprehensive process that evaluates various aspects of an organisation’s data processing practices. By examining these facets, Data Processors can gain a deeper understanding of their data security posture and make informed decisions to enhance their data protection strategies. Specifically, Data Processors need to conduct assessments on the following aspects:
On this basis, Article 6 of the Rules sets out requirements for the content of the Report, which should include:
To facilitate the Risk Assessment, Data Processors may also refer to the draft standard, Information Security Technology - Risk Assessment Method for Data Security.
The Rules aim to provide guidance on the Risk Assessment for Data Processors of important data and core data in the industrial and information technology sectors. With them, the MIIT has taken a further step towards establishing a data security regime built around its data categorisation and classification system.
The implementation of the Rules will impose significant obligations on all companies involved in data processing activities in the relevant industries, particularly on Data Processors of important data and core data, who will need to carry out and file Risk Assessments.
To effectively assess and mitigate data security risks, it is imperative for the Data Processors to conduct thorough data mapping and gain a comprehensive understanding of the important data and core data that they process, as well as the specific data processing activities, sources, and flows. Additionally, companies should strengthen their internal data security management and technical protective measures to ensure data security and compliance, essential for successfully passing the Risk Assessment.