China is fleshing out its data protection rules. The Network Data Security Management Regulation (Draft for Comments), published in November 2021, provides more detailed guidance regarding the obligations of processors of important data.
Data is divided into general data, important data, and national core data. Important data refers to data that may jeopardize national security and the public interest if tampered with, corrupted, leaked, or unlawfully obtained or used. This includes data from industry, telecommunications, energy, transportation, and other key sectors. However, companies have only a general guide for determining what counts as important data; industry-specific catalogs are currently being developed by the relevant government agencies.
If a data security incident involves important data or reaches the personal data threshold of 100,000 individuals, the incident must be reported to the municipal cyberspace department and relevant authorities within eight hours. An investigation and assessment report must be completed within five working days of the incident being remediated. The report must include the cause of the incident, the consequences of the damage, responsibility for treatment, and improvement actions.
For the first time, the draft includes specific MLPS 2.0 requirements for processors of critical data: An IT system that handles important data should generally be rated higher than Level 3 and meet the requirements that MLPS 2.0 places on Critical Information Infrastructure Operators. For sharing, trading, commissioning, and annual assessment of critical data, the draft provides further obligations.
We are closely monitoring developments in the catalogs of important data in each industry. Based on this information, we can use data mapping to identify important data in companies, organize data inventories, and develop a legally compliant data classification system in a timely manner.