The Data Security Law (DSL) requires companies to categorize their data as “general data,” “important data,” and “core data.” Which data falls into these categories varies from industry to industry. The definition of important data for the automotive industry has received the most attention so far, and a detailed explanation of which data falls into the three categories already exists for the financial industry as well. The revised version of the Interim Administrative Measures for Data Security in Industry and Information Technology (Draft) defines the data categories for the industry and information technology sectors.
The document provides that data in the industry and information technology sector will be divided into three categories: Industry, Telecommunications, and Radio data, which must then be divided into the above three levels according to the DSL. Core data affecting national security, the lifeline of the national economy, the livelihood of Chinese citizens, and important public interests is not normally collected or processed by private companies. Therefore, Western companies in China must pay particular attention to the stricter regulations protecting important data.
Industrial data includes R&D drawings and data on design, production, operation, maintenance, platform operation, and other data generated during ongoing operations. All of this data must be checked to determine whether it falls into the category of important data. If it does, the data must be stored in China in accordance with the DSL. If important data is to be transferred abroad, it is necessary to conduct a data export security assessment. Increased security standards must be met even if the data is not transferred abroad. For systems with important data, at least security level 3 of the MLPS must be met.
The Ministry of Industry and Information Technology (MIIT) is aiming for rapid implementation and enforcement of the data security management system. It has already identified 15 pilot zones in which it will work more closely with local industrial enterprises to drive the implementation of data security measures. It aims to strengthen administrative law enforcement and improve technical capabilities for data security monitoring, risk reporting, and the handling of data security incidents. The goal is to comprehensively improve data security monitoring in the relevant regions and apply the learnings from the pilot regions to the whole of China in a timely manner.