Policy Briefing — China Data Security Law Takes Effect

Executive briefing: On September 1, 2021, the Data Security Law of the People's Republic of China became effective. The statute mandates data classification and hierarchical protections, requires security assessments for exporting important data, and establishes steep administrative and criminal sanctions for violations.

Immediate compliance priorities

• Data mapping. Inventory datasets handled in China and classify them under the law's categories, including core and important data.
• Cross-border governance. Prepare for security assessments led by the CAC and relevant sector regulators before transferring important data outside China.
• Incident readiness. Align reporting processes with requirements to notify authorities and affected individuals after security incidents involving protected data.

Control alignment

• Internal policies. Update data lifecycle, access, and encryption policies to reflect graded protection obligations.
• Vendor due diligence. Ensure Chinese subsidiaries and service providers implement commensurate controls for important data handling and storage.
• Regulatory liaison. Designate responsible personnel to maintain communication with CAC and industry regulators on data export filings and risk rectification.

Enablement moves

• Institute board-level reporting on data security compliance and penalties introduced by the law.
• Integrate DSL checkpoints into product launch and localization reviews for China-market services.
• Combine DSL and Personal Information Protection Law requirements into a unified China data compliance framework.

Sources

• National People's Congress Standing Committee: Data Security Law
• Cyberspace Administration of China: Implementation notice on the Data Security Law

Zeph Tech guides global firms through China's DSL obligations, including data mapping, export security assessments, and rectification programs.