Marketing in China: China Data Protection Regulations (CDPR)

Wendy Ong
May 18, 2019
Cybersecurity

As China introduces regulations and standards to govern cyberspace security and data protection, more companies are becoming concerned about how the China Data Protection Regulations (CDPR) will impact them, and what they need to do to be CDPR compliant.

What is CDPR?

CDPR is the term used to represent China’s data protection regime. Under CDPR, there are multiple laws, measures, and standards:

  • China Cybersecurity Law (网络安全法) was implemented in 2017
  • Personal Information Security Specification (个人信息安全规范) was implemented in 2018 and was recently updated in Jan 2019. This Specification is not a law or regulation, but a standard used to determine if businesses are compliant with China’s data protection rules
  • Measures for Security Assessment of Cross-Border Transfer of Personal Information and Important Data (个人信息和重要数据出境安全评估办法) & Guidelines for Data Cross-Border Transfer Security Assessment (数据出境安全评估指南) are still in the draft phase

Who is affected by CDPR?

CDPR affects any organization that manages individuals’ personal data and imposes data privacy obligations on network operators. Network operators are defined as network owners, managers, and providers; a network is defined as any system comprised of computers and related equipment that gathers, stores, transmits, exchanges, or processes information. What this means is that any business in China that manages its own email or other data networks is affected by CDPR.

How does CDPR impact businesses?

CDPR will impact businesses in four different areas: Data Acquisition, Data Storage/Transfer, Data Management & Governance and Data Usage.

  1. Data Acquisition: CDPR affects how you go about acquiring data, how much data you are acquiring and whether you have acquired consent from individuals and informed them accordingly about the data collection.
  2. Data Storage/Transfer: If you are a Critical Information Infrastructure Operator (CIIO), you are required to store personal and important data locally in China unless the authority agrees that there are necessary business reasons to transfer data out of China. If you are a non-CIIO network operator, you can transfer data out of China so long as you have obtained consent from users to do so and undergone a data transfer security assessment.
  3. Data Management & Governance: CDPR sets certain standards as to how businesses should manage and govern their data. For example, there are guidelines on what needs to be done in the event of a data breach.
  4. Data Usage: CDPR will affect how marketers perform marketing activities. For instance, you need to ensure that the word “Ad” or “广告” is included in the email subject line when sending a commercial email. Or, if you are personalizing content to individuals on your website, you need to show the words “Personalized display” prominently.

So, given the ambiguity and constantly evolving nature of CDPR, what can marketers do now to ensure that they can continue their marketing activities without violating laws and regulations under CDPR?

Firstly, businesses need to update their privacy policy to include:

  • The purpose, means, and scope of the collection and use of the personal data
  • How personal data is being protected, shared, transferred and disclosed
  • How the personal data of underage users is being managed
  • How cookies and other similar technologies such as pixel tags and web beacons are being used
  • User’s rights, how the privacy policy will be updated and the contact information of the business

Secondly, there are multiple data audits that are required under CDPR: auditing the risk of data transfer and assessing the impact of the company’s data processing activities on users. However, I also recommend that businesses perform a separate data audit on:

  • The current data practices (e.g. current data acquisition processes)
  • Partners, third parties, technology platforms and vendors’ compliance with CDPR
  • The different data collected from different sources, and how this data is being used

Thirdly, it is recommended that businesses obtain explicit opt-in and consent from individuals to store or process their data outside of China.

Finally, educate employees and partners on CDPR on a regular basis, especially whenever there is an update to the laws and regulations.

What do you think about the laws and regulations in China? Comment below!

This article first appeared on https://www.linkedin.com/in/wendy-ong-90822998/
