Overview Of MIIT's New Rules Regarding Data Security
On December 8, 2022, the Ministry of Industry and Information Technology ("MIIT") promulgated the Measures for Data Security Management in Industry and Information Technology Sector (for Trial Implementation) ("Measures"), a landmark piece of legislation for China's industry and information technology sectors. The Measures introduce and clarify several very important concepts for the sector, such as core data and important data.
This article briefly introduces the Measures for enterprises operating in the said sector.
Ⅰ
Who must comply?
The Measures apply to data processing activities in the industrial and information technology field in China. The industrial and information technology data covered by the Measures are industrial data, telecom data and radio data.
As such, there are three types of industrial and information technology data processors ("data processors"; under Chinese law, the concept of data processors covers both controllers and processors) under the Measures: (i) industrial data processors; (ii) telecom data processors; and (iii) radio data processors. In brief, the enterprises targeted by the Measures cover a wide range of data processors, such as industrial enterprises, software and information technology service enterprises, and telecom operators that have obtained operation permits, such as ICP (Internet Content Provider) license holders. In other words, all data processors in the industrial manufacturing and IT sectors are regulated under the Measures.
Ⅱ
What are the key compliance obligations under the Measures?
1. Classified and graded data protection system
A classified and graded data protection system is a vital management measure under the Data Security Law and the Measures. In accordance with the Measures, industrial and information technology data may be categorized as follows:
* By classification: R&D (research and development) data, production and operation data, management data, operation and maintenance data, business service data, etc., from the perspective of industry requirements, characteristics, business needs, data sources and uses;
* By grade: general data, important data and core data, on the basis of the damage to national security, public interests, or the legitimate rights and interests of individuals or organizations that would result if the data were tampered with, destroyed, leaked, or illegally obtained or used.
Data processors should implement protection measures according to the classification and grade of the data, such as different operating procedures. Where data of different grades are processed simultaneously and it is difficult to apply separate protection measures, the data processor should protect all of the data in accordance with the requirements of the highest grade concerned, so that the data remain in a state of effective protection and legitimate use.
2. Catalogue of core data and important data for the industry and information technology sector
2.1 Introduction of catalogue of core data and important data for the industry and information technology sector
According to the Measures, MIIT and local authorities will formulate a catalogue of important data and core data for the industry and information technology sector ("Catalogue") based on the potential damage effect of the data concerned. The Catalogue plays a crucial role in the establishment of a classified and graded data protection system.
In the meantime, the Measures also provide damage-effect standards as the rules for distinguishing core, important, and general data. This is the first time that the scope of core data has been clarified in binding legislation.
Please see the table of standards for core data and important data for your reference.
2.2 The obligation of data processors with the Catalogue
According to the Measures, a data processor shall undertake the following obligations on the basis of the Catalogue.
(1) Customized catalogue of important data and core data
A data processor is obligated to create its own catalogue of important data and core data based on the Catalogue and other relevant rules. Accordingly, the data processor should proactively conduct data classification and grading and keep an eye on the publication and updates of the Catalogue.
(2) Filing of the catalogue
A data processor must file the catalogue of important data and core data it has created with the local regulatory department.
The filing document includes essential details such as data source, classification, grade, scale, carrier, purpose and method of processing, scope of use, responsible entities, external information sharing, cross-border transmission, security protection measures, etc. Notably, however, the filing document does not cover the data itself.
Moreover, the data processor shall re-file the updated catalogue of important data and core data within three months of any substantial change. A change of 30% or more in the scale of important data and core data (including data entries and amount), or any change to the reported content, is considered a substantial change.
3. Special obligation for important data and core data processors
3.1 Storage
Important data and core data collected and generated in China shall be stored within China where laws and administrative regulations so require, and a data export security assessment shall be conducted in the case of cross-border transmission.
In addition, data processors are forbidden to provide industry and information technology data stored within China to foreign industrial, telecommunications, or radio law enforcement agencies without the permission of MIIT.
3.2 Data security management
Important data and core data processors undertake more obligations in terms of data security management. Specifically:
(i) Appointing the responsible personnel and management body for data security, and establishing a regular communication and collaboration mechanism to fully implement data security protection responsibilities. The person chiefly responsible for data security is generally the legal representative or the principal of the enterprise, and the member(s) of the leadership team responsible for data security shall act as the directly liable person(s).
(ii) Defining key data processing positions and job responsibilities, and concluding a data security liability statement with the key position personnel, which includes job responsibilities, obligations, penalties, precautions, etc.
(iii) Establishing internal registration, approval and other working mechanisms, and keeping records of important data and core data processing activities.
3.3 Annual data security risk assessment
Important data and core data processors are obligated to conduct a data security risk assessment at least once a year, either by themselves or through a third party, and the assessment report shall be submitted to the relevant local industry regulators.
In addition to the special obligations summarized above, data processors that do not handle important data or core data also bear compliance obligations, such as whole-life-cycle data security management, data security monitoring in daily operations and emergency management, data security training, etc.
Conclusion
Data processors, whether important data and core data processors or general data processors, should establish the data security management mechanisms and measures required by the Measures, conduct data compliance risk assessments and rectify any deficiencies found. Moreover, it is strongly suggested that data processors pay attention to the supporting norms and standards developed by the regulatory authorities, especially the Catalogue.