With the new Personal Information Protection Law (PIPL), the assessment of the impact on data subjects through the Personal Information Security Impact Assessment (PISIA) becomes the center of attention. PISIA assesses the legal compliance of current personal data processing, identifies the risks to data subjects, and evaluates the effectiveness of the data protection measures taken.
According to the Chinese standard GB/T 39335-2020, the implementation of PISIA can be roughly divided into three steps. First, comprehensive data research must be conducted, and a clear data inventory and data mapping diagram must be created. Next, analyze whether the company’s processing activities affect the legitimate rights and interests of the data subjects, what impact they may have, and what the likelihood of a security incident is. Finally, improvement actions must be taken and a risk assessment report published.
Implementing PISIA not only helps organizations demonstrate compliance with laws and regulations. It can also act as evidence that companies are proactively assessing risks and taking certain safety measures. This can help protect companies from liability claims and reputational damage.
With the official introduction of PIPL on November 1, 2021, corresponding supporting measures will be introduced step by step. We recommend starting PISIA promptly with a data mapping analysis and documenting the activities in order to be prepared in case of inspections by the authorities.