Maintain a data inventory

PIPL requires organizations to maintain records of processing activities, including the classification of data into general, important, and core categories.

Breach response responsibilities

The PIPL outlines remedial measures and notification procedures (immediate requirement v. 72 hours under EU GDPR) in the case of leakage, falsification, or loss of personal information.

Consent and privacy notice requirements

Under the PIPL, individuals must provide informed consent for their personal information to be collected, used, or disclosed by organizations. This means that organizations must clearly explain their data collection practices and obtain explicit consent from individuals before processing their personal information.

Large-scale data processing and data localization requirements

The PIPL also includes data localization requirements for those entities considered to conduct a significant volume of personal information processing (critical information infrastructure operator (CIIO)) meaning that personal information collected in China must be stored on servers located within Chinese territory.

Cross-border data transfers (CBDT)*

If not classified as a CIIO entity, and an entity wants to transmit or share personal information outside China, it must fulfill at least one of the following conditions:

• Complete a security review subject to review by CAC
• Complete PIPL’s standard contractual clauses (SCCs)
• Complete certification requirements through an independent provider selected by CAC

*This area of PIPL continues to be evolving and subject to change, including several draft PIPL “Draft Measures” under review by the Cybersecurity Administration of China (CAC).

Organizational management

If classified as a critical information infrastructure operator (CIIO), those organizations must appoint a personal information protection officer (DPO) to oversee obligations. All others, it is highly recommended to have a privacy lead to oversee the processing of personal information and implement plans for cross-border processing activities in accordance with PIPL.

Conduct impact assessments and security audits

Processors must adhere to the regulations outlined in the PIPL and conduct a personal information protection impact assessment (PIPIA) prior to the transfer (transfer of sensitive personal information (SPI) for human resource purposes. This includes identifying the types of personal information being processed, assessing the risks to individuals’ rights and freedoms, and implementing measures to protect this data. Conducting impact assessments and regular security audits is recommended.