Data Strategy Briefing — June 10, 2021

Executive briefing: The Standing Committee of the National People's Congress adopted the Data Security Law (DSL) on 10 June 2021, with enforcement beginning 1 September 2021. The DSL introduces national core data categories, security assessments for cross-border transfers, and localisation mandates for critical information infrastructure operators handling critical data.

Key localisation checkpoints

Data inventories. Classify datasets linked to China operations against DSL definitions for important and core data, capturing business ownership, storage locations, and processing purposes.
Cross-border assessments. Design review workflows to evaluate security, necessity, and legal basis before transmitting important data outside China, anticipating CAC security assessments.
Critical infrastructure scope. Determine whether Chinese subsidiaries qualify as critical information infrastructure operators and, if so, apply localisation and onshore backup requirements.

Operational priorities

Governance updates. Align internal data governance charters and incident response playbooks with DSL penalty structures and enforcement mechanisms.
Vendor management. Amend contracts with Chinese service providers to reflect DSL compliance clauses, inspection support, and security certification expectations.
Regulatory engagement. Establish channels with provincial regulators to monitor forthcoming implementing rules on sector-specific data catalogues.

Enablement moves

Integrate DSL requirements into enterprise risk registers alongside PIPL and Cybersecurity Law controls.
Stage tabletop exercises covering cross-border transfer approvals and breach notifications under the DSL regime.

Sources

Zeph Tech supports DSL readiness through China data mapping, localisation roadmaps, and cross-border transfer governance aligned to CAC expectations.