Compliance Briefing — September 1, 2021

Executive briefing: The Data Security Law of the People’s Republic of China became effective on 1 September 2021. Organisations handling data in China must classify datasets, protect “important” and “core” data, and perform security assessments when providing data abroad.

Key compliance checkpoints

• Data classification. Establish tiered management distinguishing general, important, and core data with corresponding security controls.
• Critical infrastructure obligations. Operators of critical information infrastructure must store important data domestically and undergo security assessments for exports.
• Incident response. Implement reporting workflows for data security incidents and cooperate with state security authorities during investigations.

Operational priorities

• Cross-border governance. Map outbound data flows, confirm legal bases, and prepare for CAC-led security assessments.
• Vendor oversight. Evaluate third parties processing Chinese data to ensure contractual obligations and localization controls align with the law.
• Internal controls. Update policies, access management, and monitoring around data lifecycle operations, including retention and destruction.

Enablement moves

• Deploy data discovery and classification tooling covering China-hosted systems.
• Stand up bilingual incident response playbooks referencing mandatory reporting timelines.
• Create cross-functional committees to track implementing regulations from the Cyberspace Administration of China.

Sources

• Data Security Law of the People’s Republic of China
• CAC notice on implementing the Data Security Law

Zeph Tech supports China-focused compliance programs with data classification frameworks, localization controls, and cross-border assessment tooling aligned to the Data Security Law.

Related briefings

Curated signals from the same pillar or overlapping topics.

Compliance · Credibility 89/100 · September 1, 2021

Policy Briefing — China Data Security Law Takes Effect

China’s Data Security Law took effect 1 September 2021, requiring organisations to classify data, protect critical and important datasets, undergo export security assessments, and implement incident reporting and…

Compliance · Credibility 40/100 · November 1, 2021

Compliance Briefing — China’s Personal Information Protection Law takes effect

China’s Personal Information Protection Law entered into force on 1 November 2021, imposing consent, localization, and cross-border transfer restrictions modeled on GDPR-style accountability.

Compliance · Credibility 40/100 · June 10, 2021

Compliance Briefing — China passes Data Security Law

China’s National People’s Congress adopted the Data Security Law on 10 June 2021, establishing data classification, localization, and export review obligations effective 1 September 2021.

Compliance · Credibility 40/100 · September 2, 2021

Compliance Briefing — UK Age Appropriate Design Code enters enforcement

The UK ICO began enforcing the Age Appropriate Design Code on 2 September 2021, compelling online services accessed by children to meet privacy-by-default standards and profiling limits.

Compliance · Credibility 89/100 · August 20, 2021

Policy Briefing — China Personal Information Protection Law Passed

China’s Personal Information Protection Law (PIPL) took effect on November 1, 2021, requiring clear lawful bases, data localisation and cross-border transfer pathways, strengthened individual rights, and governance…

Continue in the Compliance pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Third-Party Risk Oversight Playbook — Zeph Tech

  Operationalize OCC, Federal Reserve, EBA, and MAS outsourcing expectations with lifecycle controls, continuous monitoring, and board reporting.

• Compliance Operations Control Room — Zeph Tech

  Implement cross-border compliance operations that satisfy Sarbanes-Oxley, DOJ guidance, EU DORA, and MAS TRM requirements with verifiable evidence flows.

• SOX Modernization Control Playbook — Zeph Tech

  Modernize Sarbanes-Oxley (SOX) compliance by aligning PCAOB AS 2201, SEC management guidance, and COSO 2013 controls with data-driven testing, automation, and board reporting.