Understanding China’s new Personal Information Protection Law

China’s Personal Information Protection Law (PIPL) recently went into effect, with potential consequences for enterprises around the world. A new complimentary white paper from ISACA, Insights Into China’s Personal Information Protection Law, explains the key concepts of this new law, provides in-depth information on processing requirements, and explores the complex topic of cross-border data transfer protocols under the PIPL.

The PIPL is the first comprehensive and specialised legislation regarding personal information protection in China. Previously, personal information protection requirements were distributed across several laws, including the Cybersecurity Law (CSL), the Civil Code of the People's Republic of China, and the Data Security Law (DSL). While the PIPL is focused on China, it is applicable not only within the territory of the People’s Republic of China (PRC) but also beyond its borders.

This means that PIPL compliance has become critical for many enterprises around the world since China’s law took effect on 1 November 2021. The white paper outlines a PIPL-related task list for enterprises that need to comply, including:

1. Identify personal information and personal sensitive information.
2. Take sufficient protection measures.
3. Notify individuals of additional information, including the necessity of processing personal data and its impact on individuals.
4. Obtain separate consent and, if necessary, written consent.
5. Conduct a security impact assessment.

ISACA’s white paper also discusses how the PIPL applies to all sectors, all types of enterprises (including government agencies) and most processing activities, and compares China’s PIPL to the European General Data Protection Regulation (GDPR) and the US National Institute of Standards and Technology (NIST) Privacy Framework.

“Today, enterprises must be well versed in a complex set of privacy regulations across many countries, regions and sectors,” says Safia Kazi, Privacy Professional Practices Principal at ISACA.

“China's Personal Information Protection Law has far-reaching impacts and organisations across the globe will need to pay attention to how it is enforced and ensure they are complying.”

To download a complimentary copy of the Insights Into China’s Personal Information Protection Law white paper, visit https://store.isaca.org/s/store#/store/browse/detail/a2S4w000005FJgmEAG.