Will China’s Personal Information Protection Law be a game-changer for data security?
20 August 2021 dawned a new era for China's cybersecurity with the passing of China's Personal Information Protection Law (PIPL), the first comprehensive legal attempt to define personal information and regulate its storage, transfer, and processing.
This law, which came into effect on 1 November 2021, provides a legal foundation for the protection of personal information handled by foreign business operations in China. It will also potentially limit the cross-border transfer of information, especially information relating to critical information infrastructure, on national security grounds. All businesses need to understand this law's impact on their data operations.
China and Cybersecurity Laws
Recently, China has been introducing new cybersecurity laws with the aim of safeguarding its citizens from fraudulent attacks. These laws are a cornerstone of Chinese national and international policy and adhere to its fundamental principle of "China First".
The first law was the Cybersecurity Law, which has been in effect since June 2017. This law was designed to regulate network and platform providers and how they handle data.
The second is the Data Security Law (DSL) which came into effect on September 1, 2021. This law looks at data security more from a government perspective. The DSL:
- Applies to a wide range of data and data activities, with extraterritorial jurisdiction
- Refines regulations on “important data” and emphasizes the protection of “core state data”
- Imposes a set of obligations combined with high fines and severe penalties on entities and individuals who conduct data activities
PIPL is the third of China’s new cybersecurity laws. It is part of China’s objective of providing greater security for personal data protection. While it is similar to the EU’s GDPR, it is much stricter than GDPR. The PIPL clearly defines personal information and sensitive personal information and sharpens the focus on information transfers.
Key features of the PIPL law
The PIPL is modeled in part on the General Data Protection Regulation (GDPR) of the European Union. It aims to achieve the following objectives:
- Protect the rights and interests of individuals
- Regulate personal information processing activities
- Safeguard the lawful and orderly flow of data
- Facilitate the reasonable use of personal information
PIPL applies to those who process personal information about Chinese individuals inside China as well as those who process personal information about Chinese individuals outside China.
What happens if the rules are not adhered to?
According to Article 66 of the PIPL, when personal information is handled in violation of the law, or is handled without fulfilling the personal information protection duties set out in the law, a fine of not more than 1 million Yuan may additionally be imposed; the directly responsible person in charge and other directly responsible personnel are to be fined between 10,000 and 100,000 Yuan.
When the unlawful acts are grave, a fine of not more than 50 million Yuan or 5% of annual revenue is imposed. The authorities may also order the suspension of related business activities or the cessation of business for rectification, and report to the relevant competent department for cancellation of the corresponding administrative licenses or business licenses.
What data security measures should organizations take?
Because the PIPL imposes stringent requirements on data transfer, mandatory security controls and data localization, and because increased penalties and fines for violations are anticipated, organizations need to revisit their data security strategies.
An Enterprise Digital Rights Management (EDRM) solution can help protect sensitive data both inside and outside the organization by giving it full visibility and control over that data. It protects data wherever it travels: access permissions can be limited and usage can be monitored.
A DRM solution automatically adds usage controls and tracking to documents as they are classified. Data classification helps organizations make informed decisions about how data is managed, protected, and shared, both within and outside the organization, and ensures that sensitive information remains under the organization's control regardless of where it travels. It therefore facilitates secure external collaboration, reduces data breaches, and supports compliance.
How SECUDE’s Products help in data security
Organizations that use SAP as their business application or ERP system often store their most critical assets, including intellectual property, within SAP. This data must be protected against unauthorized access originating from both inside and outside the organization.
Similarly, the design and manufacturing industry relies on many critical drawings in CAD formats and other sensitive information. These applications need to be monitored, and their data classified and labeled. An attack on SAP and CAD/PLM systems can have a devastating impact on business operations, resulting in financial and reputational losses.
With increasing digitization and stringent rules like the PIPL, organizations have to ensure that their data handling follows these compliance rules, or face heavy penalties.
SECUDE's flagship products HALOCORE and HALOCAD will help you identify where PIPL-relevant data is held and downloaded, and how it is being used. Data classification and data identifiers help identify the data stored in the cloud as well as on-premise.
SECUDE’s HALOCORE provides end-to-end protection of sensitive SAP data exports throughout their lifecycle. HALOCORE uses data classification and policies to limit who has access to what types of data. By integrating directly with SAP, it protects data with automated classification, blocks unauthorized access, and helps generate fine-grained access policies.
It uses Microsoft Information Protection (MIP) to encrypt each document at the server level. SECUDE’s HALOCORE with its deepened integration with Microsoft Azure Active Directory helps to simplify the data governance process while preserving the highest level of data security.
SECUDE’s HALOCAD is the only solution to apply MIP for securing CAD files throughout their lifecycle. It helps in the efficient protection of assembly files that are used in CAD environments and averts log file manipulation, which is the biggest threat facing this industry.
HALOCAD DRM extends the data-centric security across PLM and Multi-CAD integrations. It now supports the following PLM Multi-CAD integrations:
- HALOCAD® Add-on for Siemens Teamcenter – NX Integration
- HALOCAD® Add-on for Siemens Teamcenter – Solid Edge Integration
- HALOCAD® Add-on for Siemens Teamcenter – SolidWorks Integration
- HALOCAD® Add-on for Siemens Teamcenter – Creo Integration
- HALOCAD® Add-on for SAP ECTR – AutoCAD Integration
- HALOCAD® Add-on for SAP ECTR – Creo Integration
- HALOCAD® Add-on for SAP ECTR – Solid Edge Integration
- HALOCAD® Add-on for AutoDesk Vault – AutoCAD Integration
- HALOCAD® Add-on for AutoDesk Vault – Inventor Integration
PIPL will be a game-changer for data security. It is critical for organizations that process personal information to evaluate their data protection strategies. If you are a multinational organization handling information related to Chinese individuals, this law applies to you.
The time is now right for organizations to consider how to handle the PIPL, make it a priority, invest in data security solutions, and seek the help of a Digital Rights Management solution provider like SECUDE to help them formulate their data protection strategies. Our solutions will ensure that your sensitive data doesn't end up where it shouldn't.