The requirements of the Data Security Law (DSL, effective since Sep 1, 2021), which has been widely discussed internationally, are a challenge for many companies operating in China. To establish a hierarchical protection system for data classification, China’s National Information Security Standardization Technical Committee has issued the National Standard – Guide for Important Data Identification (Draft, hereinafter referred to as the Guide), which goes into more detail on the identification of important data.
According to the Guide, important data are first determined by the character of the data. Significance for national and public security is an essential criterion for identifying important data. Depending on their importance, data are categorized as general data, important data, and core data. Based on the MLPS 2.0, these categories of data must be adequately protected according to their respective security standards. This categorization must be done accurately so that the flow of data is not slowed down by overprotecting unimportant data.
Companies should proceed in several steps. Important data within a company must be incorporated into a data catalog with reference to the regulations applicable to their region and sector. The company must then submit the results to the relevant authority in the form of a report. If the nature, purpose or method of use of important data changes, this must also be communicated to the authority in an updated report.
Currently, the Guide is a national standard in the drafting phase that is not yet mandatory to implement. However, it already provides companies with references for identifying important data and, once in force, will become one of the most important guidelines for competent authorities to use when compiling data catalogs. Companies that process data in China should get an overview of the Guide now.