Data compliance challenges from new personal information security rules

The national standards titled Personal Information Security Specifications (GB/T 35273-2017) (the Specifications), released on 29 December 2017, are due to take effect on 1 May 2018. Being recommended national standards, the Specifications are not mandatory. However, as fundamental supporting standards under the Cybersecurity Law effective from 1 June 2017, the Specifications highlight operability by giving further guidelines on compliance with personal data protection principles under the Cybersecurity Law.

Q: What are the focuses of the Specifications?

A: The Specifications focus on all steps involved in personal information processing, including collection, preservation, use, entrusted processing, sharing, transfer and public disclosure of personal information, all subject to the personal information owner’s “consent”, which is one of the most important highlights of the Specifications.

Q: How is personal information categorized under the Specifications?

A: Categorization of personal information under the Specifications reflects data categorization requirements under Article 21 of the Cybersecurity Law. According to the Specifications, personal information includes general personal information and sensitive personal information. General personal information refers to any information identifying a specific natural person or reflecting the activities of a specific natural person. Sensitive personal information refers to any information which, if used improperly, may threaten personal or property safety or lead to discriminatory treatments or damage of personal reputation or physical or mental health.

Stephanie Wu Yuanyuan and Song Ying are partners at AnJie Law Firm