A guide for businesses to China’s first cyber security law

Consistent with GDPR

The legislation consolidates China’s data protection rules and adds new ones. The fundamental principles of the new rules are consistent with the General Data Protection Regulation (GDPR), which will apply in the European Union from May 2018. For example, both laws require businesses to inform people if they hold personal data on them, explain why the data is held, how it is collected, processed and used, and obtain consent.

Businesses are also required to take all necessary measures to make data secure and confidential.

China’s new law requires businesses operating critical information infrastructure (CII) − including public communication and information services, finance, healthcare and public services – to keep all personal data and important data collected in China within the country.

If a CII operator wants to transfer data overseas, it must pass a security assessment by China’s government.

China’s government plans to extend these data localisation regulations to cover other general network operators and online service providers. Although not yet announced, it is likely businesses will be given a grace period until the end of 2018 to comply with data localisation requirements.

Cyber security requirements

The third part of the new cyber security law is cyber security requirements for network operators, online service providers and network device manufacturers.

The rules include having internal security management systems, “operating rules” for IT security; taking technical measures to prevent computer viruses and network attacks and keeping a record of network security incidents. There are also mandatory standards, examinations and certifications for network devices.

Like other IT security/data protection rules, complying with China’s cyber security law is about more than IT. It is about a company’s organisational structures, its business, administration, its culture and adapting to the regulatory and political culture of another country.

A compliance project for China’s new law will therefore probably include IT directors, directors for compliance, risk and PR, as well as legal teams.

Compliance checklist

Most of the actions companies need to take to comply with China’s cyber security law will be familiar to CIOs: audit your company’s cyber security, highlight weaknesses and fix them.

Also, update your privacy policies. And don’t forget devices and equipment on the internet of things (IoT). In the last year, there have been warnings that medical devices connected to the web – including some pacemakers and insulin pumps – had lax security and could be targeted by hackers.

Organisations should create or update an incident response plan in the event of a cyber security breach in China. They should also monitor rules about the international transfer of data, which are still being amended.

Overlapping projects to prepare for Europe’s GDPR and China’s new cyber security law may save companies time and money. Complying with China’s law may be trickier than for other IT regulations − and more expensive. But the cost of being kicked out of the Chinese market could be far higher.

Nick Beckett is managing partner, Beijing office, for international law firm CMS.