Compliance · 5 min read · Credibility 89/100

Policy Briefing — China Data Security Law Takes Effect

China’s Data Security Law took effect 1 September 2021, requiring organisations to classify data, protect critical and important datasets, undergo export security assessments, and implement incident reporting and cooperation obligations under heightened penalties.

[Figure: timeline of source publication cadence, sized by credibility; 4 publication timestamps support this briefing.]

Executive summary. China’s Data Security Law (DSL) entered into force on 1 September 2021, creating a comprehensive regime for classifying data, protecting “important” and “core” data, restricting cross-border transfers, and imposing steep penalties for non-compliance.[1] Organisations operating in or handling data related to China must now implement governance frameworks that align with national security, economic development, and public interest priorities set by the Chinese Communist Party and state agencies.

Data classification and hierarchical protection. The DSL requires data handlers to establish data classification and hierarchical protection systems, taking into account data importance, potential harm from misuse, and sector-specific requirements.[1] Critical Information Infrastructure (CII) operators and entities managing “important data” must implement stricter controls, including designated responsible personnel, security assessments, and contingency plans.

Cross-border data transfer controls. Exporting important data collected or generated within China requires a prior security assessment organised by the Cyberspace Administration of China (CAC) and relevant regulators.[2] Companies must assess national security implications, economic impacts, and data subjects’ rights before transferring data overseas. Certain data, such as data tied to CII or data exceeding volume thresholds, may be prohibited from export altogether or be subject to localisation.

Incident reporting and cooperation. Data handlers must immediately initiate contingency measures when incidents occur and promptly notify affected individuals and competent authorities.[1] Organisations are required to cooperate with public security organs and national security agencies during investigations, and they must not refuse lawful requests for data access.

Penalties and enforcement. Violations can result in fines up to RMB 10 million, business suspensions, revocation of licences, and personal liability for responsible officers.[1] Serious offences may also trigger criminal charges under China’s Criminal Law. The DSL emphasises that foreign entities harming China’s national security or public interest can face retaliatory measures.

Relationship with other laws. The DSL complements the Cybersecurity Law (2017) and Personal Information Protection Law (effective November 2021). Organisations must harmonise compliance programmes across these statutes, ensuring consistent data classification, localisation, and consent frameworks.

Concrete compliance controls.

  • Data inventory and classification. Build a repository documenting data types, sensitivity levels, storage locations, responsible owners, and processing purposes. Update quarterly and align with sector-specific catalogues (e.g., automotive, finance).
  • Cross-border assessment workflow. Establish procedures to evaluate export requests, including legal review, national security risk scoring, encryption standards, and CAC filing requirements.
  • Access management. Implement least privilege for important and core data, using multi-factor authentication, segregation of duties, and monitoring of administrative actions.
  • Incident response integration. Incorporate DSL-specific notification timelines and authority contact lists into incident response playbooks; rehearse scenarios involving CAC investigations.
  • Regulatory engagement. Maintain relationships with local industry regulators (MIIT, PBOC, SAMR) to stay informed about sectoral data catalogues and enforcement expectations.
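The inventory-and-classification control above is the foundation for every other control in the list, so here is an added, self-contained example of what such a repository entry can look like in code. It is illustration written for this briefing, not code from any regulator or vendor: the catalogue field names, the tier names, the dataset names and all sample values are constructed, and the real sector catalogues must be substituted before any such script is used in earnest. It labels each dataset by the highest tier found across its columns, using catalogue field names first and value shapes second, and records the reason for every label so that the classification decision can later be evidenced.

```python
import re
from dataclasses import dataclass, field, asdict

# Hypothetical sector catalogue: field names mapped to DSL-style tiers.
# Constructed for this example; real catalogues are published per sector.
CATALOGUE = {
    "core": ("power_grid_topology", "pipeline_scada_config"),
    "important": ("vehicle_gps_track", "account_balance", "id_number", "phone"),
}
TIER_RANK = {"general": 0, "important": 1, "core": 2}

CJK_RE = re.compile(r"[\u4e00-\u9fff]")        # CJK Unified Ideographs block
PRC_ID_RE = re.compile(r"\b\d{17}[\dXx]\b")      # 18-character resident-ID shape
CN_MOBILE_RE = re.compile(r"\b1[3-9]\d{9}\b")    # mainland mobile-number shape


@dataclass
class InventoryEntry:
    """One row of the data inventory: what, where, who, why, and how sensitive."""
    dataset: str
    storage_location: str
    owner: str
    purpose: str
    tier: str = "general"
    reasons: list = field(default_factory=list)


def classify_field(name, sample_values):
    """Return (tier, reason) for one column: catalogue names first, value shapes second."""
    for tier, names in CATALOGUE.items():
        if name in names:
            return tier, f"field '{name}' listed in {tier} catalogue"
    for value in sample_values:
        text = str(value)
        if PRC_ID_RE.search(text):
            return "important", f"field '{name}' contains resident-ID-shaped values"
        if CN_MOBILE_RE.search(text):
            return "important", f"field '{name}' contains mainland mobile numbers"
    if any(CJK_RE.search(str(v)) for v in sample_values):
        return "general", f"field '{name}' holds Chinese-language text (review for personal information)"
    return "general", None


def classify_dataset(entry, columns):
    """Label a dataset with the highest tier found across its columns, keeping the reasons."""
    for name, samples in columns.items():
        tier, reason = classify_field(name, samples)
        if reason:
            entry.reasons.append(reason)
        if TIER_RANK[tier] > TIER_RANK[entry.tier]:
            entry.tier = tier
    return entry


# Constructed sample datasets; names, locations, owners and values are placeholders.
SAMPLE_DATASETS = [
    (InventoryEntry("crm_customers", "sh-dc1/postgres", "crm-owner", "customer service"),
     {"name": ["张伟", "李娜"], "phone": ["13800138000"], "city": ["上海"]}),
    (InventoryEntry("kyc_records", "sh-dc1/object-store", "compliance-owner", "identity verification"),
     {"national_id": ["11010119900101123X"], "notes": ["已核验"]}),
    (InventoryEntry("grid_assets", "bj-dc2/postgres", "ops-owner", "asset management"),
     {"power_grid_topology": ["node-1->node-2"], "site_name": ["华北变电站"]}),
    (InventoryEntry("web_analytics", "sh-dc1/clickhouse", "marketing-owner", "site statistics"),
     {"page": ["/home"], "count": [12]}),
]


def build_inventory(datasets=SAMPLE_DATASETS):
    """Classify every dataset and return the inventory as a list of plain dicts."""
    return [asdict(classify_dataset(entry, columns)) for entry, columns in datasets]


if __name__ == "__main__":
    for row in build_inventory():
        print(f"{row['dataset']:<14} {row['tier']:<10} {row['storage_location']:<22} {row['owner']}")
        for reason in row["reasons"]:
            print(f"    - {reason}")
```

The value-shape checks are deliberately narrow (they look only at the shape of the string, not at a checksum) because the purpose at this stage is triage for a human owner, not an authoritative verdict; the recorded reasons are what an inspector will want to see alongside the label.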

Implementation roadmap.

  1. Phase 1: Form a DSL governance task force, perform data mapping, and identify critical/important data sets.
  2. Phase 2: Develop classification policies, deploy data loss prevention and encryption tools, and update vendor contracts with DSL obligations.
  3. Phase 3: Build cross-border approval workflows, update privacy notices for Chinese users, and integrate DSL metrics into risk dashboards.
  4. Phase 4: Conduct tabletop exercises simulating regulator inspections, evaluate localisation requirements, and plan remediation for gaps.
  5. Continuous: Monitor CAC regulations, local standards (GB/T), and provincial directives that refine data categories.

Sector-specific obligations. The State Council and sector regulators publish catalogues of important data for industries such as energy, transportation, and finance. Entities should monitor these catalogues to ensure classification aligns with official designations.

Vendor management. Contracts with processors must specify data classification responsibilities, security controls, localisation requirements, and cooperation obligations during audits. Conduct annual assessments of third parties handling Chinese data.

Metrics and monitoring. Track the number of datasets classified, cross-border assessment approvals, incident response times, regulator inquiries, and training completion rates. Use dashboards to provide transparency to executive leadership.

Training and awareness. Provide DSL-focused training to executives, data owners, legal teams, and operations staff. Cover national security implications, cross-border restrictions, and reporting duties. Offer bilingual materials to align with headquarters and local teams.

Technology considerations. Deploy data discovery tools that can recognise Chinese-language data elements, apply sensitivity labels, and integrate with encryption and access controls. Implement security information and event management (SIEM) tools to monitor access to important data and generate audit trails.
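The SIEM monitoring described here, together with the cross-border assessment workflow from the controls list, comes down to a small set of rules evaluated over access events and an audit trail of every touch of classified data. The following is an added example written for this briefing rather than code from any SIEM product: the key=value log format, the dataset names and tiers, the approved-principal list and the assessment reference are all constructed placeholders. It flags access to important or core data without MFA, access to core data by principals not on the approved list, and exports of important data to a non-domestic region that carry no assessment reference, while recording every classified-data event to the trail whether or not a rule fires.

```python
import re

# Tier labels for monitored datasets (hypothetical; in practice read from the data inventory).
DATASET_TIER = {"crm_customers": "important", "grid_assets": "core", "web_analytics": "general"}
# Principals explicitly approved for each core dataset (hypothetical).
CORE_APPROVED = {"grid_assets": {"bob"}}
# Regions treated as domestic for export purposes (hypothetical).
DOMESTIC_REGIONS = {"CN"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value access-log line into a dict (constructed log format)."""
    return dict(KV_RE.findall(line))


def evaluate(event):
    """Apply the DSL-oriented rules to one event and return the names of rules that fired."""
    fired = []
    resource = event.get("resource")
    tier = DATASET_TIER.get(resource, "general")
    if tier == "general":
        return fired                                   # general data: no rules apply
    if event.get("mfa") != "true":
        fired.append("MFA_MISSING_ON_CLASSIFIED_DATA")
    if tier == "core" and event.get("user") not in CORE_APPROVED.get(resource, set()):
        fired.append("UNAPPROVED_CORE_DATA_ACCESS")
    if event.get("action") == "export" and event.get("dest_region") not in DOMESTIC_REGIONS:
        if "assessment" not in event:                  # no assessment reference attached
            fired.append("CROSS_BORDER_EXPORT_WITHOUT_ASSESSMENT")
    return fired


def analyse(lines):
    """Return (alerts, audit_trail); every classified-data event lands in the trail."""
    alerts, trail = [], []
    for line in lines:
        ev = parse_event(line)
        tier = DATASET_TIER.get(ev.get("resource"), "general")
        if tier != "general":
            trail.append({"ts": ev["ts"], "user": ev["user"], "action": ev["action"],
                          "resource": ev["resource"], "tier": tier})
        for rule in evaluate(ev):
            alerts.append({"rule": rule, "user": ev["user"], "resource": ev["resource"], "ts": ev["ts"]})
    return alerts, trail


# Constructed sample log lines; timestamps, users and regions are placeholders.
SAMPLE_LOG = [
    "ts=2024-03-01T08:01:02Z user=alice action=read resource=crm_customers mfa=true src_region=CN",
    "ts=2024-03-01T08:05:10Z user=bob action=read resource=grid_assets mfa=false src_region=CN",
    "ts=2024-03-01T08:09:44Z user=carol action=export resource=crm_customers mfa=true src_region=CN dest_region=DE",
    "ts=2024-03-01T08:12:00Z user=dave action=export resource=crm_customers mfa=true src_region=CN dest_region=SG assessment=ASSESSMENT-REF-PLACEHOLDER",
    "ts=2024-03-01T08:15:30Z user=erin action=read resource=web_analytics mfa=false src_region=US",
    "ts=2024-03-01T08:20:05Z user=frank action=read resource=grid_assets mfa=true src_region=CN",
]


if __name__ == "__main__":
    alerts, trail = analyse(SAMPLE_LOG)
    print(f"{len(trail)} classified-data events recorded, {len(alerts)} alerts")
    for a in alerts:
        print(f"ALERT {a['rule']:<40} {a['user']:<6} {a['resource']:<14} {a['ts']}")
```

Keeping the audit trail separate from the alerts matters for inspections: the trail is the evidence that monitoring covered every access to important data, while the alerts are the subset that needed follow-up. The export rule only checks that an assessment reference is present; tying that reference to the actual approval record is the job of the assessment workflow, not of the monitoring rule.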

Future developments. CAC continues to release supporting regulations, including guidance on important data identification and security assessment templates.[3] Organisations should engage in public consultations and track provincial pilot programmes that test classification frameworks.

Risks of non-compliance. Beyond fines and licence revocation, failing to comply can lead to reputational damage, supply chain restrictions, and limitations on market access. Multinational companies risk conflicts between DSL requirements and other jurisdictions’ laws, necessitating careful legal analysis and potential data segmentation strategies.

Risk assessment obligations. Important data handlers must conduct periodic risk assessments covering data processing activities, security risks, and mitigation measures, and submit assessment reports to relevant regulators.[1] Maintain templates documenting threat scenarios, control effectiveness, and improvement plans.

Cybersecurity review linkage. Companies engaging in data processing activities that impact national security may be subject to cybersecurity reviews administered by the CAC and other authorities, particularly for network platform operators handling large volumes of personal information.[4] Plan for documentation requests covering supply-chain security, data storage locations, and potential foreign influence.

Data trading and monetisation. The DSL introduces oversight for data brokerage activities, requiring marketplaces and intermediaries to verify data sources, ensure transaction compliance, and prevent illegal acquisition of data.[1] Organisations monetising data should implement due diligence and customer vetting procedures before sharing datasets.

Localisation strategy. Evaluate whether important data can remain within mainland China by deploying regional data centres, anonymising datasets for analytics abroad, or using privacy-enhancing technologies (PETs) that allow computations without raw data export.

Documentation. Maintain bilingual policy repositories, regulator correspondence logs, and evidence of employee training to demonstrate diligence during inspections or licensing renewals.

Audit readiness. Prepare bilingual evidence binders summarising classification decisions, export approvals, and incident reports so that on-site inspections can be completed efficiently.

[Figure: horizontal bar chart of credibility scores for every source cited in this briefing.]
