what we think

By Connie (Yan) Chen and Sylvia Wang

China is determined to protect personal information and has passed several laws to achieve this goal. Regulatory agencies are taking a closer look at the treatment of personal data, and enforcement of the relevant laws should be taken into considering for regular business activities. As the authorities tighten up regulation and supervision, businesses need to take measures to meet the higher demands on personal data compliance. 

The impact assessment is an essential tool to help companies maintain data compliance. This article explains when enterprises may need an impact assessment, what it includes, and how it can be carried out.

1. When do enterprises need an impact assessment?

The impact assessment is a self-examination by a company on the personal information’s full lifecycle, including collection, storage, use, processing, transmission, disclosure, deletion etc. Through the impact assessment, companies are able to assess whether its conduct is compliant, whether the adopted protection measures are effective, and how big the risk is of damage to the legitimate rights and interests of the personal data subjects. In China, the impact assessment is often referred to as Personal Information Security Impact Assessment (PIA or DPIA). Other jurisdictions, including the US and the EU, have developed their own systems for conducting such impact assessments, often called Privacy Impact Assessment (also PIA).

As part of China’s current personal data legislation framework, an impact assessment is usually triggered by either of the following:

1. Under the PRC Personal Information Protection Law (PIPL) (read our article for more information), personal information processors need to carry out an impact assessment when processing sensitive personal information, using personal information to make automated decision-making, entrusting others to process personal information, providing personal information to other personal information processors, disclosing personal information, transferring personal information overseas, and other processing activities that have a significant impact on personal rights and interests.
2. Under the Measures of Data Cross-Border Transfer Security Assessment, when enterprises conduct cross-border data transmission (read our article for more information) up to certain levels, such as providing 100,000 pieces of personal information or sensitive information of 10,000 people abroad. Since 1 January 2021, companies must themselves assess the risk, and the assessment result will be part of the application to the Cyberspace Administration of China (CAC) for a data cross-border transmission security declaration.
3. The Information Security Technology Personal Information Security Specification (GB/T 35273-2020) stipulates that an impact assessment is required before the release of new products or services, when there is a major change in the business model, when a personal information security incident occurs etc.

An impact assessment aims to discover, dispose of and continuously monitor risks to harm the legitimate rights and interests of personal information subjects in information processing. Companies conduct impact assessments not only to fulfill their privacy protection responsibility under laws and regulations, but also to prepare a defense for itself in the event of a data security incident. Impact assessments are becoming a cornerstone of strategies to comply with data compliance regulations.

2. What does the impact assessment include?

The PIPL offers one illustration of what the impact assessment can cover. Focuses include whether the purpose and method of processing personal information is legal, legitimate and necessary; what is the impact on personal rights and the potential risks; and whether the protection measures are legal, effective and appropriate with reference to the actual risk levels.

In practice, companies generally need to first distinguish different business scenarios, and then complete an in-depth analysis. This generally starts with a collection of relevant information on the company’s activities:

• Type and amount of data to be processed (especially special data such as sensitive personal information and important data).
• Processing purpose and legal basis.
• Key processing activities (e.g. delegated processing, sharing, disclosure, cross-border, automated decision making etc.).
• Impact on information subjects’ rights and manners to safeguard their rights.
• How the processor fulfills its security assurance obligations, and measures taken (including technical and management measures).
• Any data security incidents in the past.
• Other matters related to data security.

3. How to carry out an impact assessment?

The impact assessment is usually conducted in 3 dimensions. Each dimension needs cooperation from different company departments. Usually, the legal department – or an external law firm with experience in this area – will need to take the lead.

1. Compliance Level

The first dimension is usually led by the legal department or specialist external counsel: the business departments will summarize specific data processing scenarios, so that the legal team can identify, review and analyze whether this involves personal information processing activities that do not comply with the requirements of data protection laws and regulations, and the possible impact of non-compliance on the rights and interests of personal information subjects. 

Typical examples of non-compliances are the collection of sensitive information without proper consent from information subjects; the entrustment of personal information handling to third parties without a contract specifying the obligations and responsibilities of both parties on personal information protection.

2. Technical Level

Second, the IT department is usually involved to review and analyze whether the company’s data security protection measures are effective, whether imperfections could lead to security incidents etc.

3. Internal System Level

The third level usually involves a collaboration between the legal team and the IT and HR departments, to review the internal rules and regulations of the enterprise and determine whether there is a need to add or modify the systems related to cyberspace security and data protection. This often involves the question whether the company has sufficient organizational structure for personal data protection and security risk management, and whether training needs to be provided to management and employees. 

All of the above will be integrated in an impact assessment report. Based on the report, the company may implement appropriate security controls in response to identified risks and take appropriate measures to continuously improve compliance in data processing.

Conclusions

The impact assessment is a good start for companies to get a better understanding of China’s rules on data protection, and in how far the company is in compliance with those rules. It is also, usually, the starting point for further steps to improve on compliance in this area.

Where companies do not have the internal capabilities to organize this, specialist lawyers can provide guidance. While support within the organization is crucial to a proper assessment, the involvement of a third-party expert can ensure that the process of an impact assessment is completed in a correct and timely manner.

On the other hand, while the impact assessment may give companies a clear conclusion on the state of their data privacy compliance issues, it is only the first step in an on-going effort to improve compliance in this area. Updates will be needed at regular intervals to remain ahead of potential issues; and in practice, the results of one impact assessment will usually serve as reference to the next one. What is abundantly clear, is that personal information processors operating in China will need to take continuous measures to comply with continuously developing regulatory requirements.

R&P China Lawyers' team of experienced data compliance counsel support companies with impact assessments and advise how to navigate regulatory uncertainty. The compliance team also works closely with R&P's specialist in employment and commercial law to provide holistic solutions to our clients. For more information, please reach out to the author or your usual contact at R&P.