If you do business in China, you need to know about the “PIPL”
It’s the Chinese equivalent of the EU’s GDPR, and it makes protecting the data privacy of the Chinese your responsibility.
The law came into being relatively quickly and has already taken effect as of November 1st 2021. However, at this stage it appears to be mainly a framework, and further regulations will emerge across specific sectors that relate back to these requirements.
If you are already working in Europe and complying with the GDPR, then you probably just need to apply those regimes to data that relates to Chinese citizens as well (“all information related to identified or identifiable natural persons”).
We’ve taken the following table from an excellent analysis at the International Association of Privacy Professionals (IAPP):
| Rights under the GDPR | Rights under the PIPL |
| --- | --- |
| Right to information | √ |
| Right to access | √ |
| Right to correction/rectification | √ |
| Right to erasure | √ |
| Right to object to and restrict the processing of an individual’s data | √ |
| Right to data portability | √ (but needs to satisfy conditions stipulated by the Cyberspace Administration of China) |
| Right not to be subject to automated decision-making | √ |
| Right to withdraw consent | √ |
| Right to lodge a complaint with the regulator | √ |
As with other data privacy regimes, it is important to consider the information you hold and the obligations that apply to it.
Do you know:
- What data you hold?
- Why you hold it? (Is there data you hold that is ‘nice to have’ rather than necessary?)
- Where it is held?
- Who should have access to it, and who does have access to it?
- Do the people with access understand their obligations?
These considerations, and others, are part of the data governance considerations of a FlightPlan – contact your account manager for more information.